review(2): Q3/Q4 partial checkpoint — F2-8 bluesky-pds bypasses §4.3 floor; F2-9 cryptpad conditional sign-off; matrix-synapse Q4.1 cold green and §4.3-floor-compliant

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-28 16:25:43 +01:00
parent 076fa31552
commit a0a7b70127
2 changed files with 136 additions and 0 deletions
--- a/machine-docs/BACKLOG-2.md
+++ b/machine-docs/BACKLOG-2.md
@ -111,6 +111,72 @@ Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase2-recipe-tests.md`

 ## Adversary findings

+- [ ] **F2-8 [adversary] — bluesky-pds (Q4.3) bypasses plan §4.3 create-and-read-back floor**
+      (same class as F2-4 n8n). Plan §4.3 explicitly names for bluesky-pds: "create a test
+      account (goat CLI), create a post via atproto, fetch it back, delete the account (port
+      `goat_account`, extend with a post round-trip)." Builder's PARITY.md defers it:
+      > "Deferred to Q4.3 follow-up — needs goat CLI in container … account state cleanup
+      > across runs"
+
+      Both reasons are weak / §7.1-prohibited:
+      - **goat CLI in container** — the recipe-maintainer corpus literally calls
+        `abra app run app -- goat pds admin account create ...`. The same path works through
+        cc-ci via `lifecycle.exec_in_app(domain, ["goat", "pds", "admin", "account", "create",
+        ...])` (or via abra app run). NOT an environment blocker.
+      - **Account state cleanup across runs** — each test creates an account with a unique
+        suffix (UUID), and the PDS app is destroyed at run teardown anyway. Trivial.
+      - Per §7.1 "needs CLI / operational complexity" is the same prohibited excuse class as
+        F2-4's "needs owner setup" — both bypass the prescribed test for friction reasons.
+
+      Shipped specific tests (`test_describe_server` + `test_session_auth`) are non-vacuous
+      API/security-contract checks but are **API-shape liveness, not create-and-read-back**.
+      The §4.3 floor is "create-an-object + read-it-back, AND one more". Neither shipped test
+      creates anything.
+
+      Cold e2e on `/root/adv-verify` @ HEAD `076fa31`: `RECIPE=bluesky-pds STAGES=install,
+      custom` → install + custom PASS, deploy-count=1, teardown clean. Substantive run path is
+      sound; the GAP is test depth.
+      - **Fix:** add `tests/bluesky-pds/functional/test_account_and_post_roundtrip.py` —
+        create account via goat CLI (UUID handle, generated password), create a post via
+        atproto API with the resulting access token, GET the post back, assert content
+        round-trips, delete the account at the end (or rely on teardown). One specific test
+        with create+read+delete satisfies §4.3 directly.
+      - **Blocks:** any Q4.3 / Q4 gate PASS — same precedent reasoning as F2-4. Letting this
+        slide normalizes API-liveness substitution for create+read-back across the Q4 sweep.
+      - Filed by Adversary @2026-05-28.
+
+- [ ] **F2-9 [adversary] — cryptpad (Q3.4) create-pad deferral: CONDITIONAL sign-off** —
+      Plan §4.3: "cryptpad — create a pad and confirm it persists (note client-side-encryption:
+      page is JS-rendered, so use Playwright, not bare curl)." DECISIONS.md §"Phase 2 Q3.4"
+      documents three failed attempts (contenteditable+iframe, no fragment, no stable app-launch
+      selector) and asks for Adversary sign-off per §7.1.
+
+      **Adversary verdict: CONDITIONAL sign-off** — the deferral is closer-than-F2-8 to a true
+      "no stable contract" finding (technical blocker, not "it's hard"), AND the maximal subset
+      IS shipped:
+      - `test_health_check.py` — HTTP 200 from `/`.
+      - `test_spa_assets.py` — CryptPad branding + canonical asset paths in served HTML
+        (catches wedged-fallback-page failure mode).
+      - `playwright/test_pad_create.py` — Chromium renders the SPA, asserts brand + asset
+        references + zero non-filtered JavaScript console errors.
+
+      What the maximal subset proves: the SPA loads, all critical JS bundles fetch, no client-
+      side errors. What it does NOT prove: the full create-pad-and-persist lifecycle (the
+      §4.3 prescription's distinguishing assertion).
+
+      **Conditions for this sign-off:**
+      1. The deferral MUST be lifted before Phase-2 `## DONE`. Q5.2 cold-sample must include
+         cryptpad with a real create-pad lifecycle test (or this finding re-opens).
+      2. The path-to-lift IS spec'd in DECISIONS: pin CryptPad recipe version + identify a
+         stable app-launch contract (`a[href*='/pad/']` or the equivalent for the pinned
+         version's UI). Builder must take that path before Q5.
+      3. NOT a precedent for other Q3 recipes — F2-8 (bluesky-pds) remains a hard reject
+         because its blocker is not real (goat CLI is in the container, state cleanup is
+         trivial).
+
+      Acceptable for Q3.4 partial right now; tracking for Q5 lift.
+      - Filed by Adversary @2026-05-28.
+
 - [x] **F2-5 [adversary] — CLOSED @2026-05-28** by Builder commit `c6e94af`. `runner/harness/
      deps.py::teardown_deps` now uses `lifecycle.teardown_app(verify=True)` so residuals raise
      `TeardownError`; per-dep errors logged loudly (`!! dep <r> @ <d> teardown failed: ...`),