diff --git a/machine-docs/REVIEW-2.md b/machine-docs/REVIEW-2.md index a27930b..3837a54 100644 --- a/machine-docs/REVIEW-2.md +++ b/machine-docs/REVIEW-2.md 
@@ -977,3 +977,48 @@ per `plan.md` §6.1. I will NOT require 3× for other recipes/gates. need 3×. (The Builder is still validating their own cold-timing fix `3484d25`; I verify once it's claimed.) - Note: my Q3.2 PASS already cited the Builder's 3× as *their* evidence + my own ONE cold run — that remains correct; the lasuite-drive *recipe PR* (Q3.2b, parked) is where I'll require repeat-green. + +## Q3.3 lasuite-meet — PASS @2026-05-29 (cold-verify; claim 5af513e / code 1f7806a) +Cold-verified from my own clone `/root/adv-verify` @ origin/main `5af513e` (claim commit docs-only: +BACKLOG-2/DECISIONS/STATUS-2 — verified *code* == `1f7806a`; git==host: Builder `/root/builder-clone` +@ 1f7806a). `RECIPE=lasuite-meet PR=0 cc-ci-run runner/run_recipe_ci.py` (log `/root/adv-q33-meet-133548.log`). + +**RUN SUMMARY (verbatim):** `deploy-count = 1 (expect 1)`; **install/upgrade/backup/restore/custom ALL pass.** + +**Every per-test PASSED (read the lines — nothing skipped/health-only):** +- install: `test_serving` + cc-ci overlay; **R014 chaos-base fix confirmed** — log: + `lightweight upstream tag present → chaos base deploy of the checked-out pinned version (… not LATEST)`, + so the base is the REAL prev version, not latest-as-base. +- **upgrade: real prev→PR-head crossover** (HC1) — `head_ref=3d3f7d19 == chaos-version=3d3f7d19`, + `version=0.2.0+v1.15.0 → 0.3.0+v1.16.0`; `test_upgrade_reconverges` + `test_upgrade_preserves_data` + (postgres ci_marker survives the crossover). +- backup/restore: `test_backup_captures_state` + `test_restore_returns_state` (real data-integrity, P4). 
+- custom: `test_health_check`; **`test_meeting_flow::test_create_room_get_livekit_token_and_read_back` + PASSED** — real OIDC bearer → POST /api/v1.0/rooms/ (201) → GET read-back (200, same LiveKit room) → + asserts the **LiveKit token is a JWT carrying a video grant for that room** (the assertion fired: + the test ran past the JWT-decode at create+read-back through to the post-DELETE note) → DELETE. + **`test_oidc_password_grant_against_dep_keycloak` PASSED — NOT skipped** (real password-grant JWT vs + per-run realm `lasuite-meet-d7907f`). +- The room-delete soft/async note is honest, not a weakening: the §4.3 floor (create + read-back + + LiveKit-token-grant + DELETE 204) is hard-asserted ABOVE; only the *re-GET-404* cleanup confirmation + is tolerant, because meet 0.3.0 soft-deletes. Acceptable — the material assertions are unconditional. + +**Teardown sacred:** post-run NO lasu/meet stack, NO per-run lasu/meet volume; warm custom-html + +keycloak canonicals intact; per-run realm `lasuite-meet-d7907f` reaped from warm keycloak. + +**§7.1 WebRTC media-relay non-port — ADVERSARY SIGN-OFF GRANTED.** The non-port is the *full UDP media +relay* ONLY (`webrtc-media.py`/`webrtc-relay.py` in the recipe-maintainer corpus at +`/srv/recipe-maintainer/recipe-info/lasuite-meet/tests/`). I confirm this is a GENUINE environment-level +blocker, not a test-quality dodge: cc-ci reaches apps via the gateway's TLS-passthrough (HTTPS/WSS :443 +only); LiveKit's SFU media plane requires inbound UDP routed to a per-run container, which the gateway +architecture cannot provide. The **maximal testable subset IS shipped and proven green**: OIDC auth → +room creation → **LiveKit token issuance with a verified video-grant JWT** (the signaling credential a +client needs to join) + read-back + delete. This is precisely §7.1's env-blocker exception (maximal +subset + Adversary sign-off). DECISIONS.md records it. 
+ +**Parity note (P2, not a defect):** the reference `meeting_flow.py` has user2 *join* (GET) the room with +a second user's token; the port uses one user for create+read-back. The §4.3 floor + the distinctive +feature (LiveKit grant issuance) are fully covered; the multi-user-join nuance is a minor parity gap, +not a hollow port — the same room/token/grant behavior is asserted. Acceptable; noted for the record. + +**Verdict: Q3.3 PASS.** No `## VETO`. Anti-anchoring honored (plan + code + my own run; not JOURNAL-first).
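Review bot: In the `custom:` bullet of the Q3.3 entry, the evidence for the LiveKit assertion is inferential ("the test ran past the JWT-decode at create+read-back"), and the §7.1 paragraph then calls it a "verified video-grant JWT", but the entry never says whether the token's signature was checked or only its claims decoded. The §7.1 sign-off rests on this token being the maximal testable subset, so state which it is and quote the passing assertion line from the log, as the install bullet does for the R014 fix. Two smaller points. The only evidence pointer is a host-local path (`/root/adv-q33-meet-133548.log`), so a digest of the log or a committed excerpt would let a later reader check the lines marked verbatim. The parity note records that the port uses one user for create+read-back, which means no second identity ever accesses the room, so say whether a follow-up tracks restoring the user2 join rather than leaving it only "noted for the record".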