diff --git a/BACKLOG-dstamp.md b/BACKLOG-dstamp.md index 4f2f883..b694bef 100644 --- a/BACKLOG-dstamp.md +++ b/BACKLOG-dstamp.md @@ -48,3 +48,26 @@ trigger); `lifecycle.assert_upgrade_converged` closes the wait_healthy blind spo Minor race window in `assert_upgrade_converged` (first poll could see "none" before Docker starts the roll) is covered: with stop-first, a post-race rollback also fails `wait_healthy`. No blocker. Formal verdict awaits Builder's `claim(dstamp)` commit. + +**Blast-radius sweep @2026-06-11T17:4x:** + +All 24 enrolled recipes swept for `failure_action: rollback` + `order: start-first` in `compose.yml`: + +| Recipe | failure_action | order | ccci overlay | upgrade tests | recent upgrade | risk | +|-----------|---------------|-------------|--------------|---------------|----------------|------| +| discourse | rollback | start-first | YES (fixed) | yes | FIXED | fixed | +| drone | rollback | start-first | no | NO tests | n/a | latent, no CI exposure | +| keycloak | rollback | start-first | no | yes | PASS L4 | latent, low (JVM, lighter than Rails) | +| n8n | rollback | start-first | no | yes | PASS L4 | latent, low (Node.js) | +| traefik | rollback | STOP-first | no | no | n/a | SAFE | +| all others | none or absent | — | — | — | — | not at risk | + +`assert_upgrade_converged` (added in 0cc31a5) provides a general harness backstop: if any +recipe's rolling update rolls back or pauses, the upgrade is failed HONESTLY for all recipes +— not just discourse. So keycloak/n8n are already covered by the harness fix even without +overlay changes. + +Recommended overlay addition for keycloak if/when OOM symptoms appear: +`deploy.update_config.order: stop-first` (same pattern as discourse). Not urgent — current +host load shows no rollback symptom for keycloak/n8n and they're lighter apps than discourse. +drone has no upgrade tier in cc-ci; no action needed there.
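Review bot: In the paragraph after the table, "the upgrade is failed HONESTLY for all recipes" overstates what the table supports. The drone row has `rollback` + `start-first` with "NO tests", and the closing line says drone has no upgrade tier in cc-ci, so `assert_upgrade_converged` never runs against it. Suggest "for every recipe that has an upgrade tier", and note for drone that the same config is present but unexercised, rather than only "no action needed there". The overlay recommendation names only keycloak, although n8n has the identical `rollback` + `start-first` setting and the same "latent, low" rating; either include n8n or say why it is left out. Two smaller points: the sweep timestamp `17:4x` is not a resolvable time, and the entry gives "OOM symptoms" as the trigger without saying how `start-first` leads to them, so one sentence on the failure mode would let this section be read without the discourse entry above it.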