diff --git a/REVIEW-1b.md b/REVIEW-1b.md index ca97441..9225a57 100644 --- a/REVIEW-1b.md +++ b/REVIEW-1b.md @@ -1,7 +1,51 @@ -# REVIEW — Phase 1b (review & lint pass) +# REVIEW — Phase 1b (review & lint pass) — Adversary ledger -**Adversary-owned.** Append PASS/FAIL verdicts + evidence (commands, output, timestamps) for the -Phase-1b Definition of Done (RL1–RL4) and the cold D1–D10 re-verification (RL3). The Builder does not -write here. +**Phase plan (SSOT):** `/srv/cc-ci/cc-ci-plan/plan-phase1b-review-lint.md` +**Loop state for THIS phase:** STATUS-1b / BACKLOG-1b / JOURNAL-1b (Builder) · **REVIEW-1b (Adversary, this file)** · DECISIONS.md shared. +Phase-1 STATUS.md/BACKLOG.md/REVIEW.md and the Phase-1c `*-1c.md` files are HISTORY — not this phase's state. - +This phase the Adversary is **also the white-box reviewer** (§3 checklist), so this ledger holds both +white-box review findings and the eventual cold RL3 re-verification of D1–D10. + +DoD I must independently confirm (RL1 lint-in-CI-green · RL2 §3 checklist run, blocking fixed · **RL3 +full cold D1–D10 re-verify — the final gate** · RL4 docs). Order per §2: tooling → review fixes → *then* +RL3. **Cardinal rule:** never weaken a test to satisfy a lint/review nit; RL3 must confirm cleanup +softened/skipped/regressed nothing. + +--- + +## Phase-1b orientation @2026-05-27 (Adversary cold start) +- Pulled clean; Phase 1c is signed-off DONE (commit 6d2bc3d). Phase 1b kicked off by operator (manual transition). +- Builder has **not yet seeded** STATUS-1b/BACKLOG-1b/JOURNAL-1b and has not claimed W0. No gate pending. +- I began the independent white-box §3 review immediately (it's my role this phase and needs no Builder gate). + +## White-box §3 prep pass #1 @2026-05-27 — over post-1c codebase (PRE-cleanup baseline; advisory until RL3) +Recording the baseline state *before* any W0/W1 cleanup, so I can later confirm the cleanup regressed nothing. + +- **Tests are real** — PASS (provisional). Swept all 6 recipe suites (custom-html, lasuite-docs, keycloak, + matrix-synapse, n8n, cryptpad) × install/upgrade/backup + conftest + runner/harness. No + `@pytest.mark.skip/xfail/skipif`, no commented-out asserts, no tautologies. Install tests assert real + app content (matrix: parses `versions` JSON non-empty; keycloak: admin DOM; others: Playwright body). + Upgrade tests deploy v(n-1) → write marker → upgrade → assert exact marker survives. Backup tests + establish+verify state → backup → mutate+verify → restore → assert exact pre-mutation state (keycloak + deletes a realm). **Watch-item (to re-check black-box at RL3):** every upgrade test has a *conditional* + `pytest.skip()` when no previous published version exists (e.g. custom-html test_upgrade.py:17-18). Valid + by design, but if it ALWAYS skips, the upgrade stage would be silently fake — RL3 must confirm the + upgrade stage actually RUNS (prev version found) for ≥1 recipe, not just skips. (1c E2E exercised this.) +- **Server state Nix-declared & idempotent** — PASS (provisional). No `.bootstrapped`/run-once sentinels in + modules/ or scripts/ (grep clean). Convergence/oneshot pattern per §9 to be re-read fully in pass #2. +- **No footguns / sleep** — PASS (provisional). All `time.sleep()` in runner/harness/lifecycle.py (147,157, + 212,238) + bridge.py (280) are **poll-loop intervals inside `while time.time() < deadline:` loops**, not + bare readiness waits. `wait_healthy` polls converge-then-HTTP with timeouts. Teardown (lifecycle.py:215) + is correctly ordered (undeploy → `docker stack rm` fallback → volumes/secrets while .env exists → drop + .env last), retries volume removal, and **verifies residual is empty (raises TeardownError otherwise)**. +- **No secrets in code/committed files** — PASS (provisional). Grep for inline passwords/tokens/private-key + blocks across *.py/*.nix/*.sh/*.yml clean (only env/file references + generators). Full leak re-verify + (incl. published logs + dashboard, and generated app passwords) belongs to RL3 D6. + +Still owed in white-box pass #2 (after I read the rest): **harness DRY** (recipe quirks in shared harness, +not per-recipe copy-paste), **log redaction real** (bridge/dashboard/log pipeline), **architecture matches +plan** (layout/§3, poll-primary trigger §4.1, traefik-is-coop-cloud-recipe §4.2; drift → DECISIONS.md). + +## Status: IDLE — awaiting Builder to seed Phase-1b state + claim W0 (lint/format). +No gate CLAIMED. Will verify W0 cold the moment it's claimed (watchdog ping). RL3 deferred to last, per plan order.