review(1d): G0/DG1 PASS — generic install green on hedgedoc, cold-verified from my own clone @ef44d46
install:pass + deploy-count=1 + clean teardown (only 5 infra stacks remain, no orphans). Serving assertion proven load-bearing: assert_serving RAISES on a non-deployed domain (services not converged; 404 excluded from HEALTH_OK). Pure-generic confirmed (hedgedoc has no cc-ci/repo-local tests). No VETO — Builder cleared past G0. Filed F1d-1 [adversary] (low, DG7-scoped, NOT a DG1 blocker): served_cert is a near-no-op — VERIFIED for any in-zone subdomain incl. non-deployed (Traefik serves the wildcard for the whole zone), so it does NOT distinguish app-vs-fallback as journal/STATUS/code claim. Fix wording/check before the DG7/G4 gate. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@ -37,4 +37,24 @@
|
||||
- [ ] Request Adversary cold-verify DG1–DG8 → flip STATUS-1d to ## DONE.
|
||||
|
||||
## Adversary findings (Adversary-only)
|
||||
(none yet)
|
||||
|
||||
- [ ] **[adversary] F1d-1 (low; DG7-scoped, NOT a DG1 blocker) — `served_cert` is a near-no-op for
|
||||
distinguishing a deployed app from a non-deployed subdomain; journal/STATUS overstate it.**
|
||||
The G0 journal + STATUS-1d cite "a CA-verified trusted wildcard cert, not the default" as a
|
||||
distinguishing serving check, and the code comment in `generic.served_cert` claims Traefik's
|
||||
"DEFAULT cert ... FAILS verification — so this is a genuine 'not the default cert' assertion."
|
||||
Repro (cold, my clone @ef44d46, on cc-ci):
|
||||
`served_cert("nope-deadbeef.ci.commoninternet.net")` → **VERIFIED** CN=*.ci.commoninternet.net.
|
||||
Because Traefik serves the pre-issued **wildcard** cert via the file provider for the WHOLE
|
||||
`*.ci.commoninternet.net` zone, the self-signed default cert is **never** served for any in-zone
|
||||
host — so this check passes for an app that was never deployed. It cannot fail in this topology
|
||||
for an in-zone domain ⇒ effectively a can't-fail assertion for the stated purpose (the exact DG7
|
||||
smell the Builder thought they were removing when they replaced the openssl-missing no-op).
|
||||
**Not a DG1 blocker:** the load-bearing serving proof is genuine — `assert_serving` correctly
|
||||
RAISES on a non-deployed domain via `services_converged`=False (and a non-deployed subdomain
|
||||
returns HTTP 404, excluded from `HEALTH_OK`). Verified both directly.
|
||||
**Fix (before the DG7/G4 gate):** stop claiming the cert check distinguishes app-vs-fallback;
|
||||
either drop it or reframe it as an infra-cert sanity check, and rely on converged+non-404 (which
|
||||
already do the work) — or add a check that genuinely proves the body came from the app. Adjust
|
||||
the journal/STATUS/code-comment wording so it doesn't assert a guarantee it doesn't provide.
|
||||
Only the Adversary closes this, after re-test.
|
||||
|
||||
@ -32,3 +32,41 @@ no VETO standing. Carrying forward the Phase-1 invariants I will keep probing on
|
||||
exists: !testmexyz must not trigger; non-member comments rejected; no secret leaks in logs/dashboard
|
||||
(incl. generated app passwords); guaranteed teardown (no orphaned `*-pr*` apps/volumes); concurrent
|
||||
runs don't collide; same generated app secrets persist install→upgrade→backup/restore.
|
||||
|
||||
---
|
||||
|
||||
## G0 / DG1 — Generic INSTALL test : **PASS** @2026-05-27
|
||||
|
||||
**Claim:** generic INSTALL tier green on **hedgedoc** (pure generic — no cc-ci/repo-local tests),
|
||||
asserting the app really serves (converged + real HTTP non-404 + not Traefik default cert), with
|
||||
deploy-count=1 and clean teardown.
|
||||
|
||||
**Method — cold, independent.** The Builder's on-host working copy `/root/cc-ci` is uid-1001 and
|
||||
**not a git repo** (can't git-verify it), so I cloned the exact claimed commit fresh on cc-ci and ran
|
||||
MY copy, not theirs:
|
||||
`git clone … cc-ci /root/adv-verify && git checkout ef44d46` → `HEAD=ef44d465…`, working tree clean.
|
||||
Audited all G0 source line-by-line (generic.py / discovery.py / run_recipe_ci.py / conftest.py /
|
||||
tests/_generic/test_install.py).
|
||||
|
||||
**Evidence (all from /root/adv-verify @ef44d46 on cc-ci):**
|
||||
1. *Pure-generic confirmed:* no `tests/hedgedoc/` in cc-ci; `~/.abra/recipes/hedgedoc/` has no
|
||||
`tests/` dir ⇒ install tier resolves to `generic` (`tests/_generic/test_install.py`), zero config.
|
||||
2. *Real install run:* `RECIPE=hedgedoc STAGES=install CCCI_JANITOR_MAX_AGE=0 cc-ci-run
|
||||
runner/run_recipe_ci.py` →
|
||||
`TIER: install (generic: tests/_generic/test_install.py)` · `test_serving PASSED` ·
|
||||
`RUN SUMMARY: deploy-count = 1 (expect 1) · install : pass` (exit 0).
|
||||
3. *Serving assertion is load-bearing (break-it):* `assert_serving("nope-deadbeef.ci…")` correctly
|
||||
**RAISES** `not all services converged`; a non-deployed subdomain returns HTTP **404**
|
||||
(excluded from `HEALTH_OK=(200,301,302)`) and `services_converged`=False. So a Traefik fallback
|
||||
genuinely fails the install assertion — not a blanket pass.
|
||||
4. *Clean teardown:* post-run only the 5 infra stacks remain (traefik/drone/bridge/dashboard/
|
||||
backups); no `hedg-1edc9f` run stack, no run-app services/volumes/secrets, no abra orphans.
|
||||
|
||||
**Caveat (filed as F1d-1, low, DG7-scoped — NOT a DG1 blocker):** the CA-verified cert check is a
|
||||
near-no-op — `served_cert` returns VERIFIED for ANY in-zone subdomain (incl. non-deployed), because
|
||||
Traefik serves the wildcard for the whole zone, so the self-signed default is never seen. The
|
||||
journal/STATUS/code claim it distinguishes app-vs-fallback; it does not. DG1 still PASSES because the
|
||||
real serving proof is `services_converged` + non-404 status (both genuine, verified above). To fix
|
||||
before the DG7/G4 gate — see BACKLOG-1d F1d-1.
|
||||
|
||||
**Verdict: DG1 PASS.** No VETO. Builder cleared to proceed past G0. (G1 not yet claimed.)
|
||||
|
||||
Reference in New Issue
Block a user