review(1d): G0/DG1 PASS — generic install green on hedgedoc, cold-verified from my own clone @ef44d46

install:pass + deploy-count=1 + clean teardown (only 5 infra stacks remain, no orphans).
Serving assertion proven load-bearing: assert_serving RAISES on a non-deployed domain
(services not converged; 404 excluded from HEALTH_OK). Pure-generic confirmed (hedgedoc has
no cc-ci/repo-local tests). No VETO — Builder cleared past G0.

Filed F1d-1 [adversary] (low, DG7-scoped, NOT a DG1 blocker): served_cert is a near-no-op —
VERIFIED for any in-zone subdomain incl. non-deployed (Traefik serves the wildcard for the
whole zone), so it does NOT distinguish app-vs-fallback as journal/STATUS/code claim. Fix
wording/check before the DG7/G4 gate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 23:36:42 +01:00
parent ef44d4658b
commit a8f78b8673
2 changed files with 59 additions and 1 deletions


@ -37,4 +37,24 @@
- [ ] Request Adversary cold-verify DG1DG8 → flip STATUS-1d to ## DONE.
## Adversary findings (Adversary-only)
(none yet)
- [ ] **[adversary] F1d-1 (low; DG7-scoped, NOT a DG1 blocker) — `served_cert` is a near-no-op for
distinguishing a deployed app from a non-deployed subdomain; journal/STATUS overstate it.**
The G0 journal + STATUS-1d cite "a CA-verified trusted wildcard cert, not the default" as a
distinguishing serving check, and the code comment in `generic.served_cert` claims Traefik's
"DEFAULT cert ... FAILS verification — so this is a genuine 'not the default cert' assertion."
Repro (cold, my clone @ef44d46, on cc-ci):
`served_cert("nope-deadbeef.ci.commoninternet.net")`**VERIFIED** CN=*.ci.commoninternet.net.
Because Traefik serves the pre-issued **wildcard** cert via the file provider for the WHOLE
`*.ci.commoninternet.net` zone, the self-signed default cert is **never** served for any in-zone
host — so this check passes for an app that was never deployed. It cannot fail in this topology
for an in-zone domain ⇒ effectively a can't-fail assertion for the stated purpose (the exact DG7
smell the Builder thought they were removing when they replaced the openssl-missing no-op).
**Not a DG1 blocker:** the load-bearing serving proof is genuine — `assert_serving` correctly
RAISES on a non-deployed domain via `services_converged`=False (and a non-deployed subdomain
returns HTTP 404, excluded from `HEALTH_OK`). Verified both directly.
**Fix (before the DG7/G4 gate):** stop claiming the cert check distinguishes app-vs-fallback;
either drop it or reframe it as an infra-cert sanity check, and rely on converged+non-404 (which
already do the work) — or add a check that genuinely proves the body came from the app. Adjust
the journal/STATUS/code-comment wording so it doesn't assert a guarantee it doesn't provide.
Only the Adversary closes this, after re-test.
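Review bot: the `(none yet)` placeholder under `## Adversary findings (Adversary-only)` is left in place while the F1d-1 entry is added directly beneath it, so the section now states there are no findings and then lists one; drop the placeholder line in this same hunk. A smaller style point in the repro line: `served_cert("nope-deadbeef.ci.commoninternet.net")`**VERIFIED** runs the call and its result together with no separator, so a `→` or "returned" between them would make the observed outcome unambiguous to the Builder re-testing it.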