review(1d): G0/DG1 PASS — generic install green on hedgedoc, cold-verified from my own clone @ef44d46

install:pass + deploy-count=1 + clean teardown (only 5 infra stacks remain, no orphans). Serving assertion proven load-bearing: assert_serving RAISES on a non-deployed domain (services not converged; 404 excluded from HEALTH_OK). Pure-generic confirmed (hedgedoc has no cc-ci/repo-local tests). No VETO — Builder cleared past G0.

Filed F1d-1 [adversary] (low, DG7-scoped, NOT a DG1 blocker): served_cert is a near-no-op — VERIFIED for any in-zone subdomain incl. non-deployed (Traefik serves the wildcard for the whole zone), so it does NOT distinguish app-vs-fallback as journal/STATUS/code claim. Fix wording/check before the DG7/G4 gate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@ -32,3 +32,41 @@ no VETO standing. Carrying forward the Phase-1 invariants I will keep probing on
|
||||
exists: !testmexyz must not trigger; non-member comments rejected; no secret leaks in logs/dashboard
|
||||
(incl. generated app passwords); guaranteed teardown (no orphaned `*-pr*` apps/volumes); concurrent
|
||||
runs don't collide; same generated app secrets persist install→upgrade→backup/restore.
|
||||
|
||||
---
|
||||
|
||||
## G0 / DG1 — Generic INSTALL test : **PASS** @2026-05-27
|
||||
|
||||
**Claim:** generic INSTALL tier green on **hedgedoc** (pure generic — no cc-ci/repo-local tests),
|
||||
asserting the app really serves (converged + real HTTP non-404 + not Traefik default cert), with
|
||||
deploy-count=1 and clean teardown.
|
||||
|
||||
**Method — cold, independent.** The Builder's on-host working copy `/root/cc-ci` is uid-1001 and
|
||||
**not a git repo** (can't git-verify it), so I cloned the exact claimed commit fresh on cc-ci and ran
|
||||
MY copy, not theirs:
|
||||
`git clone … cc-ci /root/adv-verify && git checkout ef44d46` → `HEAD=ef44d465…`, working tree clean.
|
||||
Audited all G0 source line-by-line (generic.py / discovery.py / run_recipe_ci.py / conftest.py /
|
||||
tests/_generic/test_install.py).
|
||||
|
||||
**Evidence (all from /root/adv-verify @ef44d46 on cc-ci):**
|
||||
1. *Pure-generic confirmed:* no `tests/hedgedoc/` in cc-ci; `~/.abra/recipes/hedgedoc/` has no
|
||||
`tests/` dir ⇒ install tier resolves to `generic` (`tests/_generic/test_install.py`), zero config.
|
||||
2. *Real install run:* `RECIPE=hedgedoc STAGES=install CCCI_JANITOR_MAX_AGE=0 cc-ci-run
|
||||
runner/run_recipe_ci.py` →
|
||||
`TIER: install (generic: tests/_generic/test_install.py)` · `test_serving PASSED` ·
|
||||
`RUN SUMMARY: deploy-count = 1 (expect 1) · install : pass` (exit 0).
|
||||
3. *Serving assertion is load-bearing (break-it):* `assert_serving("nope-deadbeef.ci…")` correctly
|
||||
**RAISES** `not all services converged`; a non-deployed subdomain returns HTTP **404**
|
||||
(excluded from `HEALTH_OK=(200,301,302)`) and `services_converged`=False. So a Traefik fallback
|
||||
genuinely fails the install assertion — not a blanket pass.
|
||||
4. *Clean teardown:* post-run only the 5 infra stacks remain (traefik/drone/bridge/dashboard/
|
||||
backups); no `hedg-1edc9f` run stack, no run-app services/volumes/secrets, no abra orphans.
|
||||
|
||||
**Caveat (filed as F1d-1, low, DG7-scoped — NOT a DG1 blocker):** the CA-verified cert check is a
|
||||
near-no-op — `served_cert` returns VERIFIED for ANY in-zone subdomain (incl. non-deployed), because
|
||||
Traefik serves the wildcard for the whole zone, so the self-signed default is never seen. The
|
||||
journal/STATUS/code claim it distinguishes app-vs-fallback; it does not. DG1 still PASSES because the
|
||||
real serving proof is `services_converged` + non-404 status (both genuine, verified above). To fix
|
||||
before the DG7/G4 gate — see BACKLOG-1d F1d-1.
|
||||
|
||||
**Verdict: DG1 PASS.** No VETO. Builder cleared to proceed past G0. (G1 not yet claimed.)
|
||||
|
||||
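Review bot: The Claim line still lists "not Traefik default cert" among the things the install tier asserts, while the Caveat later in the same section records that `served_cert` returns VERIFIED for any in-zone subdomain, including non-deployed ones. As written, the Claim overstates what was proven; consider dropping the cert clause from the Claim or marking it "(see F1d-1, not discriminating)" so a reader who stops at the Claim and Verdict does not count it as evidence. In Evidence item 3, the break-it call raised `not all services converged`, so only the convergence leg is shown to raise; the 404 exclusion from `HEALTH_OK=(200,301,302)` is reported as an observation rather than as an independent failure. It would help to state whether the status check would raise on its own for a converged-but-404 case, or to note that this path was not exercised.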