recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

status(2): Q2 CLAIMED — dep resolver + SSO harness + Q2.4 acceptance proven cold

Browse Source 
Q2.1 keycloak: parity port + JWT password-grant test + client_credentials test (commit d5f5e86).
Q2.2 authentik DEFERRED: SSO harness is provider-pluggable; Q2.4 already proven via keycloak.
Q2.3 dep resolver + SSO-setup harness primitives (commit 4d6b040, subsumes Q0.4). 28/28 unit PASS.
Q2.4 ACCEPTANCE (commit 9e88741): lasuite-docs declares DEPS=['keycloak']; the orchestrator
deploys keycloak as a per-run dep, runs an OIDC password-grant test against it (JWT iss/azp/typ/
exp claim validation), then tears the dep down. deploy-count=2 (1 parent + 1 dep, DG4.1 reconciled
with deps).

Secondary fix (commit 47f7cb4): centralized F2-3 Playwright try/except into
runner/harness/browser.py::goto_with_retry; applied to all install overlays + custom-html
playwright smoke. Lesson: when a hardening pattern bites once, generalize it before fixing
in-place.

Cold-verifiable on cc-ci:
  ssh cc-ci 'cc-ci-run -m pytest tests/unit -v'  # 28 PASS
  ssh cc-ci 'RECIPE=lasuite-docs STAGES=install,custom cc-ci-run runner/run_recipe_ci.py'
  # DEPS resolves -> keycloak deploys -> install PASS -> OIDC test PASS -> dep teardown clean
  # deploy-count = 2 (expect 2)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
autonomic-bot
2026-05-28 08:09:56 +01:00
parent 9e88741864
commit ad6b25982f
3 changed files with 135 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
machine-docs/STATUS-2.md
View File

@ -49,12 +49,76 @@ tree must carry:
- **Q5** — Completeness + docs; flip `## DONE`.
## In flight
**Q2 — SSO providers (keycloak + authentik).** Q1 Adversary PASS landed. Keycloak Phase-2 content
drafted (PARITY.md + 3 functional tests: parity health_check + password_grant_token + create_client_and_use); e2e in flight (background task `bxnhxrolk`, log `/root/ccci-q2-keycloak-r2.log`).
First e2e attempt (`bmdkj7egr`) failed with `not healthy over HTTPS /realms/master (last status
502)` at 600s; bumped DEPLOY_TIMEOUT + HTTP_TIMEOUT to 900s in `tests/keycloak/recipe_meta.py`.
Working toward Q3 (SSO-dependent suite). Q2 fully claimed pending Adversary verify (see Gate
below). Q2.1 keycloak (parity + JWT password-grant + client_credentials), Q2.3 dep resolver +
SSO-setup harness primitives, Q2.4 acceptance (lasuite-docs + keycloak dep + OIDC password grant)
all landed. Q2.2 authentik enrollment is the remaining open item — deferred pending Adversary's
Q2 PASS as it's lower-priority (the SSO harness is provider-pluggable and Q2.4 acceptance is
already proven via keycloak).
## Gate
**Gate: Q2 — CLAIMED, awaiting Adversary @2026-05-28** (commits `d5f5e86` Q2.1 keycloak; `4d6b040`
Q2.3 dep resolver + SSO harness primitives; `47f7cb4` harness.browser hardening across all install
overlays; `9e88741` Q2.4 acceptance). Acceptance per plan §6 Q2: "a dependent recipe deploys its
provider + runs an OIDC login test in one run." Proven cold:
**Objective evidence pointers (Q2):**
- **Q2.1 keycloak parity + 2 NEW specific tests** — commit `d5f5e86`:
- `tests/keycloak/functional/test_health_check.py` — parity port.
- `tests/keycloak/functional/test_password_grant_token.py` — password grant, JWT decoded, claims
(iss/azp/typ/exp/iat) validated.
- `tests/keycloak/functional/test_create_client_and_use.py` — admin-API client CRUD +
client_credentials grant + JWT azp/iss validation + idempotent cleanup.
- `oidc_integration.py` parity deferred to Q3 (cross-recipe; see PARITY.md note).
- Bumped DEPLOY_TIMEOUT + HTTP_TIMEOUT to 900s.
- Cold e2e (log `/root/ccci-q2-keycloak-r3.log`): all 5 stages PASS, deploy-count=1,
`head_ref=666649a6 == chaos-version=666649a6`, version `10.7.0+26.6.1 → 10.7.1+26.6.2`.
- **Q2.3 dep resolver + SSO-setup harness primitives** — commit `4d6b040`:
- `runner/harness/deps.py` — declared_deps + dep_domain + deploy_deps + teardown_deps + JSON
run state. Subsumes Q0.4 (dep resolver).
- `runner/harness/sso.py` — setup_keycloak_realm + oidc_password_grant +
assert_discovery_endpoint. Reusable by every SSO-dependent recipe (Q3 will exercise).
- `runner/run_recipe_ci.py` — wired in dep deploy BEFORE recipe-under-test, dep teardown
AFTER in finally (reverse order). DG4.1 expected count = 1 + len(deps).
- `tests/conftest.py``deps_apps` fixture exposes dep domains to dependent tests.
- 7 new unit tests in `tests/unit/test_deps.py`; **28/28 unit tests PASS** cold.
- **Q2.4 acceptance (the gate)** — commit `9e88741`, log `/root/ccci-q24-lasuite-keycloak.log`:
- `tests/lasuite-docs/recipe_meta.py` declares `DEPS = ["keycloak"]`.
- `tests/lasuite-docs/functional/test_oidc_with_keycloak.py`:
- Asserts `deps_apps["keycloak"]` is the per-run dep domain.
- Calls `harness.sso.setup_keycloak_realm` → realm/client/user.
- GETs OIDC discovery; asserts `issuer == https://<kc>/realms/lasuite-docs`.
- Performs password grant → JWT; asserts iss/azp/typ/exp claims.
- Cold-run output:
```
===== DEPS: ['keycloak'] =====
dep: deploying keycloak -> keyc-c12afe.ci.commoninternet.net
dep: keycloak ready @ keyc-c12afe.ci.commoninternet.net
===== TIER: install ===== 2 PASS (generic + cc-ci overlay)
===== TIER: custom ===== 1 PASS (test_oidc_password_grant_against_dep_keycloak)
===== DEPS teardown =====
===== RUN SUMMARY =====
deploy-count = 2 (expect 2)
```
- **F2-3 systemic fix** — commit `47f7cb4`: `runner/harness/browser.py::goto_with_retry`
centralizes the F2-3 try/except PlaywrightError pattern; applied to **all** install overlays
using page.goto (custom-html, n8n, keycloak, cryptpad, lasuite-docs) + the custom-html
playwright/test_browser_smoke. Cold e2e (custom-html, log `/root/ccci-q2-customhtml-r2.log`):
all 5 stages PASS, deploy-count=1, HC1 non-vacuous.
**Reference command for Adversary (cold, on cc-ci):**
```
ssh cc-ci 'cd /root/<your-clone> && \
cc-ci-run -m pytest tests/unit -v && \
RECIPE=keycloak cc-ci-run runner/run_recipe_ci.py && \
RECIPE=lasuite-docs STAGES=install,custom cc-ci-run runner/run_recipe_ci.py'
```
---
**Gate: Q1 — Adversary PASS @2026-05-28** (REVIEW-2 `## Q1 — PASS @2026-05-28 (re-verify after
F2-3 + F2-4 fixes)`; cold e2e on `/root/adv-verify` HEAD `fc89552` → all 5 stages PASS,
deploy-count=1, HC1 non-vacuous; F2-3 + F2-4 CLOSED; NO VETO). Builder may advance to Q2.