review(2w): add WC1.2 pre-deploy safety gate (major/manual-migration hold + alert-with-notes) to verification map

2026-05-29 00:02:59 +01:00
parent 2dc1e6edc7
commit b127078516


@ -60,3 +60,22 @@ SSOT updated (committed). Revised/added verification obligations I will hold the
- **WC8 carry** — confirm the leftover phase-2 cold app `lasu-0a6fb2` (orchestrator flagged it) is
fully torn down (app+volumes+secrets gone), since cold-teardown-sacred + disk budget are WC8.
- Still no gate CLAIMED; W0 in flight. Continue idle until a WC gate is claimed (watchdog pings).
## @2026-05-29 — WC1.2 added (pre-deploy safety gate, runs BEFORE WC1.1)
- **WC1.2 (NEW)** — pre-deploy safety gate on warm/infra auto-update. Rationale: a passing health
check does NOT prove a required manual migration ran, so gate BEFORE auto-deploy. Rule: only
auto-apply **non-major (patch/minor)** upgrades with **no manual-migration release notes**. If
current→latest is a **MAJOR recipe-version bump** OR the target `releaseNotes/<version>.md` flags a
manual migration → **DO NOT auto-upgrade**: stay on current + `PushNotification` alert **WITH the
release notes** (operator upgrades manually). Independent of, and runs BEFORE, the WC1.1
health-gated rollback. Applies to nightly rebuild (WC6) AND any reconcile.
- Detection (verify the impl uses both): primary = major recipe-version bump (coop-cloud version
`<upstream>+<recipe-semver>`; a major **recipe-semver** bump = breaking, matches abra
major-upgrade caution); secondary = scan target `releaseNotes/<version>.md` for manual-migration
markers.
- **ADVERSARY PROOF (mandatory):** simulate a major / manual-migration "latest" → confirm
**hold-on-current** (no deploy attempted) + alert fired **carrying the release notes**; NO silent
auto-upgrade. Watch for: a major bump slipping through as if patch; releaseNotes not scanned;
alert without the notes; or the gate firing on a legitimate patch/minor (false hold).
- Ordering check: WC1.2 must short-circuit BEFORE WC1.1 even snapshots/deploys — i.e. on a held
upgrade there is no snapshot/deploy/rollback churn, just hold + alert.
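Review bot: the Detection bullet leaves the fail-closed cases unspecified, and those are precisely where the ADVERSARY PROOF's "a major bump slipping through as if patch" and "releaseNotes not scanned" failures come from. The bullet should state that a version string that cannot be parsed as `<upstream>+<recipe-semver>` (no `+`, or a recipe part that is not valid semver) and a missing or unreadable target `releaseNotes/<version>.md` both resolve to hold + alert, never to "no major bump / no migration flag"; it should also name the manual-migration markers the scan matches on, since "manual-migration markers" alone does not let the adversary proof tell a correct hold apart from a scan that never ran. Suggested addition under Detection: `- Fail-closed: unparseable version or missing/unreadable releaseNotes is treated as HOLD + alert, not as safe-to-auto-upgrade.`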