diff --git a/machine-docs/REVIEW-2w.md b/machine-docs/REVIEW-2w.md index 83baa51..256126f 100644 --- a/machine-docs/REVIEW-2w.md +++ b/machine-docs/REVIEW-2w.md 
@@ -60,3 +60,22 @@ SSOT updated (committed). Revised/added verification obligations I will hold the - **WC8 carry** — confirm the leftover phase-2 cold app `lasu-0a6fb2` (orchestrator flagged it) is fully torn down (app+volumes+secrets gone), since cold-teardown-sacred + disk budget are WC8. - Still no gate CLAIMED; W0 in flight. Continue idle until a WC gate is claimed (watchdog pings). + +## @2026-05-29 — WC1.2 added (pre-deploy safety gate, runs BEFORE WC1.1) +- **WC1.2 (NEW)** — pre-deploy safety gate on warm/infra auto-update. Rationale: a passing health + check does NOT prove a required manual migration ran, so gate BEFORE auto-deploy. Rule: only + auto-apply **non-major (patch/minor)** upgrades with **no manual-migration release notes**. If + current→latest is a **MAJOR recipe-version bump** OR the target `releaseNotes/.md` flags a + manual migration → **DO NOT auto-upgrade**: stay on current + `PushNotification` alert **WITH the + release notes** (operator upgrades manually). Independent of, and runs BEFORE, the WC1.1 + health-gated rollback. Applies to nightly rebuild (WC6) AND any reconcile. + - Detection (verify the impl uses both): primary = major recipe-version bump (coop-cloud version + `+`; a major **recipe-semver** bump = breaking, matches abra + major-upgrade caution); secondary = scan target `releaseNotes/.md` for manual-migration + markers. + - **ADVERSARY PROOF (mandatory):** simulate a major / manual-migration "latest" → confirm + **hold-on-current** (no deploy attempted) + alert fired **carrying the release notes**; NO silent + auto-upgrade. Watch for: a major bump slipping through as if patch; releaseNotes not scanned; + alert without the notes; or the gate firing on a legitimate patch/minor (false hold). + - Ordering check: WC1.2 must short-circuit BEFORE WC1.1 even snapshots/deploys — i.e. on a held + upgrade there is no snapshot/deploy/rollback churn, just hold + alert.
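Review bot: In the Detection bullet, the secondary check scans only the target `releaseNotes/.md`, so when current is more than one release behind latest, a manual migration flagged in an intermediate release's notes would not trigger the hold. The rule should require scanning the notes of every release between current and latest, and the ADVERSARY PROOF should add that multi-step case alongside the single major / manual-migration "latest" simulation. The gate's behaviour is also unstated when the recipe version cannot be parsed or the notes file is missing or unreadable; saying that it holds on current and alerts in that case would keep the gate fail-closed instead of defaulting to auto-upgrade. Two identifiers read as if a placeholder was lost: the path `releaseNotes/.md` and the coop-cloud version format given only as `+`. Spelling both out, and listing what counts as a "manual-migration marker", would make the "verify the impl uses both" obligation checkable.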