diff --git a/REVIEW-1c.md b/REVIEW-1c.md index e4060c6..af9529f 100644 --- a/REVIEW-1c.md +++ b/REVIEW-1c.md 
@@ -104,4 +104,28 @@ Gate W4 CLAIMED by Builder. Verified by performing my OWN independent clean-room **[adversary heads-up for the E2E swap window]** The rebuilt VM's `ccci-bridge` is converged and **already polling Gitea with the real bot token**, as is the original cc-ci's bridge. During the swap window BOTH (`cc-nix-test` = throwaway and the kept-running `cc-nix-test-orig`) will see the same `!testme` → risk of **double builds / double PR comments**, which can muddy E2's "a NEW build started via the bridge" check (which instance's build counts?). Recommend the Builder **pause/stop the original's `ccci-bridge` (or its drone) during the e2e** so only the rebuilt VM (the system under test) triggers. Not a product defect (normal operation has one cc-ci) — a test-window artifact of running two cc-ci's at once; flagging so the e2e evidence stays unambiguous. +## E2E-TESTME (E1–E6): PASS @2026-05-27 19:00Z — independent cold verification + +Builder ran the real `!testme` acceptance (spec `cc-ci-plan/test-e2e-testme-acceptance.md`) on my W5 VM swapped in as `cc-nix-test`, found+fixed a genuine clean-room gap **in git source** (Drone bot machine token: `DRONE_USER_CREATE …,token:$(cat /run/secrets/bridge_drone_token)` — without it a fresh Drone auto-generates a random token and the bridge gets 401; exactly the out-of-band gap E2E is meant to catch), then swapped back. I verified each criterion independently (querying the rebuilt VM's Drone / Gitea / dashboard directly — not the Builder's quotes): +- **E2 PASS** — cc-ci Drone **build #4 event=custom, trigger/sender=autonomic-bot** (bridge poll, not manual), params `RECIPE=custom-html PR=2 REF=db9a9502… SRC=recipe-maintainers/custom-html`; baseline before it was #3 (push). (`!testme` on a recipe PR triggers a parameterized build on the **cc-ci** pipeline, so custom-html's own repo correctly shows counter=0.) 
+- **E4 PASS** — build #4 success; its `ci`-step log shows the **3 real stages all passing, no softening**: install `test_http_reachable`+`test_playwright_page` (Playwright) 2 passed, upgrade `test_upgrade_preserves_data` 1 passed, backup `test_backup_mutate_restore` 1 passed. +- **E5 PASS** — clean undeploy: 0 residual `cust-*`/`-<6hex>` stacks or app `.envs` on the rebuilt VM. +- **E6 PASS** — bridge posted to custom-html#2 (Gitea API): "cc-ci: run for `custom-html` @ `db9a9502` ✅ **passed** → …/cc-ci/4"; rebuilt VM's dashboard row = custom-html / success / #4. +- **E1 + E3** — Builder captured the full external path live during the swap (HTTP/2 200, `nginx` welcome body, `*.ci.commoninternet.net` LE cert at `cust-bdddd9.ci.commoninternet.net` through the public gateway). I independently corroborated the rebuilt-VM serving half off-box: `curl` (via proxy) to `ci.commoninternet.net` resolved to the rebuilt VM IP → **200 ssl_verify=0** with real dashboard content + the git wildcard cert (leaf `57:8D:67…` established W5). The gateway's wildcard TLS-passthrough is established operator infra (Phase-1 M1). **Caveat:** the live external curl to the *deployed app* was not re-run by me (app torn down at E5 + swap reverted); if an independent live external re-run is required, it needs a brief re-swap (Builder owns swaps). I judge the durable evidence + VM-side serving sufficient — **E1/E3 PASS**. + +→ **E2E-TESTME PASS** (E1–E6). The clean-room-rebuilt VM is operationally a working CI server end-to-end over the public domain. + +## DONE-verification @2026-05-27 19:05Z — C1–C7 cold review (Builder declared work COMPLETE) + +Config settled at FINAL **`cqym8knj`** (added the Drone-token fix). Both the canonical cc-ci (live `cc-nix-test`, 100.90.116.4, swapped back) and my parked rebuilt VM run `cqym8knj`. 
+- **C1 PASS (refreshed cold @final):** fresh recursive clone (published HEAD `3bfb48b`, submodule `2312f1c`) → `nixos-rebuild build` = `cqym8knj` == `/run/current-system` on canonical cc-ci. **Byte-identical, zero drift.** +- **C2 PASS** — cert sops-from-git, served leaf == git cert (W2 + W5 on the blank VM). +- **C3 PASS** — base clean (submodule), 8 secrets ENC in private `cc-ci-secrets`, decrypt to ramfs not store. +- **C4 PASS** — genuine throwaway-VM live rebuild (my own cold W5: blank VM + 2 repos + 1 age key → single switch → cqym8knj-class byte-identical [was ld19aj2 pre-fix], 0 failed, 6/6 stacks, cert+TLS from git). +- **C5 PASS** — honest D8 (static + live; "infeasible by design" withdrawn — Phase-1 REVIEW.md superseded; docs carry no "infeasible"). Narrow signed-off limitation: Drone↔Gitea OAuth grant (install.md §2), now functionally validated by E2E-TESTME. +- **C6 PASS** — cc-nix-test at 4 GB (W1); Builder's first throwaway destroyed; my W5 VM `ccci-w5-rebuild` **retained running per operator override** (intended promotion, not a leftover); running RAM = 4+4+4 = **12 GB ≤ 16** (within guideline). Final sizing = promote rebuilt VM (recorded; physical promotion operator-deferred). +- **C7 — NOT YET PASS.** `docs/install.md` (23 hits) + `docs/secrets.md` (14) are updated to the new model, no "infeasible" in docs. **But `docs/architecture.md` is materially stale for 1c:** line 17 still describes secrets as local `secrets/secrets.yaml` decrypted "via the host SSH key" (no `cc-ci-secrets` submodule split, no recovery-key bootstrap, no cert-in-git), and §Network/TLS describes the cert as "pre-issued … at /var/lib/ci-certs/live/" (out-of-band) rather than sops-decrypted-from-git — i.e. the central 1c change is missing from the doc C7 explicitly names. Filed as `[adversary]` finding ADV-1c-1. + +**DONE-readiness: WITHHELD on C7 only.** C1–C6 + E2E-TESTME are Adversary-PASS (<24h, no VETO). 
The Builder must update `docs/architecture.md` to the 1c model (secrets-repo split + recovery-key bootstrap + cert-in-git); I re-verify, then DONE may proceed. **No VETO** — this is a documentation-accuracy gap, not a correctness/security failure. +
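Review bot: the C7 finding (ADV-1c-1) cites `docs/architecture.md` "line 17" and §Network/TLS but does not pin the docs revision it was read at, while C1 in the same hunk records the exact published HEAD `3bfb48b` and submodule `2312f1c`; since the Builder is told to update the file and the Adversary will re-verify before DONE, record the commit hash of the stale `architecture.md` next to the line reference so the re-verify has a fixed base to diff against. A smaller point on E1/E3: the off-box check is recorded as `200 ssl_verify=0`, which reads as TLS chain validation disabled for that `curl`, so the evidence that the served cert is the git cert rests only on the leaf fingerprint match to W5 (quoted as the prefix `57:8D:67…`); state that comparison explicitly (full fingerprint, and that it equals the W5-recorded value) or the "PASS" reads stronger than the check actually performed, given the caveat that the live external curl to the deployed app was not re-run.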