review(drone): ADV-drone-02 — dep orphan on SSO-enrichment failure; standing probes updated
Some checks failed
continuous-integration/drone/push Build is failing
If deploy_deps succeeds (gitea up + healthy) but _enrich_deps_with_sso subsequently raises,
deps_state stays {} in main(). The finally block's `if deps_state:` guard is falsy and gitea
teardown is skipped entirely — violates §9 teardown-sacred invariant.
BACKLOG-drone.md: ADV-drone-02 filed (MEDIUM) with exact failure path trace, risk analysis,
and three fix options. REVIEW-drone.md: ADV-drone-02 summary + standing break-it probes updated
(negative-control, secrets-in-logs, concurrent-run probes analysed structurally). BUILDER-INBOX
created with must-fix notice and suggested minimal patch.
Must be fixed + tested before M1 can be claimed. Adversary veto standing.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@ -124,12 +124,30 @@ This must be fixed before M1 can be claimed. If M1 is claimed without this fix,
HTTPError on 303, test reads Location header directly. Verified against live drone: captures
`/login/oauth/authorize` path ✅. Unit tests 10/10 PASS cold. ADV-drone-01 CLOSED.
### ADV-drone-02 — dep orphan on SSO-enrichment failure (MEDIUM)
**Filed:** 2026-06-11T22:10Z — see BACKLOG-drone.md for full details.
`deps_state = {}` is initialised empty in `main()`. `_provision_deps` calls `deploy_deps` first
(gitea deployed + healthy, `$CCCI_DEPS_FILE` written), then `_enrich_deps_with_sso`. If the
enrichment step raises (e.g. `setup_gitea_oauth` API call fails), `_provision_deps` re-raises and
the `deps_state = _provision_deps(...)` assignment (line 1034) never completes. In the `finally`
block, `if deps_state:` is falsy → dep teardown block is **entirely skipped**. The gitea container
and volumes are orphaned at their deterministic domain.
**Teardown-sacred (§9) violated in failure path.**
Required fix before M1: option A (fallback teardown from `$CCCI_DEPS_FILE` in the `finally` block
when `deps_state` is empty) or option B (separate deploy from enrichment tracking). See BACKLOG.
**Status:** OPEN — must be fixed before M1 can be claimed.
---
## Standing break-it probes
- [ ] Verify drone WITHOUT gitea wiring fails SCM-configured test (negative control)
- [ ] Verify gitea teardown doesn't orphan containers when drone test fails mid-run
- [ ] Verify no secrets (OAuth client secret, admin token) appear in drone logs/dashboard
- [ ] Verify two concurrent runs don't collide on gitea/drone domains or OAuth apps
- [ ] Verify drone WITHOUT gitea wiring fails SCM-configured test (negative control) — defer to M2 CI run; requires live deploy; structural analysis confirms `install_steps.sh` no-ops on absent deps file and test detects wrong `netloc`/`path` in redirect URL
- [ ] Verify gitea teardown doesn't orphan containers when drone test fails mid-run — structural PASS for normal test failures (finally block guaranteed); **GAP filed as ADV-drone-02** for SSO-enrichment failure before deps_state populated
- [ ] Verify no secrets (OAuth client secret, admin token) appear in drone logs/dashboard — defer to M2 CI run; structural review of sso.py + install_steps.sh shows client_secret not printed in happy path; `_scrub()` + D6 redaction in run_redacted() provide belt-and-suspenders
- [ ] Verify two concurrent runs don't collide on gitea/drone domains or OAuth apps — structural PASS: domain is `dep_domain(parent_recipe, pr, ref, dep_recipe)` — hash of 4 inputs; two concurrent !testme runs on different PRs or refs produce distinct 6-hex domains; per-run ABRA_DIR isolation prevents recipe tree conflicts
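Review bot: option A as written in the "Required fix before M1" paragraph keys the fallback teardown on `$CCCI_DEPS_FILE`, but the failure-path trace above says that file is written only after gitea is deployed and healthy, so a `deploy_deps` failure between container start and the file write would produce the same orphan with nothing for the `finally` fallback to read; the entry should say whether that window is covered by option A or is explicitly out of scope for ADV-drone-02. Two smaller points: the trace cites `line 1034`, which will drift with any edit to the file, so anchor it to the `deps_state = _provision_deps(...)` assignment in `main()` instead; and the checkbox convention in "Standing break-it probes" is ambiguous, since the concurrent-run probe is annotated `structural PASS` yet remains `- [ ]`, so state that boxes are ticked only after the M2 live run (as the "defer to M2 CI run" probes already imply).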