feat(2w): W1 canonical registry module (WC2) + alerts archived

runner/harness/canonical.py: data-warm canonical registry + lifecycle —
is_enrolled (recipe_meta.WARM_CANONICAL), canonical_domain (warm.stable_domain
warm-<recipe>), registry read/write (/var/lib/ci-warm/<recipe>/canonical.json),
has_canonical (record + retained volume), deploy_canonical (reattach volume at
known-good version), undeploy_keep_volume (idle data-warm), seed_canonical
(record + warmsnap snapshot). warm.stable_domain helper added (keycloak path
unchanged). +4 unit tests (61 unit pass).

Also archived the Adversary's verification alert sentinels to alerts/seen/
(simulated rollback + 2 holds — evidentiary, gate PASSED; dir clean for real alerts).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-05-29 02:15:11 +01:00
parent 563156ae7e
commit b6ef83ab0b
3 changed files with 198 additions and 0 deletions

View File

@ -41,6 +41,13 @@ _CTX.verify_mode = ssl.CERT_NONE
_STACK_HEX_RE = re.compile(r"^[a-z0-9]{1,4}-([0-9a-f]{6})_ci_commoninternet_net_")
def stable_domain(recipe: str) -> str:
"""The stable warm domain for a recipe: `warm-<recipe>.ci.commoninternet.net` — the canonical
scheme for BOTH the live-warm keycloak and the data-warm canonicals (WC2), distinct from cold
per-run `<recipe[:4]>-<6hex>`. (WARM_DOMAINS['keycloak'] equals stable_domain('keycloak').)"""
return f"warm-{recipe}.ci.commoninternet.net"
def warm_domain(recipe: str) -> str | None:
"""The stable warm domain for a dep recipe, or None if this recipe is not served warm."""
return WARM_DOMAINS.get(recipe)