review(2): Q3.1 lasuite-docs PASS — COLD full lifecycle GREEN (my clone, log adv-lasuite-docs-q31) 5 tiers, deploy-count=1 + deps ['keycloak'], real upgrade crossover 0.3.2+v5.1.0→0.3.3+v5.1.0, P4 postgres ci_marker survives restore (recipe's own restore.post-hook, no PR; non-vacuous drop+assert), clean teardown w/ per-run realm deletion + warm-keycloak preserved; CRITICAL: all 5 custom functional PASSED **NOT SKIPPED** — requires_deps guard did NOT fire — incl §4.3 test_create_doc_and_read_back (OIDC JWT→POST doc→GET roundtrip) + test_oidc_password_grant_against_dep_keycloak (per-run namespaced realm, real JWT iss/azp/typ/exp); P5 SSO-dep auto-deploy proven; no veto
This commit is contained in:
@ -1809,3 +1809,61 @@ DONE-blocker is CLEARED.**
|
||||
upgrade}.py / functional/{_ghost,test_post_roundtrip}.py) + the `a7e2af4` HC1 diff + the STATUS
|
||||
Gate-Q4.4 verification info + my own cold PR=1 full run AND PR=0 negative control. JOURNAL-2 not
|
||||
consulted before this verdict.
|
||||
|
||||
## Q3.1 lasuite-docs — PASS @2026-05-30T07:20Z (COLD, first-hand, my clone /root/adv-verify @origin/main a15c087)
|
||||
|
||||
Cold full-lifecycle re-run from my OWN clone — the exact claimed command
|
||||
`RECIPE=lasuite-docs STAGES=install,upgrade,backup,restore,custom cc-ci-run runner/run_recipe_ci.py`
|
||||
— log `/root/adv-lasuite-docs-q31.log`. First SSO-dependent recipe formally gated this session.
|
||||
|
||||
**Full lifecycle GREEN.**
|
||||
- RUN SUMMARY: `deploy-count = 1 (expect 1)`; `deps deployed: ['keycloak']`;
|
||||
`install/upgrade/backup/restore/custom` **all pass**.
|
||||
- Upgrade: `head_ref=290a8ad7 chaos-version=290a8ad7 version=0.3.2+v5.1.0→0.3.3+v5.1.0` (HC1,
|
||||
head_ref==chaos-version, real prev→PR-head crossover); `test_upgrade_preserves_data PASSED`.
|
||||
- P4: `test_backup_captures_state PASSED` + `test_restore_returns_state PASSED` — the postgres
|
||||
`ci_marker` survives the recipe's pg_backup.sh dump→restore. Non-vacuous: `ops.pre_restore` DROPs
|
||||
the table AND asserts the drop took (`to_regclass` empty). **No recipe-PR needed** — lasuite-docs's
|
||||
recipe HAS a real `restore.post-hook` that reloads the dump (unlike ghost/mattermost/immich).
|
||||
- Clean teardown: post-run no lasuite-docs stack; 0 lasuite/docs secrets / 0 volumes; `===== DEPS
|
||||
teardown =====` ran (per-run realm deleted); the shared `warm-keycloak` stack correctly preserved.
|
||||
|
||||
**P3/P5 — the SSO crux — all 5 custom functional PASSED, and (critically) NONE SKIPPED.** The OIDC
|
||||
and create-doc tests carry `@pytest.mark.requires_deps`, which SKIPs them with `deps-not-ready` if the
|
||||
keycloak dep setup fails — a skipped test would NOT fail the tier, so a green "custom: pass" with these
|
||||
SKIPPED would be a false health-only pass. I grepped specifically: **no SKIPPED, no deps-not-ready** —
|
||||
every one genuinely RAN:
|
||||
- `test_create_doc::test_create_doc_and_read_back PASSED` (6.01s, §4.3) — obtains a real OIDC JWT via
|
||||
password grant against the dep keycloak → `POST /api/v1.0/documents/` (unique title) → `GET
|
||||
/api/v1.0/documents/<id>/` → asserts id+title round-trip through nginx→backend→postgres. Real
|
||||
create-an-object + read-back, unique per run.
|
||||
- `test_oidc_with_keycloak::test_oidc_password_grant_against_dep_keycloak PASSED` (0.67s) — asserts the
|
||||
per-run realm is namespaced `lasuite-docs-<6hex>` (WC1 collision-safety), discovery issuer matches,
|
||||
and a REAL JWT comes back with iss/azp/typ/exp verified (decoded payload). Genuine OIDC against the
|
||||
live provider, not mocked.
|
||||
- `test_oidc_login::test_oidc_login_via_keycloak PASSED`,
|
||||
`test_auth_required::test_users_me_requires_auth PASSED` (auth-gating),
|
||||
`test_health_check::test_lasuite_docs_returns_200 PASSED`.
|
||||
- **P5 dependency resolution proven:** the orchestrator auto-provisioned a per-run keycloak realm/
|
||||
client/user on the warm provider before the recipe deploy (`deps deployed: ['keycloak']`) and tore
|
||||
the realm down in `finally` — exactly the pluggable SSO-dep path the plan requires.
|
||||
|
||||
**P2 parity** ported (`tests/lasuite-docs/PARITY.md`). **P6 N/A** (collaborative-editor UI exercised
|
||||
at the API level; no browser-only flow owed for this gate). **P7** — no weakened/mocked tests; the
|
||||
requires_deps SKIP guard did NOT fire (tests ran for real); OIDC is against a real keycloak.
|
||||
|
||||
**Break-it checks:** (1) confirmed the requires_deps tests RAN, not SKIPPED (the key vacuousness risk
|
||||
for SSO-dep recipes); (2) in-band pre_restore drop+assert-took proves P4 teeth; (3) per-run unique doc
|
||||
title defeats stale-response false-pass; (4) deploy-count=1 (no hidden redeploy); (5) clean teardown
|
||||
incl. per-run realm deletion + warm-keycloak preserved.
|
||||
|
||||
**Verdict: Q3.1 lasuite-docs PASS.** Full lifecycle GREEN cold, deploy-count=1 + keycloak dep, real
|
||||
upgrade crossover 0.3.2→0.3.3, P4 data-integrity non-vacuous (recipe's own restore hook, no PR),
|
||||
§4.3 create-doc real, OIDC-with-keycloak real (per-run namespaced realm, real JWT) — all RAN not
|
||||
skipped, clean teardown with realm deletion. No `## VETO`. Advances P1 coverage (lasuite-docs full
|
||||
green) + demonstrates the P5 SSO-dep auto-deploy path end-to-end.
|
||||
|
||||
**Isolation note:** verdict from the plan (P1–P8) + the test code (ops.py / test_{restore,backup,
|
||||
upgrade}.py / functional/{test_create_doc,test_oidc_with_keycloak,test_oidc_login,test_auth_required}.py)
|
||||
+ recipe_meta DEPS + the STATUS Gate-Q3.1 verification info + my own cold full-lifecycle run.
|
||||
JOURNAL-2 not consulted before this verdict.
|
||||
|
||||
Reference in New Issue
Block a user