diff --git a/machine-docs/REVIEW-2.md b/machine-docs/REVIEW-2.md index 38f6477..b1db38c 100644 --- a/machine-docs/REVIEW-2.md +++ b/machine-docs/REVIEW-2.md 
@@ -1809,3 +1809,61 @@ DONE-blocker is CLEARED.** upgrade}.py / functional/{_ghost,test_post_roundtrip}.py) + the `a7e2af4` HC1 diff + the STATUS Gate-Q4.4 verification info + my own cold PR=1 full run AND PR=0 negative control. JOURNAL-2 not consulted before this verdict. + +## Q3.1 lasuite-docs — PASS @2026-05-30T07:20Z (COLD, first-hand, my clone /root/adv-verify @origin/main a15c087) + +Cold full-lifecycle re-run from my OWN clone — the exact claimed command +`RECIPE=lasuite-docs STAGES=install,upgrade,backup,restore,custom cc-ci-run runner/run_recipe_ci.py` +— log `/root/adv-lasuite-docs-q31.log`. First SSO-dependent recipe formally gated this session. + +**Full lifecycle GREEN.** +- RUN SUMMARY: `deploy-count = 1 (expect 1)`; `deps deployed: ['keycloak']`; + `install/upgrade/backup/restore/custom` **all pass**. +- Upgrade: `head_ref=290a8ad7 chaos-version=290a8ad7 version=0.3.2+v5.1.0→0.3.3+v5.1.0` (HC1, + head_ref==chaos-version, real prev→PR-head crossover); `test_upgrade_preserves_data PASSED`. +- P4: `test_backup_captures_state PASSED` + `test_restore_returns_state PASSED` — the postgres + `ci_marker` survives the recipe's pg_backup.sh dump→restore. Non-vacuous: `ops.pre_restore` DROPs + the table AND asserts the drop took (`to_regclass` empty). **No recipe-PR needed** — lasuite-docs's + recipe HAS a real `restore.post-hook` that reloads the dump (unlike ghost/mattermost/immich). +- Clean teardown: post-run no lasuite-docs stack; 0 lasuite/docs secrets / 0 volumes; `===== DEPS + teardown =====` ran (per-run realm deleted); the shared `warm-keycloak` stack correctly preserved. + +**P3/P5 — the SSO crux — all 5 custom functional PASSED, and (critically) NONE SKIPPED.** The OIDC +and create-doc tests carry `@pytest.mark.requires_deps`, which SKIPs them with `deps-not-ready` if the +keycloak dep setup fails — a skipped test would NOT fail the tier, so a green "custom: pass" with these +SKIPPED would be a false health-only pass. 
I grepped specifically: **no SKIPPED, no deps-not-ready** — +every one genuinely RAN: +- `test_create_doc::test_create_doc_and_read_back PASSED` (6.01s, §4.3) — obtains a real OIDC JWT via + password grant against the dep keycloak → `POST /api/v1.0/documents/` (unique title) → `GET + /api/v1.0/documents//` → asserts id+title round-trip through nginx→backend→postgres. Real + create-an-object + read-back, unique per run. +- `test_oidc_with_keycloak::test_oidc_password_grant_against_dep_keycloak PASSED` (0.67s) — asserts the + per-run realm is namespaced `lasuite-docs-<6hex>` (WC1 collision-safety), discovery issuer matches, + and a REAL JWT comes back with iss/azp/typ/exp verified (decoded payload). Genuine OIDC against the + live provider, not mocked. +- `test_oidc_login::test_oidc_login_via_keycloak PASSED`, + `test_auth_required::test_users_me_requires_auth PASSED` (auth-gating), + `test_health_check::test_lasuite_docs_returns_200 PASSED`. +- **P5 dependency resolution proven:** the orchestrator auto-provisioned a per-run keycloak realm/ + client/user on the warm provider before the recipe deploy (`deps deployed: ['keycloak']`) and tore + the realm down in `finally` — exactly the pluggable SSO-dep path the plan requires. + +**P2 parity** ported (`tests/lasuite-docs/PARITY.md`). **P6 N/A** (collaborative-editor UI exercised +at the API level; no browser-only flow owed for this gate). **P7** — no weakened/mocked tests; the +requires_deps SKIP guard did NOT fire (tests ran for real); OIDC is against a real keycloak. + +**Break-it checks:** (1) confirmed the requires_deps tests RAN, not SKIPPED (the key vacuousness risk +for SSO-dep recipes); (2) in-band pre_restore drop+assert-took proves P4 teeth; (3) per-run unique doc +title defeats stale-response false-pass; (4) deploy-count=1 (no hidden redeploy); (5) clean teardown +incl. per-run realm deletion + warm-keycloak preserved. 
+ +**Verdict: Q3.1 lasuite-docs PASS.** Full lifecycle GREEN cold, deploy-count=1 + keycloak dep, real +upgrade crossover 0.3.2→0.3.3, P4 data-integrity non-vacuous (recipe's own restore hook, no PR), +§4.3 create-doc real, OIDC-with-keycloak real (per-run namespaced realm, real JWT) — all RAN not +skipped, clean teardown with realm deletion. No `## VETO`. Advances P1 coverage (lasuite-docs full +green) + demonstrates the P5 SSO-dep auto-deploy path end-to-end. + +**Isolation note:** verdict from the plan (P1–P8) + the test code (ops.py / test_{restore,backup, +upgrade}.py / functional/{test_create_doc,test_oidc_with_keycloak,test_oidc_login,test_auth_required}.py) ++ recipe_meta DEPS + the STATUS Gate-Q3.1 verification info + my own cold full-lifecycle run. +JOURNAL-2 not consulted before this verdict.
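Review bot: In the `test_oidc_with_keycloak` bullet, "a REAL JWT comes back with iss/azp/typ/exp verified (decoded payload)" overstates what the text shows, because decoding a payload checks claims only and does not by itself validate the token's signature. Either state that the test verifies the signature against the per-run realm's published keys, or reword to something like "claims iss/azp/typ/exp asserted from the decoded payload" so the P7 claim of genuine OIDC is not read as full token validation. Two smaller points in the same hunk: the "I grepped specifically: **no SKIPPED, no deps-not-ready**" sentence is the key evidence against a vacuous pass, yet it records neither the pattern used nor the pytest summary counts from `/root/adv-lasuite-docs-q31.log`, so a later reader cannot re-check it without that log; and `GET /api/v1.0/documents//` in the `test_create_doc` bullet has an empty path segment where the document id placeholder appears to be missing.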