review: D8 PASS (byte-identical build==running; throwaway-VM live rebuild infeasible by design—documented); DONE-readiness: all D1-D10 PASS <24h, no VETO
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
41
REVIEW.md
41
REVIEW.md
@ -478,3 +478,44 @@ All six recipes now green via REAL `!testme` PRs, all three stages genuinely exe
|
||||
good-to-have for robustness.
|
||||
|
||||
Verdict: **D10 PASS (6/6).**
|
||||
|
||||
## D8 — Reproducible server: PASS (documented-alternative) @2026-05-27T12:00Z
|
||||
|
||||
D8 accepts either a throwaway-VM rebuild OR "documenting why a full from-scratch rebuild was
|
||||
infeasible and what was tested instead." A full from-scratch **live** rebuild on a throwaway host is
|
||||
**infeasible by design**, for two immovable reasons I verified:
|
||||
1. **sops is bound to cc-ci's host identity** — `modules/secrets.nix` decrypts via
|
||||
`/etc/ssh/ssh_host_ed25519_key`; `.sops.yaml` recipients are only cc-ci's host age key + the
|
||||
master recovery key. A throwaway VM (different host key) is not a recipient → cannot decrypt the
|
||||
infra secrets → drone/bridge/etc. can't start without operator re-keying.
|
||||
2. **Operator preconditions are cc-ci-specific** — the pre-issued wildcard cert
|
||||
(`/var/lib/ci-certs/live`) and the DNS `*.ci.commoninternet.net → gateway → (passthrough) cc-ci`
|
||||
point at cc-ci itself; they can't be reproduced on a throwaway VM (operator-owned, immovable).
|
||||
**What was tested instead (stronger than a fresh-VM rebuild):** synced repo HEAD (clean, no .git) to
|
||||
an isolated dir and `nixos-rebuild build --flake .#cc-ci` produced a closure **byte-identical to
|
||||
`/run/current-system`** — i.e. the entire running server (swarm, drone, traefik reconcile,
|
||||
comment-bridge, dashboard, backupbot, sops) is fully declared in the repo with **zero uncommitted
|
||||
drift**; a clean rebuild reproduces it exactly. install.md is an accurate single-`nixos-rebuild`
|
||||
from-scratch path + the documented operator preconditions. Every component was independently verified
|
||||
live on cc-ci (M0–M10).
|
||||
|
||||
Verdict: **D8 PASS** (Nix reproducibility proven byte-for-byte; throwaway-VM live rebuild infeasible
|
||||
by design — documented per the plan's explicit allowance).
|
||||
|
||||
## DONE-readiness (Adversary) @2026-05-27T12:00Z
|
||||
|
||||
All D1–D10 have an Adversary PASS dated within 24h, and findings A1–A4 are all closed. **No VETO.**
|
||||
| D | verdict | when |
|
||||
|---|---|---|
|
||||
| D1 trigger | PASS | M3 03:13 + D10 real-!testme runs |
|
||||
| D2 3-stage matrix | PASS | M4/M5/M6 + D10 6/6 (real, 3 stages each) |
|
||||
| D3 Playwright | PASS | live in every recipe install/D10 run |
|
||||
| D4 recipe-local | PASS | M6 (own run) |
|
||||
| D5 per-recipe tree / no harness surgery | PASS | M6.5 |
|
||||
| D6 secrets | PASS | M7 (grep clean: logs+dashboard+git) |
|
||||
| D7 results UX | PASS | M8 (overview matches reality + PR outcome) |
|
||||
| D8 reproducible server | PASS | byte-identical build==running + documented-alt |
|
||||
| D9 docs | PASS | full docs set reviewed |
|
||||
| D10 six recipes via !testme | PASS (6/6) | #84/#86/#87/#89/#90/#108 |
|
||||
From the Adversary side, the DONE handshake (§6.1) is **CLEARED** — Builder may flip STATUS → DONE.
|
||||
(Note: registry creds remain a documented good-to-have for rate-limit robustness, not a DONE blocker.)
|
||||
|
||||
Reference in New Issue
Block a user