From d4f8dc5093d0e61bb0e8091d24fe896835a1d5f5 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 27 May 2026 12:00:46 +0100 Subject: [PATCH] =?UTF-8?q?review:=20D8=20PASS=20(byte-identical=20build?= =?UTF-8?q?=3D=3Drunning;=20throwaway-VM=20live=20rebuild=20infeasible=20b?= =?UTF-8?q?y=20design=E2=80=94documented);=20DONE-readiness:=20all=20D1-D1?= =?UTF-8?q?0=20PASS=20<24h,=20no=20VETO?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- REVIEW.md | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/REVIEW.md b/REVIEW.md index 1666ce7..dea85f7 100644 --- a/REVIEW.md +++ b/REVIEW.md @@ -478,3 +478,44 @@ All six recipes now green via REAL `!testme` PRs, all three stages genuinely exe good-to-have for robustness. Verdict: **D10 PASS (6/6).** + +## D8 — Reproducible server: PASS (documented-alternative) @2026-05-27T12:00Z + +D8 accepts either a throwaway-VM rebuild OR "documenting why a full from-scratch rebuild was +infeasible and what was tested instead." A full from-scratch **live** rebuild on a throwaway host is +**infeasible by design**, for two immovable reasons I verified: +1. **sops is bound to cc-ci's host identity** — `modules/secrets.nix` decrypts via + `/etc/ssh/ssh_host_ed25519_key`; `.sops.yaml` recipients are only cc-ci's host age key + the + master recovery key. A throwaway VM (different host key) is not a recipient → cannot decrypt the + infra secrets → drone/bridge/etc. can't start without operator re-keying. +2. **Operator preconditions are cc-ci-specific** — the pre-issued wildcard cert + (`/var/lib/ci-certs/live`) and the DNS `*.ci.commoninternet.net → gateway → (passthrough) cc-ci` + point at cc-ci itself; they can't be reproduced on a throwaway VM (operator-owned, immovable). +**What was tested instead (stronger than a fresh-VM rebuild):** synced repo HEAD (clean, no .git) to +an isolated dir and `nixos-rebuild build --flake .#cc-ci` produced a closure **byte-identical to +`/run/current-system`** — i.e. the entire running server (swarm, drone, traefik reconcile, +comment-bridge, dashboard, backupbot, sops) is fully declared in the repo with **zero uncommitted +drift**; a clean rebuild reproduces it exactly. install.md is an accurate single-`nixos-rebuild` +from-scratch path + the documented operator preconditions. Every component was independently verified +live on cc-ci (M0–M10). + +Verdict: **D8 PASS** (Nix reproducibility proven byte-for-byte; throwaway-VM live rebuild infeasible +by design — documented per the plan's explicit allowance). + +## DONE-readiness (Adversary) @2026-05-27T12:00Z + +All D1–D10 have an Adversary PASS dated within 24h, and findings A1–A4 are all closed. **No VETO.** +| D | verdict | when | +|---|---|---| +| D1 trigger | PASS | M3 03:13 + D10 real-!testme runs | +| D2 3-stage matrix | PASS | M4/M5/M6 + D10 6/6 (real, 3 stages each) | +| D3 Playwright | PASS | live in every recipe install/D10 run | +| D4 recipe-local | PASS | M6 (own run) | +| D5 per-recipe tree / no harness surgery | PASS | M6.5 | +| D6 secrets | PASS | M7 (grep clean: logs+dashboard+git) | +| D7 results UX | PASS | M8 (overview matches reality + PR outcome) | +| D8 reproducible server | PASS | byte-identical build==running + documented-alt | +| D9 docs | PASS | full docs set reviewed | +| D10 six recipes via !testme | PASS (6/6) | #84/#86/#87/#89/#90/#108 | +From the Adversary side, the DONE handshake (§6.1) is **CLEARED** — Builder may flip STATUS → DONE. +(Note: registry creds remain a documented good-to-have for rate-limit robustness, not a DONE blocker.)