M6.5: cryptpad (recipe #3) full 3-stage green on host; record set_env/RESTIC backup fix
All checks were successful
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
10
BACKLOG.md
@ -78,7 +78,15 @@ Two single-writer sections (§6.1): Builder edits only `## Build backlog`; Adver
|
||||
build #39 success (~31m): install 2✓ (realm health + Playwright admin login), upgrade 1✓
|
||||
(`test_upgrade_preserves_realm` — DB data survives), backup 1✓ (`test_backup_mutate_restore`).
|
||||
Clean teardown (0 keyc services/volumes). Proves DB-backed data survival + integration path.
|
||||
- [ ] Enroll recipes 3–6 covering remaining D10 categories, no harness surgery
|
||||
- [x] cryptpad (stateful/no-DB, recipe #3) full 3-stage green on host (cc-ci-run): install 2✓
|
||||
(http + Playwright), upgrade 1✓ (marker in cryptpad_data survives), backup 1✓
|
||||
(`test_backup_mutate_restore`). No harness surgery — added generic per-recipe EXTRA_ENV
|
||||
(handles cryptpad's SANDBOX_DOMAIN). Fixed a real backup bug en route: set_env glued
|
||||
RESTIC_REPOSITORY onto a comment → backupbot had no restic repo (now newline-safe). Drone
|
||||
canonical run = build #46 (in flight).
|
||||
- [ ] Enroll recipes 4–6 covering remaining D10 categories (multi-service+S3, large-volume,
|
||||
TLS-passthrough), no harness surgery
|
||||
- [ ] Re-verify keycloak backup post set_env fix (build #39 ran off an earlier backupbot deploy)
|
||||
- [ ] Gate: M6.5 — recipes 3–6 three-stage green
|
||||
|
||||
### M7 — Secrets hardening (D6)
|
||||
|
||||
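Review bot: The cryptpad (recipe #3) entry is ticked `[x]` on the strength of host runs, while the same entry says "Drone canonical run = build #46 (in flight)". Since the keycloak item was recorded against a completed Drone build (#39), suggest either leaving this box open until build #46 reports, or adding an explicit follow-up item for the build #46 result next to the new "Re-verify keycloak backup post set_env fix" item, so the gate "M6.5 — recipes 3–6 three-stage green" is not read as met from a host-only result.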
27
JOURNAL.md
@ -544,3 +544,30 @@ the 60m build timeout; that's why the run took ~31m. No harness surgery (D5): ke
|
||||
This both advances M6.5 (first DB-backed recipe full 3-stage) and confirms the recipe-ci integration
|
||||
works on a heavy DB-backed recipe (Drone→harness→3 stages→teardown). Next M6.5: enroll recipes 3–6
|
||||
covering the remaining D10 categories (stateful-no-DB, multi-service+S3, large-volume, etc.).
|
||||
|
||||
---
|
||||
## 2026-05-27 — M6.5: cryptpad (recipe #3) enrolled + full 3-stage green; fixed a real backup bug
|
||||
|
||||
Enrolled **cryptpad** (stateful, no external DB — the D10 "stateful/no-DB" category). No shared-harness
|
||||
surgery beyond a *generic* feature: added per-recipe **EXTRA_ENV** (recipe_meta.py dict or
|
||||
domain-callable) applied in `deploy_app` at every deploy path. cryptpad uses it for its required
|
||||
distinct `SANDBOX_DOMAIN` (a sibling subdomain under the wildcard, so no cert work). Data-survival
|
||||
tests write a marker into the backed-up `cryptpad_data` volume and read it via `exec_in_app`
|
||||
(cryptpad's datastore isn't HTTP-served like custom-html).
|
||||
|
||||
Host runs (HOME=/root, cc-ci-run): install **2 passed** (~2m; http 200 + Playwright loads cryptpad),
|
||||
upgrade **1 passed** (~1m; marker survives previous→current), backup **1 passed** after a fix
|
||||
(below). Clean teardown (0 cryp services/volumes).
|
||||
|
||||
**Real bug found+fixed — backups were silently mis-wired (set_env newline).** cryptpad backup first
|
||||
failed: `abra app backup create` → backup-bot-two's `/usr/bin/backup` raised
|
||||
`KeyError: 'RESTIC_REPOSITORY'`. Root cause: backup-bot-two's `.env.sample` ends with a *newline-less*
|
||||
comment line, and the reconcile's `set_env` did a bare `printf >> .env`, gluing
|
||||
`RESTIC_REPOSITORY=/backups/restic` onto that comment → commented out. abra `--debug` confirmed the
|
||||
backupbot env map lacked `RESTIC_REPOSITORY`, and `docker exec backupbot printenv RESTIC_REPOSITORY`
|
||||
was empty. Fix: `set_env` now ensures a trailing newline before appending (modules/backupbot.nix +
|
||||
modules/drone.nix, same latent bug). After rebuild: `.env` has a clean `RESTIC_REPOSITORY=` line, the
|
||||
backupbot container has `RESTIC_REPOSITORY=/backups/restic`, and cryptpad backup→mutate→restore
|
||||
passes. NOTE: keycloak backup (build #39) passed off an *earlier, non-corrupted* backupbot deploy;
|
||||
worth a re-verify, but the mechanism is now correct/reproducible. Triggered Drone build #46 (cryptpad)
|
||||
as the canonical recipe-ci run.
|
||||
|
||||
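Review bot: The "Real bug found+fixed" paragraph records the set_env fix but no regression check, and the failure it describes was silent until cryptpad's backup stage raised `KeyError: 'RESTIC_REPOSITORY'`. Suggest noting a post-reconcile assertion that `.env` contains an uncommented `RESTIC_REPOSITORY=` line, or that reuses the `docker exec backupbot printenv RESTIC_REPOSITORY` check from the diagnosis, so a mis-wired backup target fails the deploy rather than the first backup. The entry also names modules/backupbot.nix and modules/drone.nix as the changed files, but neither appears in this diff; referencing the commit that carries the fix would make the record traceable. The NOTE that keycloak's build #39 ran against an "earlier, non-corrupted" deploy is stated without evidence and should stay marked as unverified until the re-verify is done.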
12
STATUS.md
@ -3,12 +3,12 @@
|
||||
**Phase:** M0/M1/M2/M4/M5 PASS; M3 PASS (Adversary-verified); M6 CLAIMED (awaiting Adversary).
|
||||
Bridge→Drone→harness integration DONE (recipe-ci pipeline). M6.5 underway: keycloak full 3-stage
|
||||
GREEN through Drone (build #39). Next: enroll recipes 3–6 (remaining D10 categories), M7, M8.
|
||||
**In-flight:** M6.5 breadth — recipe #3 = **cryptpad** (stateful/no-DB category, mirrored). Recon:
|
||||
services `app`(cryptpad)+`web`(nginx), many on-disk volumes (`cryptpad_data/files/blob/...`), no DB;
|
||||
health likely on `/`. Data-survival test = marker file in a backed-up volume checked via
|
||||
`exec_in_app` (data isn't HTTP-served like custom-html). Then recipes 4–6 (multi-service+S3,
|
||||
large-volume, TLS-passthrough). Also pending: full single-`!testme`-on-a-recipe-PR E2E.
|
||||
**Last updated:** 2026-05-27 (M6.5: keycloak full 3-stage green via build #39; cryptpad next)
|
||||
**In-flight:** M6.5 breadth — cryptpad (recipe #3, stateful/no-DB) full 3-stage GREEN on host;
|
||||
canonical Drone run = build #46 (polling). Fixed a real backup bug en route (set_env glued
|
||||
RESTIC_REPOSITORY onto a comment → backupbot had no restic repo; now newline-safe). Next: recipes
|
||||
4–6 (multi-service+S3 e.g. lasuite-docs, large-volume e.g. matrix/immich, TLS-passthrough e.g.
|
||||
bluesky-pds). Pending: re-verify keycloak backup post-fix; full single-`!testme`-on-a-recipe-PR E2E.
|
||||
**Last updated:** 2026-05-27 (M6.5: cryptpad 3-stage green on host; set_env/RESTIC backup fix)
|
||||
|
||||
## Gates
|
||||
- **Gate: M0 — CLAIMED, awaiting Adversary** (2026-05-26). Evidence: flake rebuilds cc-ci from repo
|
||||
|
||||
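Review bot: The **Phase:** paragraph at the top of this hunk is left unchanged and still reads "Next: enroll recipes 3–6 (remaining D10 categories)", while the updated **In-flight:** paragraph says recipe #3 is green on host and the next work is recipes 4–6. Suggest updating the Phase line in the same commit so the two summaries agree, and stating there that cryptpad's result is host-only until Drone build #46 (shown as "polling") completes.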