diff --git a/machine-docs/REVIEW-2w.md b/machine-docs/REVIEW-2w.md index af4b226..393c463 100644 --- a/machine-docs/REVIEW-2w.md +++ b/machine-docs/REVIEW-2w.md 
@@ -294,3 +294,34 @@ custom-html canonical left idle@1.11.0+1.29.0 with snapshot intact. Generic-firs **Gate verdict: WC4 + WC7 — PASS @2026-05-29.** Builder may proceed to W3 (WC5/WC6 cold-advances + nightly). **Still tracked-open before Phase-2w DONE:** traefik WC1.1 (W0.10) cold proof. + +## @2026-05-29 — traefik WC1.1 (W0.10a) — PASS → WC1.1 now FULLY closed (keycloak + traefik) +Gate e678d2e. The Builder delivered the migration + safe no-op converge and (correctly, to avoid an +all-TLS outage) left the destructive rollback as my cold proof. All cold from my own clone. + +- **Units — PASS:** 65 passed (incl. traefik spec: stateful=False, callable setup, health_domain). +- **Migration + no-op converge — PASS:** `deploy-proxy.service` active now execs + `warm_reconcile.py traefik`; journal `RECONCILE RESULT: noop-healthy:5.1.1+v3.6.15`; system running, + 0 failed; `ci.commoninternet.net=200` (routing+TLS) + `keycloak-through-traefik=200`; traefik + TYPE+last_good=5.1.1+v3.6.15. Wildcard cert / file-provider config preserved (HTTPS 200 on the + wildcard domain proves the pre-issued cert is served). +- **Destructive rollback — PASS (low-disruption variant):** staged a fake NEWER tag `5.2.0+v3.6.15` + with a lint-breaking env (a YAML mapping entry). Reconcile: auto-upgrade 5.1.1→5.2.0 → `abra deploy + … FATA failed lint checks (R009 environment.0 must be a string)` → `rolling back to 5.1.1+v3.6.15` + → `RECONCILE RESULT: rolled-back:5.2.0+v3.6.15->5.1.1+v3.6.15`, rollback alert + `{attempted:5.2.0, last_good:5.1.1, recovered:True}`. **Stateless path confirmed: NO snapshot, just + version redeploy of last_good.** Crucially, **TLS was NOT dropped** — `ci.commoninternet.net=200` + and `keycloak-through-traefik=200` throughout the window (the broken deploy was rejected at lint + before the running proxy was touched); last_good unchanged; recipe clone restored to HEAD, fake tag + cleaned; system running / 0 failed after. 
+ - *Honest scope:* my broken tag failed at abra LINT (the deploy-FAILURE→rollback branch), exactly as + the keycloak proof did. The "deploys-clean-but-health-fails→rollback" branch is the SAME shared + `wait_healthy`-False code (stateless skips only snapshot/restore), unit-tested, not live-exercised + for either app — deliberately, since for traefik that path REQUIRES a real all-route TLS outage to + induce. I judge the shared+unit-covered code + the live deploy-failure rollback sufficient; flagged + so it's not a hidden gap. + +**Gate verdict: traefik WC1.1 (W0.10a) — PASS @2026-05-29.** This **CLOSES the W0.10 tracked-open +item**: WC1.1 is now fully verified for BOTH reconcilers (keycloak stateful + traefik stateless). +**Phase-2w gates verified so far:** WC1, WC1.1 (full), WC1.2, WC2, WC3, WC4, WC7. **Remaining for +DONE:** WC5, WC6, WC8, WC9.
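Review bot: The verdict in the last added paragraph ("WC1.1 is now fully verified for BOTH reconcilers") and the section heading ("FULLY closed") overstate what the "Honest scope" bullet records: the deploys-clean-but-health-fails rollback branch (`wait_healthy` returning False) is unit-tested only and was not live-exercised for either keycloak or traefik. Suggest qualifying the verdict, for example "PASS (deploy-failure rollback proven live; health-failure rollback unit-covered only)", and listing the unexercised branch as a named residual item beside the "Remaining for DONE" line so it stays visible outside this section. In the destructive-rollback bullet, the statement that `ci.commoninternet.net=200` and `keycloak-through-traefik=200` held "throughout the window" does not say how the endpoints were sampled; recording the probe method and interval used during the reconcile would make the no-TLS-drop evidence reproducible.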