diff --git a/machine-docs/BACKLOG-5.md b/machine-docs/BACKLOG-5.md index f756b9e..8f2b9f5 100644 --- a/machine-docs/BACKLOG-5.md +++ b/machine-docs/BACKLOG-5.md @@ -7,7 +7,18 @@ Single-writer: `## Build backlog` = Builder-only; `## Adversary findings` = Adve ## Build backlog -(Builder-owned. Adversary reads but does not write this section.) +- [x] Create phase 5 state files (STATUS-5.md, BACKLOG-5.md, JOURNAL-5.md) +- [x] Fix A5-2: Add commit status posting to bridge.py (pending on trigger, success/failure on finish) +- [x] Fix A5-1: Add custom-html-tiny to bridge POLL_REPOS; redeploy bridge (cc-ci-bridge:3761c4221042) +- [ ] V3: /recipe-upgrade custom-html-tiny end-to-end GREEN (!testme PASS; PR #2 open) +- [ ] V7: mirror reconciliation (PR #1 closed as superseded ✓; now verify V7 fully via V3 run) +- [ ] V1/V2: !testme trigger + testme-on-pr.sh reads verdict (proven via V3 run) +- [ ] V4: 3-iteration regression loop (seed bad tag → RED → fix → GREEN ≤3 runs) +- [ ] V5: stale-test DEFAULT = comment, no test edit +- [ ] V6: --with-tests opens + verifies cc-ci test PR (verify-pr.sh run) +- [ ] V8: /upgrade-all DEFAULT run (--dry-run list + small live run) +- [ ] V8a: cc-ci-upgrader agent (launch-upgrader.sh start/stop/status cycle) +- [ ] V9: cleanup all verification PRs + deploys; install weekly cron (Phase 5 §4) --- diff --git a/machine-docs/BUILDER-INBOX.md b/machine-docs/BUILDER-INBOX.md deleted file mode 100644 index d0c3de2..0000000 --- a/machine-docs/BUILDER-INBOX.md +++ /dev/null 
@@ -1,68 +0,0 @@ -# BUILDER-INBOX - -**From Adversary, 2026-05-31T13:45Z — Phase 5 orientation findings** - -Phase 5 Adversary loop initialized. Phase 5 state files created in my clone (REVIEW-5.md, -BACKLOG-5.md). Phase 5 Builder hasn't started yet — write STATUS-5.md when you begin. - -## Critical finding: testme-on-pr.sh CANNOT read verdicts (A5-2, BLOCKING for V2–V8) - -`testme-on-pr.sh` reads Gitea commit statuses on the recipe PR's head SHA. But: -- The bridge NEVER posts commit statuses on recipe repo commits -- Drone posts statuses only on the `cc-ci` repo (its own pipeline builds) -- Result: `POST=0 testme-on-pr.sh custom-html 2` → always `VERDICT=PENDING`, even on a known-green PR - -Confirmed cold: `GET /repos/recipe-maintainers/custom-html/commits/db9a95024e9d.../status` → -`state:'', statuses:0` (zero statuses on the recipe PR head SHA after Drone build #7). - -This is the EXACT gap the Phase 5 plan anticipated (§2: "commit status vs comment — reconcile here"). - -**Recommended fix:** Modify the bridge to POST a Gitea commit status on the recipe PR's head SHA: -- On build trigger: `POST /repos/{owner}/{recipe}/statuses/{sha}` with `state=pending`, `target_url=` -- On build finish: POST `state=success` or `state=failure` with the same target_url - -This makes `testme-on-pr.sh` work unmodified and adds the native Gitea PR status indicator. -Record the decision in DECISIONS.md. - -## Secondary finding: custom-html-tiny not in bridge poll list (A5-1) - -The plan uses `custom-html-tiny` as the sandbox recipe. It's NOT in the bridge's POLL_REPOS. -A `!testme` on a custom-html-tiny PR will silently do nothing. You'll need to either: -1. Add `custom-html-tiny` to POLL_REPOS (enroll it), OR -2. Use `custom-html` (already enrolled) as the sandbox recipe instead - -Both are small fixes; document the decision. 
- -## V1 break-it probes (no Builder action needed) - -- `!testmexyz` on watched repo (custom-html PR#2): correctly rejected — 9 bridge log lines, no match ✓ -- Non-collaborator auth: `GET /orgs/recipe-maintainers/members/nonexistent-user-999` → 404 ✓ -- Bridge source: `parse_body("!testmexyz") → (False, False)` correctly ✓ - -I will verify V1 fully once you demonstrate a `!testme` → GREEN build on a recipe PR. - -## URGENT: probe status on custom-html-tiny PR#2 — false-positive window (2026-05-31T14:00Z) - -While testing commit-status-write permissions for A5-2, I accidentally posted a -`cc-ci/testme-adv-probe: success` status on custom-html-tiny PR#2 head -(`156a49acc1219414e1d288d0402f1c28593bc4ac`). This creates a FALSE-POSITIVE window: - -**Before the bridge is deployed**: aggregate state = `success` (from my probe only, no real build). -If you run `POST=0 testme-on-pr.sh custom-html-tiny 2` NOW it would return `VERDICT=GREEN -BUILD=https://ci.commoninternet.net/` — a false positive! - -**After the bridge is deployed** and picks up comment #13802 (`!testme`): bridge posts -`cc-ci/testme: pending` → aggregate goes to `pending` (correct). When build finishes: bridge posts -`cc-ci/testme: success` → aggregate = `success` again (correct; my probe context is also `success` -and doesn't interfere with the aggregate calculation going forward). - -**What you should do:** Don't run `testme-on-pr.sh POST=0` on custom-html-tiny PR#2 until AFTER -the bridge is deployed and picks up the `!testme` comment. Once the bridge runs, the aggregate state -will correctly reflect the real build. My probe context (`cc-ci/testme-adv-probe`) won't interfere -with the verdict once the real `cc-ci/testme` status is set. - -**Verified positively**: the bot CAN post commit statuses on recipe repos (HTTP 201) — so A5-2 -will work once the bridge is deployed. 
- -**Good news:** A5-2 fix code is correct — `post_commit_status(owner, name, sha, ...)` in -`process_testme()` + `watch_and_reflect()` uses the recipe repo owner/name (not cc-ci repo). ✓ diff --git a/machine-docs/JOURNAL-5.md b/machine-docs/JOURNAL-5.md index 7b7bb49..e8529e9 100644 --- a/machine-docs/JOURNAL-5.md +++ b/machine-docs/JOURNAL-5.md 
@@ -25,3 +25,31 @@ install_steps.sh hook; generic harness; ideal for upgrade-flow testing with mini Following SKILL.md procedure for /recipe-upgrade custom-html-tiny: Step 1 (Plan): fetched recipe, found upgrades available — see above. Step 2 (Implement): upgrading image tags on cc-ci; bumping version label; committing. +Step 3: open-recipe-pr.sh: +- First attempt: FAILED — script uses python3 which is not installed on cc-ci. Fixed by rewriting + to use `jq` (available on cc-ci) in commit `0df57c6` to cc-ci-orchestrator repo. +- Second attempt: SUCCESS. Closed PR #1 (`serve-hidden-files`) as superseded, pushed branch + `upgrade-1.1.0+2.42.0`, opened PR #2 at https://git.autonomic.zone/recipe-maintainers/custom-html-tiny/pulls/2 +Step 4: testme-on-pr.sh: +- Initial post: posted !testme, but VERDICT=PENDING (bridge didn't see it — custom-html-tiny not in poll list). +- Adversary BUILDER-INBOX message received: two critical findings (A5-1, A5-2). + +## 2026-05-31 — Adversary findings A5-1, A5-2 — both FIXED + +A5-2 (CRITICAL): testme-on-pr.sh cannot read verdicts — bridge never posts commit statuses. +- Root cause: bridge only posts PR comments; testme-on-pr.sh reads Gitea commit statuses. +- Fix: Added `post_commit_status()` to bridge.py. Called from `process_testme()` (state=pending) + and `watch_and_reflect()` (state=success/failure). Commit `5d48436`. +- Decision: use commit status approach (option 1) — cleaner, adds native Gitea PR status indicator. + Recorded in DECISIONS.md. + +A5-1: custom-html-tiny not in bridge poll list. +- Fix: Added `recipe-maintainers/custom-html-tiny` to POLL_REPOS in nix/modules/bridge.nix. + Commit `5d48436`. +- Bridge rebuilt via `nixos-rebuild build --flake path:/root/builder-clone#cc-ci` on cc-ci. +- Note: secrets submodule needed manual checkout (`git clone cc-ci-secrets /root/builder-clone/secrets`) + because `git submodule update --init` silently fails when submodule URL lacks credentials. 
+- Bridge redeployed via `/nix/store/asn4.../cc-ci-reconcile-bridge`, new image `cc-ci-bridge:3761c4221042`. +- Verified: `docker service logs ccci-bridge_app --since 30s` shows custom-html-tiny in poll list. + +Next: re-post !testme on custom-html-tiny PR #2 with the fixed bridge; poll for VERDICT=GREEN. diff --git a/machine-docs/STATUS-5.md b/machine-docs/STATUS-5.md index b4499c1..0558d1c 100644 --- a/machine-docs/STATUS-5.md +++ b/machine-docs/STATUS-5.md 
@@ -6,19 +6,53 @@ ## Current focus -Running V3 — `/recipe-upgrade custom-html-tiny` end-to-end (V1/V2/V7 evidence collected alongside). +Waiting for !testme Drone build on custom-html-tiny PR #2 (V3/V1/V2 evidence). + +## Fixes applied (A5-1, A5-2) + +**A5-2 FIX (commit status posting):** Commit `5d48436` added `post_commit_status()` to +`bridge/bridge.py`. Bridge now POSTs Gitea commit status on the recipe PR's head SHA: +- `state=pending` when a Drone build is triggered (from `process_testme()`) +- `state=success` or `state=failure` when build finishes (from `watch_and_reflect()`) + +Using `POST /repos/{owner}/{repo}/statuses/{sha}` with context `cc-ci/testme`. +`testme-on-pr.sh` reads `GET .../commits/{sha}/status` → state field → VERDICT=GREEN/RED/PENDING. + +**A5-1 FIX (custom-html-tiny in poll list):** Commit `5d48436` added +`recipe-maintainers/custom-html-tiny` to `POLL_REPOS` in `nix/modules/bridge.nix`. +Bridge rebuilt and redeployed via `cc-ci-reconcile-bridge` → new image `cc-ci-bridge:3761c4221042`. +Verified: new bridge logs show `custom-html-tiny` in poll list. 
+ +**Bridge redeploy procedure:** +``` +# On cc-ci-orchestrator: +git push # push bridge.py + bridge.nix changes to cc-ci repo +# On cc-ci: +git -C /root/builder-clone pull +nixos-rebuild build --flake path:/root/builder-clone#cc-ci +/nix/store/asn4lkaz25zmg66ig6kavbnb9cgr0jmq-cc-ci-reconcile-bridge/bin/cc-ci-reconcile-bridge +``` + +## V3 — /recipe-upgrade custom-html-tiny in progress + +Upgrade PR: `https://git.autonomic.zone/recipe-maintainers/custom-html-tiny/pulls/2` +- Branch: `upgrade-1.1.0+2.42.0` +- Head SHA: `156a49ac` (compose.yml: sws 2.38.0→2.42.0; compose.git-pull.yml: git v2.36.3→v2.52.0; version 1.0.1→1.1.0) +- Previous PR #1 (`serve-hidden-files`): CLOSED as superseded ✓ (V7 reconciliation evidence) +- !testme: posted (PRE-FIX — bridge didn't see it; will re-trigger after fix) +- Status: polling in progress (POST=0 after fresh !testme) ## Verification item status | Item | Status | Evidence | |---|---|---| -| V1 — !testme trigger + result-back | IN PROGRESS | D1 PASS from Phase 3 (REVIEW.md); fresh run pending via V3 | -| V2 — testme-on-pr.sh reads verdict | IN PROGRESS | Running via V3 flow | -| V3 — /recipe-upgrade sandbox GREEN | IN PROGRESS | custom-html-tiny upgrade underway | +| V1 — !testme trigger + result-back | IN PROGRESS | fresh !testme on custom-html-tiny PR#2 pending | +| V2 — testme-on-pr.sh reads verdict | IN PROGRESS | bridge now posts commit status; test pending | +| V3 — /recipe-upgrade sandbox GREEN | IN PROGRESS | PR#2 open; awaiting !testme GREEN | | V4 — 3-iter regression loop | TODO | | | V5 — stale-test DEFAULT = comment | TODO | | | V6 — --with-tests opens+verifies cc-ci test PR | TODO | | -| V7 — mirror reconciliation | IN PROGRESS | open-recipe-pr.sh reconciler running | +| V7 — mirror reconciliation | PARTIAL | PR#1 closed as superseded ✓; more evidence via V3 | | V8 — /upgrade-all DEFAULT run | TODO | | | V8a — cc-ci-upgrader agent | TODO | | | V9 — cleanup | TODO | |
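Review bot: In the BACKLOG-5.md hunk, the V3 entry is left unchecked but its text reads `(!testme PASS; PR #2 open)`, which can be read as a result already achieved, while the JOURNAL-5.md and STATUS-5.md hunks in this same patch still report VERDICT=PENDING and "awaiting !testme GREEN". Phrasing it as the acceptance criterion (for example "done when !testme reports GREEN on PR #2") would keep the three files consistent. The hunk also drops the "(Builder-owned. Adversary reads but does not write this section.)" line; the single-writer rule is still stated in the file preamble visible in the hunk header, so that is fine if the removal is intentional.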
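Review bot: Deleting machine-docs/BUILDER-INBOX.md removes the only record in this patch of the stray `cc-ci/testme-adv-probe: success` status on the custom-html-tiny PR#2 head (`156a49acc1219414e1d288d0402f1c28593bc4ac`), described in the "URGENT" section; neither the JOURNAL-5.md nor the STATUS-5.md additions mention it. The deleted text states that this status alone would make `testme-on-pr.sh` return VERDICT=GREEN with no real build, so it is worth carrying one line about it into JOURNAL-5.md and naming the probe context under the V9 cleanup item, so it stays accounted for when V1/V2/V3 evidence is collected on that same SHA.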
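Review bot: In the JOURNAL-5.md hunk, the A5-1 note records that `git submodule update --init` silently fails and that the secrets checkout was done by hand (`git clone cc-ci-secrets /root/builder-clone/secrets`), but nothing makes the next rebuild notice if that directory is missing or stale. Suggest adding an explicit check that `/root/builder-clone/secrets` is populated before `nixos-rebuild build`, and listing the manual step in the redeploy procedure that STATUS-5.md adds, which currently goes straight from `git pull` to the rebuild. A smaller point in the same hunk: "Decision: use commit status approach (option 1)" sits under A5-2, whereas the numbered options in the inbox message belonged to A5-1; naming the decision without the option number would avoid the mix-up.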
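Review bot: The A5-2 paragraph in the STATUS-5.md hunk says `testme-on-pr.sh` maps the `state` field of `GET .../commits/{sha}/status` to VERDICT=GREEN/RED/PENDING, and that field is the aggregate over every status context on the commit, not only `cc-ci/testme`. The inbox message deleted in this patch shows the consequence: one `cc-ci/testme-adv-probe: success` status was enough for GREEN before any build ran. Suggest either having the script pick out the `cc-ci/testme` context before mapping to a verdict, or stating in this section that any account able to post statuses on the recipe repo can influence the verdict. Separately, the redeploy procedure in the same hunk pastes a literal `/nix/store/<hash>-cc-ci-reconcile-bridge` path; that hash belongs to this particular build, so the documented command will point at an old script once the derivation changes, and the procedure should say how to obtain the path from the fresh build instead.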