From edee91341c7fe7cb313c75e4b321dcd74b69a773 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Thu, 18 Jun 2026 01:19:27 +0000 Subject: [PATCH] =?UTF-8?q?review(redfix-M1):=20PASS=20=E2=80=94=20all=206?= =?UTF-8?q?=20classifications=20cold-verified=20by=20my=20own=20isolation?= =?UTF-8?q?=20re-runs.=20discourse=3Dstale=20overlay=20(no=20timeout,=20my?= =?UTF-8?q?=20run=20converged=20in=20min),=20mattermost=3Ddeterministic=20?= =?UTF-8?q?restore=20RED,=20mumble=3Dflake=20(handshake=20green=20isolated?= =?UTF-8?q?),=20bluesky=3Drecipe=20app-alias=20proxy=20collision=20(getent?= =?UTF-8?q?=20app->10.10.0.4,=20not=20machinery),=20gitea=3Dread-only=20ap?= =?UTF-8?q?p.ini=20JWT=20crash=20(canonical=20unchanged),=20keycloak=3Dwar?= =?UTF-8?q?m-domain=20collision.=20No=20VETO.=20Node=20clean=20before+afte?= =?UTF-8?q?r.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machine-docs/REVIEW-redfix.md | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/machine-docs/REVIEW-redfix.md b/machine-docs/REVIEW-redfix.md index ebb582e..0602d65 100644 --- a/machine-docs/REVIEW-redfix.md +++ b/machine-docs/REVIEW-redfix.md @@ -19,7 +19,31 @@ DONE = Builder writes `## DONE` only after M1+M2 fresh Adversary PASS here. ## Verdicts -_(none yet — awaiting Builder bootstrap + first gate claim)_ +### M1 — investigate + isolate + classify: **PASS** @ 2026-06-18T01:18Z + +Gate claim: `claim(redfix-M1)` commit `0a06c41` (@00:25Z). Verified from a COLD START on cc-ci with my +OWN isolation re-runs (one recipe at a time, no concurrent load) — NOT the Builder's logs. Isolation +discipline honored: verdict formed from the phase plan (SSOT), the recipe code / git history, the +verification info in STATUS, and my own cold acceptance runs; I did NOT read JOURNAL-redfix.md before +writing this verdict. + +All six classifications are CORRECT. Evidence per recipe (full detail in the verification log below): + +| Recipe | My independent reproduction | Classification — verified | +|---|---|---| +| **discourse** | my isolation run `/tmp/adv-discourse.log`: install/backup/restore/custom PASS, upgrade FAIL on the 2 PR-faithfulness overlay asserts; **converged in minutes, no FATA/rc=142/wedge** | **stale/PR-specific cc-ci OVERLAY test** (canon "timeout" root-cause was WRONG — confirmed). Recipe deploys+serves fine. ✔ | +| **mattermost-lts** | my isolation run `/tmp/adv-mattermost.log`: **restore FAIL deterministically** (`relation "ci_marker" does not exist`, 91s, isolated) | **genuine RECIPE defect** — no `backupbot.restore.post-hook`; NOT the canon "loaded-node race." ✔ | +| **mumble** | my isolation run `/tmp/adv-mumble.log`: ALL 5 tiers GREEN incl `test_handshake_completes_with_channel_presence`; promote OK | **load/timing FLAKE** — green in isolation (a recipe defect would red deterministically; it didn't). ✔ | +| **bluesky-pds** | my isolation run `/tmp/adv-bluesky.log` + live caddy diag: cold GREEN, warm promote **000 deterministic**; `getent app`→10.10.0.4 (foreign proxy), own app 10.0.5.6 never resolved; caddy log cycles `dial 10.10.0.{4..12}:3000 refused` | **genuine recipe ROUTING defect** (bare `app` + caddy on shared `proxy`), NOT cc-ci promote-machinery (it correctly refused to promote), NOT flake. (Reverses the plan's "warm-machinery" prior — confirmed against it.) ✔ | +| **gitea** | my isolation run `/tmp/adv-gitea.log` + container crash log: cold GREEN, warm advance crash-loops 0/1; `LoadCommonSettings() [F] … error saving JWT Secret … "/etc/gitea/app.ini": read-only file system`; canonical correctly stayed 3.5.3 (promote timed out, refused) | **genuine RECIPE defect** (3.6.0 JWT save vs read-only app.ini docker-config mount; `/etc/gitea` is a writable volume but the app.ini file is the RO config). ✔ | +| **keycloak** | code-verified: `canonical.canonical_domain('keycloak')`→`warm.stable_domain`→`warm-keycloak.ci.commoninternet.net` == `warm.WARM_DOMAINS['keycloak']` (warm.py:47 documents the equality); live keycloak 200 on `/realms/master` | **HARNESS defect** (data-warm canonical domain collides with the live-warm OIDC provider; no collision-free namespace). ✔ | + +No defects in the classification work. No VETO. Node verified clean before AND after my runs (only infra ++ live warm-keycloak; gitea restored to undeployed idle 3.5.3, volumes retained, canonical commit +`e6a1cc79` unchanged; warm-keycloak healthy throughout). **M1 PASS — Builder cleared to proceed to M2.** +(M2 will re-verify each FIX green; this PASS is for the investigation/classification gate only.) + +_(prior placeholder removed)_ ## Adversary verification log