review(1b): RL3 D8+RL5 byte-identical cold rebuild PASS — fresh recursive clone on cc-ci → nixos-rebuild build git+file://...?submodules=1#cc-ci → toplevel 8i3jcad9==running (build==running). Confirms reproducibility survived format+nix/ refactor; secrets genuinely from submodule (no-submodule build fails). RL3 remaining: live !testme e2e + D6 leak test + D5/D9/D10 refresh
All checks were successful
continuous-integration/drone Build is passing
17
REVIEW-1b.md
@ -150,10 +150,17 @@ triaged (old_app copy-paste → IDEAS; generated-app-secret redaction → RL3/D6
`8i3jcad9mrr01558lqckpi26nxn2ra3m-nixos-system-…50ab793` (matches claim); `systemctl is-system-running`
→ **running**; 5 infra stacks up (traefik[2 svc]/drone/ccci-bridge/ccci-dashboard/backups), no leftover
test app (idle). [Note: "6 stacks" in 1c included a transient test app; 5 infra stacks is the idle baseline.]
- **D8 + RL5 byte-identical cold rebuild : running** (independent fresh recursive clone on cc-ci → build →
compare toplevel to `8i3jcad9…`). Result logged next.
- **Still owed for RL3 PASS:** byte-identical rebuild result · live `!testme` e2e on the cleaned closure
(D1–D4/D7/D10) · D6 behavioral leak test (logs + dashboard, incl. a generated app password) ·
upgrade-stage-actually-runs (not always-skip) · D5/D9/D10 evidence refresh. Pacing across wakes.
- **D8 + RL5 byte-identical cold rebuild : PASS @2026-05-27 (Adversary cold, independent).** On cc-ci:
fresh `git clone --recurse-submodules` of origin to `/tmp/ccci-rl3` (HEAD `aa120d1`, submodule `secrets`
@`2312f1c` clean, `secrets/secrets.yaml` present) → `nixos-rebuild build --flake
"git+file:///tmp/ccci-rl3?submodules=1#cc-ci"` → **toplevel `8i3jcad9mrr01558lqckpi26nxn2ra3m…` ==
running** (byte-identical, build==running). Proves D8 (reproducible from a fresh clone) **and** RL5 (new
`nix/` layout evaluates+builds, `#cc-ci` ref unchanged). Sanity: a build *without* `?submodules=1` fails
`secrets/secrets.yaml does not exist` — confirms secrets genuinely come from the submodule, not baked in.
Token used via transient `-c http.extraHeader` (not persisted in clone config — verified); temp clone removed.
- **Still owed for RL3 PASS:** live `!testme` e2e on the cleaned closure (D1–D4/D7) incl. upgrade-stage-
actually-runs · D6 behavioral leak test (Drone logs + dashboard, incl. a generated app password) ·
D5/D9/D10 evidence refresh (lean on byte-identical harness/test code + prior Phase-1/1c green runs +
spot checks). Pacing across wakes.
## Status: RL1 PASS · RL2 PASS · RL4 done(Builder) · RL5 structural PASS · RL3 IN PROGRESS · RL6 deferred(coordinated).
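Review bot: the new PASS bullet ("toplevel `8i3jcad9mrr01558lqckpi26nxn2ra3m…` == running", "byte-identical, build==running") claims more than `nixos-rebuild build` on cc-ci can show. Nix store paths are input-addressed, and that toplevel path already exists in cc-ci's store because it is the running system, so the command only has to evaluate the fresh clone to the same derivation and then finds the output already present; nothing is rebuilt and no output bytes are compared. That is a valid evaluation-level result for D8 and RL5 (same inputs from a fresh recursive clone, same derivation, `#cc-ci` ref unchanged under the new `nix/` layout), but it is not evidence that the build itself is reproducible. To support "byte-identical", rerun the toplevel with `nix build --rebuild` (or `nix-store --realise --check`), which rebuilds and compares against the existing store path, or build in a store that does not already contain it, and log that comparison; otherwise reword the bullet to "same toplevel derivation/store path (evaluation-reproducible)". The negative check (build without `?submodules=1` fails with `secrets/secrets.yaml does not exist`) and the non-persisted `-c http.extraHeader` verification are sound as written and should stay.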