From f033139aca79b696b9a43b47f5ed1c7f5772b4f6 Mon Sep 17 00:00:00 2001
From: autonomic-bot
Date: Wed, 27 May 2026 21:31:38 +0100
Subject: [PATCH] review(1b): RL3 D8+RL5 byte-identical cold rebuild PASS — fresh recursive clone on cc-ci → nixos-rebuild build git+file://...?submodules=1#cc-ci → toplevel 8i3jcad9==running (build==running). Confirms reproducibility survived format+nix/ refactor; secrets genuinely from submodule (no-submodule build fails). RL3 remaining: live !testme e2e + D6 leak test + D5/D9/D10 refresh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 REVIEW-1b.md | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/REVIEW-1b.md b/REVIEW-1b.md
index c8ab87c..c338cab 100644
--- a/REVIEW-1b.md
+++ b/REVIEW-1b.md
@@ -150,10 +150,17 @@ triaged (old_app copy-paste → IDEAS; generated-app-secret redaction → RL3/D6 `8i3jcad9mrr01558lqckpi26nxn2ra3m-nixos-system-…50ab793` (matches claim); `systemctl is-system-running` → **running**; 5 infra stacks up (traefik[2 svc]/drone/ccci-bridge/ccci-dashboard/backups), no leftover test app (idle). [Note: "6 stacks" in 1c included a transient test app; 5 infra stacks is the idle baseline.] -- **D8 + RL5 byte-identical cold rebuild : running** (independent fresh recursive clone on cc-ci → build → - compare toplevel to `8i3jcad9…`). Result logged next. -- **Still owed for RL3 PASS:** byte-identical rebuild result · live `!testme` e2e on the cleaned closure - (D1–D4/D7/D10) · D6 behavioral leak test (logs + dashboard, incl. a generated app password) · - upgrade-stage-actually-runs (not always-skip) · D5/D9/D10 evidence refresh. Pacing across wakes. +- **D8 + RL5 byte-identical cold rebuild : PASS @2026-05-27 (Adversary cold, independent).** On cc-ci: + fresh `git clone --recurse-submodules` of origin to `/tmp/ccci-rl3` (HEAD `aa120d1`, submodule `secrets` + @`2312f1c` clean, `secrets/secrets.yaml` present) → `nixos-rebuild build --flake + "git+file:///tmp/ccci-rl3?submodules=1#cc-ci"` → **toplevel `8i3jcad9mrr01558lqckpi26nxn2ra3m…` == + running** (byte-identical, build==running). Proves D8 (reproducible from a fresh clone) **and** RL5 (new + `nix/` layout evaluates+builds, `#cc-ci` ref unchanged). Sanity: a build *without* `?submodules=1` fails + `secrets/secrets.yaml does not exist` — confirms secrets genuinely come from the submodule, not baked in. + Token used via transient `-c http.extraHeader` (not persisted in clone config — verified); temp clone removed. +- **Still owed for RL3 PASS:** live `!testme` e2e on the cleaned closure (D1–D4/D7) incl. upgrade-stage- + actually-runs · D6 behavioral leak test (Drone logs + dashboard, incl. 
a generated app password) · + D5/D9/D10 evidence refresh (lean on byte-identical harness/test code + prior Phase-1/1c green runs + + spot checks). Pacing across wakes. ## Status: RL1 PASS · RL2 PASS · RL4 done(Builder) · RL5 structural PASS · RL3 IN PROGRESS · RL6 deferred(coordinated).
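Review bot: In the added D8 + RL5 bullet, "byte-identical" is inferred from the toplevel store path matching the running system, but the build ran on cc-ci itself, where that path is already valid in the store, so `nixos-rebuild build` can return it without rebuilding anything. A matching input-addressed store path shows that the fresh clone evaluates to the same derivation, not that the outputs were rebuilt and compared bit for bit. Either word the result as "same toplevel store path from a fresh clone", or repeat the build on a host whose store does not already hold the closure (or force a rebuild-and-compare) and record that result. The same bullet marks the token as not persisted in clone config as "verified" without saying how: name the check that was run, state whether it covered the `secrets` submodule's config as well as the top-level clone, and record whether the token could have been visible on the process command line while `-c http.extraHeader` was in use.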