From f85e54b155dab5da317f18682ea11eabbcde4b9b Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Mon, 15 Jun 2026 20:52:56 +0000 Subject: [PATCH] =?UTF-8?q?review(gtea):=20M2=20pre-verify=20=E2=80=94=20t?= =?UTF-8?q?wo=20critical=20blockers=20filed=20@2026-06-15T20:50Z?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Run 674 (main): upgrade FAIL ("not intended PR-head"); run 676 (PR#1 LFS): test_lfs_roundtrip fails at git-push batch endpoint (LFS not enabled in deployed container). Builder must fix before M2. --- machine-docs/BACKLOG-gtea.md | 51 +++++++++++++++++++++++++++++++++++ machine-docs/REVIEW-gtea.md | 52 ++++++++++++++++++++++++++++++++++++ 2 files changed, 103 insertions(+) diff --git a/machine-docs/BACKLOG-gtea.md b/machine-docs/BACKLOG-gtea.md index 92fa006..c215ec1 100644 --- a/machine-docs/BACKLOG-gtea.md +++ b/machine-docs/BACKLOG-gtea.md 
@@ -25,6 +25,57 @@ ## Adversary findings (Adversary-owned — only the Adversary writes this section) +### [critical — M2 blocker] LFS test fails in run 676 @2026-06-15T20:36Z + +Drone build 676 (RECIPE=gitea, PR=1, REF=357926f2): all lifecycle stages PASS but +custom FAIL — `test_lfs_roundtrip` fails at `git push` with: +``` +batch response: Repository or object not found: +https://ci_admin:@gite-e1cb78.ci.commoninternet.net/ci_admin/ci-lfs-test.git/info/lfs/objects/batch +``` +Level=3 (install+upgrade+backup_restore pass, functional FAIL). + +Diagnosis: gitea ran WITHOUT LFS enabled at server level (`LFS_START_SERVER = false` in app.ini). +`_lfs_available()` returned True (compose.lfs.yml was in the per-run ABRA_DIR at test time — +recipe reflog confirms checkout to 357926f2 at 20:35:58, 38s before the test at 20:36:36). + +Root cause under investigation: EXTRA_ENV sets COMPOSE_FILE to include compose.lfs.yml when +`_lfs_enabled()` is True. But the upgrade tier's abra base-deploy internally checks out +`3.5.2+1.24.2-rootless` tag in the recipe dir (reflog: 20:35:37) removing compose.lfs.yml, then +harness re-checkouts 357926f2 at 20:35:58. Depending on WHEN the install deploy runs relative to +these checkouts, COMPOSE_FILE and/or SECRET_LFS_JWT_SECRET_VERSION may not have been correctly +resolved. + +Most likely cause: compose.lfs.yml was NOT included in the actual `docker stack deploy` command +(either because EXTRA_ENV was evaluated before compose.lfs.yml existed, or because the lfs_jwt_secret +Docker secret was not generated since SECRET_LFS_JWT_SECRET_VERSION=v1 only exists in the EXTRA_ENV +dict, not in the .env FILE that `abra secret generate` reads). + +Builder must: reproduce locally with RECIPE=gitea, PR=1, REF=357926f2; verify compose.lfs.yml is +in COMPOSE_FILE at deploy time; verify lfs_jwt_secret Docker secret is generated; verify +LFS_START_SERVER=true and LFS_JWT_SECRET= appear in /etc/gitea/app.ini inside the container. 
+ +### [critical — M2 blocker] Upgrade fails on main-branch CI run (run 674) @2026-06-15T20:36Z + +Drone build 674 (RECIPE=gitea, PR=0, REF=main): upgrade FAIL with: +"upgrade deployed chaos commit 'e6a1cc79', not the intended PR-head 'main' — the re-checkout +to the code under test failed, so the upgrade is not exercised." +Level=1 (install pass only). + +This is the M2 main-branch CI run that must be level=5. With upgrade failing, M2 cannot pass. +Builder must investigate why REF=main doesn't work correctly for the upgrade tier. + +### [non-blocking — concurrency] Run 675 install failure @2026-06-15T20:36Z + +4 !testme comments were posted concurrently → 4 Drone builds triggered simultaneously (674, 675, +676, +). Builds 674 and 675 both have PR=0/REF=main → same app domain → lock contention. +Run 675 started while 674 had the lock → found stale state → ci_admin creds cached but user +gone (409 create path) → 401 on API calls → level=0. + +Not a code bug. Builder should post ONE !testme at a time to avoid concurrency collisions. +The concurrent lock mechanism should prevent partial-state damage, but the stale cred cache +(`/tmp/ccci-gitea-admin-.json`) persists and causes 401s. + ### [non-blocking] Stale screenshot in manual runs @2026-06-15T20:32Z `/var/lib/cc-ci-runs/manual/screenshot.png` mtime = June 13, not from today's M1 run. diff --git a/machine-docs/REVIEW-gtea.md b/machine-docs/REVIEW-gtea.md index c838fe3..c91800f 100644 --- a/machine-docs/REVIEW-gtea.md +++ b/machine-docs/REVIEW-gtea.md 
@@ -121,3 +121,55 @@ All M1 DoD satisfied: - No secrets in run artifacts: no_secret_leak=true ✓ Gate M1: **ADVERSARY PASS** (commit bac3662, run_id=manual, all stages pass) + +--- + +## M2 pre-verification @2026-06-15T20:50Z + +Builder triggered !testme on PR #1 (gitea recipe mirror, git.autonomic.zone) and on main branch. +Bridge is live with recipe-maintainers/gitea in POLL_REPOS. 3 CI runs completed: + +### Run 674 — main branch (RECIPE=gitea, PR=0, REF=main) + +level=1. install: PASS. upgrade: **FAIL**. +Error: "upgrade deployed chaos commit 'e6a1cc79', not the intended PR-head 'main' — the re-checkout +to the code under test failed." +backup/restore/custom: PASS (ran on the existing install despite upgrade failure). +LFS test: correctly SKIP (REF=main, compose.lfs.yml absent from main branch). ✓ + +**M2 main-branch DoD NOT met.** Upgrade tier must PASS for level=5. + +### Run 675 — main branch concurrent (PR=0, REF=main) + +level=0. All stages FAIL. +Root cause: concurrent collision with run 674 (same domain from same recipe+pr+ref hash). +ci_admin creds cached at /tmp/ccci-gitea-admin-.json from run 674 → 401 on API calls +because gitea was in a stale state. Non-blocking bug (triggered by multiple !testme comments). + +### Run 676 — PR #1 (RECIPE=gitea, PR=1, REF=357926f2) + +level=3. install/upgrade/backup/restore: PASS ✓. custom: **FAIL**. +LFS test failure: `git push` batch endpoint returns "Repository or object not found". +`_lfs_available()` returned True (compose.lfs.yml present in recipe dir at test time — confirmed +via recipe reflog: checkout to 357926f2 at 20:35:58, test ran at 20:36:36). +But gitea LFS server was not accepting LFS batch requests → `LFS_START_SERVER = false` in app.ini. 
+ +PR #1 code verified correct: +- compose.lfs.yml: GITEA_LFS_START_SERVER=true + lfs_jwt_secret external secret ✓ +- app.ini.tmpl: LFS_START_SERVER rendered from env, LFS_JWT_SECRET conditional ✓ +- abra.sh: APP_INI_VERSION v22 (triggers re-render on deploy) ✓ + +Likely harness-level bug: either (a) lfs_jwt_secret not generated (SECRET_LFS_JWT_SECRET_VERSION=v1 +only in EXTRA_ENV dict, not in disk .env file read by `abra secret generate`), or (b) compose.lfs.yml +not included in COMPOSE_FILE at actual docker deploy time due to abra base-deploy checkout timing +(abra checked out 3.5.2+1.24.2-rootless tag at 20:35:37 removing compose.lfs.yml, harness +re-checked 357926f2 at 20:35:58 restoring it, but EXTRA_ENV may have been evaluated before that). + +Filed as critical M2 blockers in BACKLOG-gtea.md. Builder must fix before M2 can be claimed. + +## M2 VERDICT: PENDING — two critical blockers + +1. LFS test fails in run 676 (PR #1 custom tier fail, level=3 not level=5) +2. Upgrade fails on main branch run 674 (level=1, not level=5) + +Gate M2: **NOT CLAIMED** — Builder must fix and re-trigger CI
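Review bot: in the BACKLOG hunk (`@@ -25,6 +25,57 @@`) the first entry states `LFS_START_SERVER = false` in app.ini as the diagnosis, yet the Builder checklist at the end of the same entry still asks to verify that `LFS_START_SERVER=true` appears in `/etc/gitea/app.ini` inside the container; say whether the `false` value was read from the running container or inferred from the batch 404, since the entry itself lists a missing `lfs_jwt_secret` as an alternative cause for the same symptom. The checkout timeline also mixes tiers: the `3.5.2+1.24.2-rootless` checkout at 20:35:37 belongs to the upgrade tier's base-deploy, so the container tested at 20:36:36 comes from the upgrade deploy after the 20:35:58 re-checkout, not from the install deploy named in "Depending on WHEN the install deploy runs"; name the deploy that produced the tested container and check COMPOSE_FILE and the generated secrets for that one. Two smaller points: the quoted batch error echoes the remote URL with embedded credentials (`https://ci_admin:@...`), so if the harness ever passes a token in that URL it will land in run artifacts and defeat the `no_secret_leak` check, which deserves a line in the Builder checklist; and the run 675 entry calls the stale `/tmp/ccci-gitea-admin-.json` cache "not a code bug" while describing it persisting across runs and producing 401s, which is a harness defect (cache not scoped to the run, or not invalidated on the 409/401 path) and should be filed as one rather than only as advice to post one `!testme` at a time.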
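Review bot: in the REVIEW hunk (`@@ -121,3 +121,55 @@`) the run 674 section reports level=1 and then says backup/restore/custom PASS on the existing install; add a sentence that the level counts consecutive passing tiers from install and stops at the first FAIL, otherwise the two statements read as a contradiction with the BACKLOG entry's "Level=1 (install pass only)". The run 675 root cause also differs between the two files: here it is "401 ... because gitea was in a stale state", in BACKLOG it is "user gone (409 create path) → 401"; settle on one description. For run 676 the section closes with two untested alternatives, (a) secret not generated and (b) compose.lfs.yml absent from COMPOSE_FILE, but the "PR #1 code verified correct" list above already confirms `lfs_jwt_secret` is declared as an external secret in compose.lfs.yml, so the discriminating check is on the deployed stack, not the recipe: list the stack's Docker secrets and inspect the gitea service's environment (COMPOSE_FILE, GITEA_LFS_START_SERVER) from the failed run and record the result here, so the PENDING verdict rests on an observation rather than on the checkout-timing inference.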