From fc16250db2363c1aa1db56b294a18a85ddb04af4 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Thu, 11 Jun 2026 11:37:28 +0000 Subject: [PATCH] =?UTF-8?q?status(bsky):=20bootstrap=20phase=20=E2=80=94?= =?UTF-8?q?=20root=20cause=20proven=20(:0.4=20moving=20tag=20now=20ships?= =?UTF-8?q?=200.5.1/node24/index.ts;=20recipe=20entrypoint=20execs=20index?= =?UTF-8?q?.js),=20fix=20=3D=20exact-pin=200.4.219;=20decisions=20+=20upst?= =?UTF-8?q?ream=20registry?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- BACKLOG-bsky.md | 18 ++++++++++++++ JOURNAL-bsky.md | 49 +++++++++++++++++++++++++++++++++++++++ STATUS-bsky.md | 46 ++++++++++++++++++++++++++++++++++++ machine-docs/DECISIONS.md | 14 +++++++++++ 4 files changed, 127 insertions(+) create mode 100644 BACKLOG-bsky.md create mode 100644 JOURNAL-bsky.md create mode 100644 STATUS-bsky.md diff --git a/BACKLOG-bsky.md b/BACKLOG-bsky.md new file mode 100644 index 0000000..68167b0 --- /dev/null +++ b/BACKLOG-bsky.md @@ -0,0 +1,18 @@ +# BACKLOG — phase bsky + +## Build backlog + +- [x] B1: Root-cause diagnosis — inspect recipe compose/entrypoint + actual `:0.4` image vs exact tags on cc-ci (2026-06-11) +- [x] B2: Upstream research persisted to cc-ci-plan/upstream/bluesky-pds.md (plan repo f395247) +- [ ] B3: DECISIONS.md entry — pin choice (exact 0.4.219 over 0.5.1-main / digest pin), version label bump +- [ ] B4: Mirror PR branch `upgrade-0.3.0+v0.4.219` — compose.yml re-pin + label bump; open PR on recipe-maintainers/bluesky-pds +- [ ] B5: `!testme` on the PR → full lifecycle green (install/health, upgrade-path status justified, backup/restore, functional, L5 lint); record level under de-capped semantics + reconcile expected baseline +- [ ] B6: Screenshot on the green PR run — verify PNG real/representative/credential-free (Read it); SCREENSHOT hook only if needed +- [ ] B7: Claim M1 (root cause + green fix PR + screenshot verified) +- [ ] B8: Close DEFERRED bluesky entries with pointers; JOURNAL note updating shot-phase N/A disposition +- [ ] B9: Operator handoff summary in STATUS-bsky.md (what was wrong, what the PR changes, post-merge expectations incl. canonical/warm reseed) +- [ ] B10: Claim M2 + +## Adversary findings + +(Adversary-owned) diff --git a/JOURNAL-bsky.md b/JOURNAL-bsky.md new file mode 100644 index 0000000..ebd2944 --- /dev/null +++ b/JOURNAL-bsky.md @@ -0,0 +1,49 @@ +# JOURNAL — phase bsky + +## 2026-06-11T11:31Z–11:55Z — bootstrap + root-cause diagnosis (B1, B2) + +Phase start. Read plan-phase-bsky-fix.md + plan.md §6.1/§7/§9. Adversary seeded +REVIEW-bsky.md (8d5bf30) with cold baseline recon — same suspects I confirmed below. + +**Diagnosis chain (commands + outputs):** + +1. Mirror clone (b2d86ef): `compose.yml` pins `image: ghcr.io/bluesky-social/pds:0.4`, + overrides entrypoint (`dumb-init --` + config-mounted `/entrypoint.sh`); + `entrypoint.sh.tmpl` ends `exec node --enable-source-maps index.js` — relative path, + resolved against image WORKDIR. + +2. Live image inspection on cc-ci: + `docker image inspect ghcr.io/bluesky-social/pds:0.4 --format "{{.Id}} created={{.Created}} workdir={{.Config.WorkingDir}} ... cmd={{.Config.Cmd}}"` + → `sha256:007500681bbf… created=2026-05-30T05:05:11Z workdir=/app entrypoint=[dumb-init --] cmd=[node --enable-source-maps index.ts]` + `docker run --rm --entrypoint sh ghcr.io/bluesky-social/pds:0.4 -c 'node --version; ls /app'` + → `v24.15.0` / `index.ts node_modules package.json pnpm-lock.yaml` — **no index.js**. + `grep @atproto/pds /app/package.json` → `"@atproto/pds": "0.5.1"`; /usr/local/bin/goat present. + So `:0.4` is now a main-branch 0.5.1 build → recipe's `index.js` exec = MODULE_NOT_FOUND. + This precisely explains the rcust-era crash-loop evidence (Node v24.15.0 in traceback). + +3. Upstream research: + - ghcr tags/list (paginated): exact tags …0.4.158, 0.4.169, 0.4.182, 0.4.188, 0.4.193, + 0.4.204, 0.4.208, 0.4.219, plus anomalous 0.4.5001. `:0.4` digest `871194d2…` == + `latest`, ≠ `0.4.219` (`e0b756701c92…`) → :0.4 republished past the release line. + - Dockerfile@v0.4.219: node:20.20-alpine3.23, WORKDIR /app, CMD index.js, dumb-init. + - Dockerfile@main: node:24.15-alpine3.23, CMD index.ts, + goat binary — matches what + `:0.4` now contains. GitHub `releases/latest` 404s (they only push git tags). + - service/package.json@v0.4.219: `"@atproto/pds": "0.4.219"`. + +4. Candidate-fix image verified on cc-ci: + `docker run --rm --entrypoint sh ghcr.io/bluesky-social/pds:0.4.219 -c 'node --version; ls /app; grep @atproto/pds /app/package.json; which dumb-init'` + → `v20.20.2` / index.js present / `"@atproto/pds": "0.4.219"` / `/usr/bin/dumb-init`. + Image CMD `[node --enable-source-maps index.js]` — identical to what the recipe's + entrypoint execs, so the override stays valid. + +**Why pin 0.4.219 and not chase 0.5.1 (rationale, summarized in DECISIONS.md):** 0.5.1 +exists only as the moving `:0.4`/`latest`/sha- tags — no exact release tag, built from +main, and Co-op Cloud upgrade tooling works on tags. Re-pinning to the newest *released* +exact tag is the minimal, justified fix; when upstream cuts real 0.5.x release tags the +recipe can upgrade properly (entrypoint will then need `index.ts` + Node 24 — noted in +upstream registry). + +Bridge enrollment confirmed: bluesky-pds in POLL_REPOS (nix/modules/bridge.nix:43) → +`!testme` works. Mirror has only closed PR#1 (skill smoke test); my fix → PR#2. + +Next: DECISIONS entry (B3), mirror branch + PR (B4), !testme (B5). diff --git a/STATUS-bsky.md b/STATUS-bsky.md new file mode 100644 index 0000000..6a917ee --- /dev/null +++ b/STATUS-bsky.md @@ -0,0 +1,46 @@ +# STATUS — phase bsky (fix bluesky-pds recipe + screenshot) + +Phase SSOT: /srv/cc-ci/cc-ci-plan/plan-phase-bsky-fix.md +Gate: none claimed yet — working M1 (root cause + green fix PR). + +## Root cause (established 2026-06-11, evidence below) + +bluesky-pds pins the MOVING image tag `ghcr.io/bluesky-social/pds:0.4` and overrides the +image entrypoint with a config script that ends `exec node --enable-source-maps index.js` +(relative to image WORKDIR `/app`). Upstream now publishes main-branch builds to `:0.4` +(== `latest`): the current manifest (digest `sha256:871194d2…`, created 2026-05-30) is +`@atproto/pds` 0.5.1 on Node v24.15.0 with the service restructured to `/app/index.ts` +(no `index.js`) and CMD `node --enable-source-maps index.ts`. The recipe's hardcoded +`index.js` therefore crash-loops `Cannot find module '/app/index.js'` (MODULE_NOT_FOUND). + +Newest EXACT tag `0.4.219` keeps the layout the recipe assumes: Node v20.20.2, +`/app/index.js` present, dumb-init present, CMD `node --enable-source-maps index.js`, +`@atproto/pds: 0.4.219` (verified by running the image on cc-ci). + +## How to verify the root cause (from any host with docker + ssh cc-ci) + +- `ssh cc-ci 'docker image inspect ghcr.io/bluesky-social/pds:0.4 --format "{{.Created}} {{.Config.Cmd}}"'` + → EXPECTED: created 2026-05-30…, cmd `[node --enable-source-maps index.ts]` +- `ssh cc-ci 'docker run --rm --entrypoint sh ghcr.io/bluesky-social/pds:0.4 -c "node --version; ls /app; grep @atproto/pds /app/package.json"'` + → EXPECTED: v24.15.0; index.ts (NO index.js); `"@atproto/pds": "0.5.1"` +- `ssh cc-ci 'docker run --rm --entrypoint sh ghcr.io/bluesky-social/pds:0.4.219 -c "node --version; ls /app; grep @atproto/pds /app/package.json"'` + → EXPECTED: v20.20.2; index.js present; `"@atproto/pds": "0.4.219"` +- Recipe entrypoint: mirror `recipe-maintainers/bluesky-pds` @ b2d86ef, + `entrypoint.sh.tmpl` last line `exec node --enable-source-maps index.js`; + compose.yml `image: ghcr.io/bluesky-social/pds:0.4`. +- Upstream refs: Dockerfile@main (node:24.15-alpine3.23, CMD index.ts) vs + Dockerfile@v0.4.219 (node:20.20-alpine3.23, CMD index.js); + ghcr tags list (exact tags end at 0.4.219; `:0.4` digest == `latest` digest + `sha256:871194d2…` ≠ `0.4.219` digest `sha256:e0b756701c92…`). + Research persisted: cc-ci-plan/upstream/bluesky-pds.md (plan repo f395247). + +## Fix in flight (M1) + +Re-pin to exact tag `0.4.219` + version label bump `0.2.0+v0.4` → `0.3.0+v0.4.219` on a +mirror PR branch `upgrade-0.3.0+v0.4.219` (precedent: immich PR#2 naming). Entrypoint +script unchanged — it matches 0.4.219's layout exactly. Then `!testme` to green, then +screenshot verification. + +## Operator summary + +(to be completed at M2) diff --git a/machine-docs/DECISIONS.md b/machine-docs/DECISIONS.md index 7a02cc2..e7c346e 100644 --- a/machine-docs/DECISIONS.md +++ b/machine-docs/DECISIONS.md @@ -1353,3 +1353,17 @@ recipe"); pass iff the table rendered clean; anything else unver + loud log. Har (observed ~0.7s); executor runs before the tiers (tree at tested ref), double-wrapped, R7 verdict-neutral. Full output → run artifact `lint.txt` (dashboard-served); status + failing rule ids → results.json `lint`. + +**bluesky-pds re-pin decision (phase bsky, 2026-06-11).** The recipe pinned the moving tag +`ghcr.io/bluesky-social/pds:0.4`, which upstream now republishes with main-branch builds +(currently @atproto/pds 0.5.1, Node 24, `/app/index.ts` — no `index.js`), breaking the +recipe's entrypoint override (`exec node --enable-source-maps index.js`). Fix: pin the +newest RELEASED exact tag `0.4.219` (Node 20.20, `/app/index.js`, CMD identical to the +recipe's exec line — entrypoint stays valid unchanged) and bump the version label +`0.2.0+v0.4` → `0.3.0+v0.4.219` (minor bump for an upstream pin change, immich-PR#2 +precedent). REJECTED: tracking 0.5.1 (only exists as moving/sha- tags built from main — +no release tag; would also require entrypoint `index.ts` migration against an unreleased +version); digest-suffix pinning (abra survey/upgrade tooling chokes on tag@digest — see +immich standing note). When upstream cuts real 0.5.x release tags, upgrade properly +(entrypoint will then need the index.ts/Node-24 migration — recorded in +cc-ci-plan/upstream/bluesky-pds.md). Never re-pin to `:0.4`/`latest`/minor tags.