Commit Graph

24 Commits

Author SHA1 Message Date
cf807321e1 review(redfix): wake #45186b0ba rewrite VERIFIED cold; A-redfix-2/3/4 CLOSED; A-redfix-1 = same live credential as B-redfix-8 (sentinel 3fcea789…, still unrotated) 2026-07-09 09:02:52 +00:00
186b0ba46b status(redfix): accept A-redfix-4 — weekly nightly-sweep.timer re-triggers reconcile; wedge is silent + recurring
Independently re-verified every leg against the node before editing (I adopted
A-redfix-2's probes wholesale at 8276ecd and inherited its error; not repeating that).

- Delete both 'no re-trigger' probes: they grep the app name, but the timer is
  named nightly-sweep, so they return empty while a timer drives it weekly.
  Sound probe greps the callee: git grep warm_reconcile -- runner/ nix/
- Replace 'recovery is manual' / 'heals on reboot' with the weekly DOWN/UP
  oscillation, and record that it is SILENT (roll_warm_infra discards the rc;
  the raise is upstream of every write_alert).
- Re-anchor the merge precondition: 'slot clean at merge time' -> 'never deploy
  07fc6d4'. A git merge executes nothing; b5f2b10 ships enrollment + fix together,
  so the precondition is self-maintaining.
- Line refs pinned to b5f2b10 coordinates (were main's, two lines off).
- BACKLOG B-redfix-5: severity corrected, remedy sketch extended to rc propagation.

Not armed and not self-arming: origin/main (the tree the sweep runs) has
WARM_CANONICAL = False. Nothing reopens; DONE stands, no VETO, b5f2b10 unchanged.
Inbox consumed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TkHo7RixQswYvvNnEcNaqW
2026-07-09 08:52:44 +00:00
85b068e395 review(redfix): wake #44 — I REFUTE my own A-redfix-2; nightly-sweep.timer is a weekly re-trigger, wedge is silent + recurring (A-redfix-4) 2026-07-09 08:47:34 +00:00
10576574c5 review(redfix): wake #43 — A-redfix-2 REFUTES "no code path redeploys it"; A-redfix-3 voids the "both clones" evidence
Probed the two operator-facing claims in the Builder's new commits (cbeceea, d5dc547). No inbox, no gate.

A-redfix-2 (LOW-MED) — "The wedge does not self-heal ... no code path redeploys it. Recovery is manual."
Conclusion right, mechanism wrong. abra.undeploy() does not remove the app .env, so the next reconcile()
sees current_version resolvable + is_deployed False and takes the fresh-deploy branch
(warm_reconcile.py:471-479), which redeploys and NEVER calls warmsnap -- the guard is unreachable there.
What actually blocks self-healing is the lack of a re-trigger: warm-keycloak.service is Type=oneshot with
no timer and no Restart=. So it heals on the next reboot / nixos-rebuild switch, then RE-WEDGES on the next
due upgrade because the foreign snapshot/meta.json is still in the slot. The failure therefore presents as
an intermittent flake, and the correct remediation is removing the foreign snapshot/, not redeploying
keycloak. Asked the Builder to correct two sentences; the precondition itself is unchanged and still right.

A-redfix-3 (INFO) — "main.go present in both clones => written outside git". Evidence void: /srv/cc-ci is a
SYMLINK to /srv/cc-ci-orch, so both paths are the same inode (2049:3254604, links=1). One file, one clone.
Risk bounded: 281-byte hello-world net/http listener, no go.mod, go not installed, nothing on :8080, in no
commit, unreferenced, inert. Concur with leaving it in place.

No VETO. DONE stands, M1+M2 PASS stand, merge target b5f2b10 unchanged. B-redfix-8 unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01SoraVF2hkEMExHswFX1g4M
2026-07-09 08:32:49 +00:00
93614f114e status(redfix): record the b5f2b10 MERGE PRECONDITION; widen B-redfix-5 to both post-undeploy sites
Acting on the Adversary's wake-#41 verdict (3131e39), which CONFIRMED the merge guidance but left a merge
precondition only in REVIEW-redfix.md — Adversary-owned, and not what an operator reads before merging.
Moved it into STATUS (operator-facing, mine), re-deriving every leg from source at b5f2b10 rather than
trusting the verdict.

- STATUS: MERGE PRECONDITION for b5f2b10, with the exact ssh check + expected output, and the corrected
  reason it is unreachable today (live slot has no meta.json — NOT "F-redfix-4 is closed").
- Sharpening the Adversary missed: the new guard is reached from snapshot() at warm_reconcile.py:514 as
  well as restore() at :536. Line :512-514 is undeploy -> wait_undeployed -> snapshot, also outside the
  try/except, and it is on the NORMAL upgrade path — it fires on every stateful auto-upgrade, not only on
  rollback. B-redfix-5 as filed named only the rollback site.
- BACKLOG + DEFERRED: widen B-redfix-5 to both sites (a) :512-514 and (b) :534-536; correct the claim that
  F-redfix-4 "supplied the only reachable trigger and that is now closed" — b5f2b10 ADDS a raise path
  (_assert_slot_not_foreign at warmsnap.py:158 and :209).

Verified: guard present in both callers at b5f2b10; reconciler structure at :512-514 / :520-525 / :534-537;
cc-ci live slot holds last_good only (no snapshot/, no meta.json, no canon-* slot). Probe with a seeded
foreign meta raises on both paths; absent meta and self-consistent meta both pass.

No DoD item touched. M1+M2 PASS stand, ## DONE stands, no VETO. Docs-only.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01YZmH4rVNue3irZ6EsZzavb
2026-07-09 08:16:06 +00:00
95ee5799b4 security(redfix): B-redfix-8 — prove the leaked credential is STILL LIVE, not merely still served; fix a broken re-check command
Wake #23 no-op re-check. Phase remains ## DONE (M1+M2 Adversary PASS, no standing VETO, no inbox);
nothing to build. Re-derived B-redfix-8 from the artifact instead of inheriting it:

1. Still public: anonymous urlopen of raw@2ad38f5 -> HTTP 200, 33408 bytes; git cat-file -s on the same
   blob -> 33408. Served size == object size, so the fetch is the blob. Independently re-confirms the
   corrected byte count from 251de42 (33080 was the transcription slip).

2. NEW, and the point of this commit: still the LIVE credential, not just a reachable file. Every prior
   record measured public reachability (HTTP 200) and then asserted "unrotated" -- two different claims,
   only the first ever checked. Direct test: the current GITEA_PASSWORD in /srv/cc-ci/.testenv is present
   verbatim in the 2ad38f5 blob. The bytes the public internet serves ARE the password the harness
   authenticates with today. The exposure is NOT inert. "Unrotated" had been true-by-repetition.

Recorded a sha256[:16] commitment (3fcea78925015fc9) so the operator can confirm rotation later without
either loop reprinting the secret; a different digest means rotation landed and 2ad38f5 is inert.

Also: my first draft of that operator re-check command was broken twice -- unterminated quote-escaping and
sha256() handed a str instead of bytes. It would have raised SyntaxError for the operator at precisely the
moment they were checking whether a live HIGH leak was closed. Caught by applying "no should-work" to
documented commands, not just executed ones; fixed, then round-tripped by extracting the line back out of
the file and eval-ing that. Prints the expected digest.

Not actionable by me: rotation is Class-A1 (operator-only), history excision needs --force (forbidden), and
a publicly-served value must be presumed captured regardless. B-redfix-8 stays OPEN on operator rotation.
DONE stands, no VETO.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_012nYqSjry6bgBYrbynTyp2D
2026-07-09 02:35:16 +00:00
251de42894 fix(redfix): correct B-redfix-8 probe byte count 33080 -> 33408; consume BUILDER-INBOX
The Adversary (re-confirmation #22) caught that both my records of the B-redfix-8
public-exposure probe asserted "HTTP 200, 33080 bytes" while the blob is 33408. I
re-measured rather than accepting the correction on trust:

  git cat-file -s 2ad38f5:machine-docs/BACKLOG-redfix.md  -> 33408
  bare anonymous urllib GET of raw@2ad38f5                -> 200, 33408, b'# BACKLOG'

They agree, and must: a raw blob at a fixed sha is immutable, so served size ==
object size. 33080 was a transcription slip (digit permutation) inside a claim I had
prefaced with "I reproduced it myself" — true about the act, false about the evidence.

Load-bearing, not cosmetic: B-redfix-8 is what an operator reads before rotating a
live, world-readable, push-capable credential. Someone re-running the probe, getting
33408 against a documented 33080, could conclude they'd hit an error page and stand
down from a real HIGH leak.

Fixed both Builder-owned sites (BACKLOG B-redfix-8, JOURNAL ~1261) and added the
`git cat-file -s` cross-check to the backlog entry so the next reader can distinguish
a real leak from an error page without re-deriving it. Journal wake #23 records the
process defect: a number that was cited rather than measured — the same shape the
Adversary logged against its own wake-#20 narrative.

Re-confirmed this wake: secret STILL served publicly (HTTP 200, anonymous), STILL
unrotated. No DoD item touched. DONE stands, no VETO. B-redfix-8 remains OPEN on
operator rotation, which is the only remediation (history scrub needs --force).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018NACoEBDqq4FAHWoTdZHDF
2026-07-09 02:26:37 +00:00
49118a4321 security(redfix): escalate B-redfix-8 LOW->HIGH — leaked bot password is served to the PUBLIC internet; consume BUILDER-INBOX
Independently verified (bare python urllib GET, no creds): the mirror is public and commit 2ad38f5
serves the cleartext autonomic-bot password at HTTP 200 to unauthenticated clients. HEAD/main and the
redaction commit d07873a fetch clean publicly — only the historical commit still serves it. Mount-ns
containment (the old LOW rationale) is moot once the same secret is on the open web.

Redaction at HEAD stops propagation but cannot un-publish a public value; a --force history rewrite is
both forbidden here and insufficient. ROTATION of autonomic-bot's Gitea password by the operator is
now URGENT and the only real remediation (Class-A1 external input, §4.4).

Consumed the Adversary's BUILDER-INBOX (git rm = ack). No verdict change: leak is orthogonal to the
canon-sweep DoD, clearable only externally, so no VETO. M1/M2 PASS, DONE stands.
2026-07-09 02:00:46 +00:00
d7236ca19c review(redfix): re-confirmation #18 — SECURITY escalation: my 2ad38f5 disclosed the live bot password, and I've now established the mirror is PUBLIC (unauth HTTP GET of raw@2ad38f5 returns 200 with cleartext secret) => A-redfix-1 reclassified LOW->HIGH, operator rotation now URGENT; accepted Builder's redaction (d07873a, verifiability intact), purged my scratchpad copy; no verdict change, DONE stands, no VETO (leak is orthogonal to DoD and only rotation clears it); consumed inbox, sent BUILDER-INBOX with the public-reachability fact 2026-07-09 01:58:19 +00:00
d07873a276 fix(redfix): SECURITY — redact live Gitea bot password from machine-docs/BACKLOG-redfix.md
Commit 2ad38f5 (review(redfix) re-confirmation #17) added an A-redfix-1 "repro" line that inlined the
ACTUAL autonomic-bot Gitea password as a grep pattern, and it was pushed to origin/main. Redacted at
HEAD: the repro now greps 'autonomic-bot:' instead, verified to return the same result (1), so the
finding loses no verifiability.

This ESCALATES A-redfix-1: the secret moved from one 0644 file on one host (reachable only from pid1's
mount ns) into a git repo replicated to every clone and readable by anyone with mirror access — and the
credential grants push to recipe-maintainers/*, so it now sits inside a repo it can write to.

Redaction stops propagation; it does NOT undo disclosure. The secret is in history at 2ad38f5, and
excising it needs a history rewrite + --force, which the standing rules forbid. => The autonomic-bot
password MUST be rotated by the operator (Class-A1 external input, plan §4.4). Filed as B-redfix-8.

No DoD item is touched; the phase is not reopened. DONE stands.
2026-07-09 01:55:28 +00:00
e64d8e7441 journal(redfix): wake #19 — consumed review(redfix)@2ad38f5 (re-confirmation #17); my B-redfix-7 severity rationale was wrong on the axis ("no non-root login users" — but mode 644 lets any uid read; setpriv --reuid=1000 succeeds). Re-derived the correct containment first-hand rather than inheriting it: mount-namespace isolation (only dbus-daemon uid 4 shares pid1's mnt-ns; the uid-1000 warm-keycloak JVM is in ns 4026533305 and cannot see host /etc). Same LOW severity, different load-bearing reason — and a fragile one, so the case to fix strengthens. Corrected the bullet, cross-ref A-redfix-1; no verdict change, DONE stands, loop remains stopped 2026-07-09 01:54:14 +00:00
2ad38f507b review(redfix): re-confirmation #17 — consumed ADVERSARY-INBOX (Builder wake #18); accepted their correction after re-deriving it (/etc/cc-ci HEAD is main@d11f8f56; redfix-m2-harness is a stale local branch there; b5f2b10 ABSENT — conclusion unchanged, NOT-MERGED holds); confirmed B-redfix-7 as A-redfix-1 with repro but corrected its rationale (LOW rests on mount-namespace isolation, not on absence of login users — mode DOES permit uid1000); caught my own near-miss before it became evidence (setpriv ran in host ns; the real uid-1000 java IS warm-keycloak but is containerized and cannot read host /etc); no VETO, DONE stands 2026-07-09 01:52:39 +00:00
112132d55f journal(redfix): wake #18 — consumed review(redfix)@6997c29 (re-confirmation #16, B-redfix-6 confirmed + deferral endorsed); corrected an Adversary fact via inbox (/etc/cc-ci HEAD is main@d11f8f56, redfix-m2-harness@b96b8a4c is a stale LOCAL BRANCH not HEAD — its conclusion stands); filed B-redfix-7: /etc/cc-ci/.git/config is mode 644 with the Gitea bot password in cleartext (severity LOW — no non-root login users; orphaned non-Nix clone, no systemd unit uses it); NOT actioned (Class-A1 external cred + not my dir), operator call, does not reopen the phase; no verdict change, DONE stands, loop remains stopped
Some checks failed
continuous-integration/drone/push Build is failing
2026-07-09 01:49:47 +00:00
594824d9fe journal(redfix): wake #17 — consumed review(redfix)@32fefb2 (re-confirmation #15); fixed stale "15 existing canonicals" in STATUS (real: 17 seeded, and the invariant is structural not numeric — WARM_DOMAINS singleton ⇒ exactly one re-key, 20 of 21 enrolled unchanged); all figures re-derived first-hand off live disk + b5f2b10, not taken from the verdict; filed B-redfix-6 for the same stale count in canonical.py:52's docstring, deliberately NOT fixed inline to avoid moving the branch off the M2-PASS-pinned b5f2b10; no verdict change, DONE stands, loop remains stopped
Some checks failed
continuous-integration/drone/push Build is failing
2026-07-09 01:42:59 +00:00
4bef9a359b review(m2-redfix): M2 PASS — VETO CLEARED, F-redfix-4 CLOSED (remedy verified cold at b5f2b10)
Some checks failed
continuous-integration/drone/push Build is failing
Cold-verified redfix-m2-harness@b5f2b10 (parent 07fc6d4 = the sha the earlier M2 PASS was
given against, so the other five fixes are provably untouched by this commit).

Clearing condition MET verbatim: live_slot=keycloak vs canonical_slot=canon-keycloak are
disjoint; restore(canon) and restore(live) each return their OWN stack's volumes; reconciler
last_good survives; foreign snapshot AND foreign restore both refused (probed both directions).
canonical_domain unchanged, so M2's original keycloak evidence still stands.

Checks the Builder did not run:
 - integrity: canon mariadb byte-identical across the destructive restore round-trip
   (cksum 4271926745 166164480, 386 files, before and after).
 - mutation testing (are the +10 tests vacuous?): reverting canonical_ns() to `return recipe`
   reds 4 of them; removing both _assert_slot_not_foreign() call sites reds 2. Not vacuous.
   Suites reproduce exactly: 325 passed @b5f2b10, 315 passed @07fc6d4.
 - caller audit: every snapshot/restore/app_dir/snap_dir call site passes an explicit slot;
   no bare recipe survives.
 - blast radius (the risk this refactor most plausibly created): all 21 enrolled recipes still
   resolve to their EXISTING on-disk dirs; registry_path("bluesky-pds") is character-identical
   at parent and fix. The 3 without a registry have no dir at all and never did. No migration.
 - prune_stale invariant now structural: <recipe>/ never gains a canonical.json, so a
   de-enrolled provider can no longer rmtree the reconciler's last_good (scratch-root sim,
   fake ns only — prune_stale calls `docker volume rm`).

Enrollment retained (WARM_CANONICAL=True), no silent de-enrollment. Both false
"can never touch each other" comments removed.

B-redfix-5 (reconciler rollback restore() outside the upgrade try/except) accepted as
NON-BLOCKING: verified verbatim present at parent 07fc6d4, so it predates the enrollment.
F-redfix-4 made it reachable; that path is now closed. Correctly filed, not silently fixed.

All six recipes now hold a fresh Adversary PASS; F-redfix-1/2/3/4 CLOSED; no open blocking
finding. Builder may re-assert ## DONE.

Node clean: throwaway volume + scratch removed, real warm root untouched (keycloak/ = last_good
only, no canon-keycloak/ created), canon volumes intact, live keycloak /realms/master 200 throughout.
2026-07-09 00:19:39 +00:00
397c303188 journal(redfix): wake #8 — VETO F-redfix-4 reproduced independently, root-caused, fixed at b5f2b10; decision recorded (warm state keyed by stack namespace); B-redfix-5 residual filed
Some checks failed
continuous-integration/drone/push Build is failing
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01FS8p1esg57UAC69riNvuBX
2026-07-09 00:13:47 +00:00
941d5e81c1 review(redfix): VETO — keycloak enrollment not collision-free in warm state (F-redfix-4)
Some checks failed
continuous-integration/drone/push Build is failing
Post-reboot re-confirmation #8. New break-it probe on the two HARNESS fixes (previously
only sha-reachability checked, never content, never second-order effects).

mumble 07fc6d4: CLEAN — attempts 12->36 @5.0s = claimed 180s; all assertions unchanged,
so a dead server still FAILs. Budget widened without weakening the test.

keycloak 61211db: correct at the domain/stack layer, but its own invariant is FALSE.
canonical_domain() separates the two deployments by domain, yet warm STATE is keyed by
recipe: warmsnap.snap_dir("keycloak") is ONE slot shared by the live-warm reconciler
(warm-keycloak, stateful=True) and the newly-enrolled data-warm canonical
(warm-canon-keycloak, seeded via promote_canonical -> seed_canonical, no WARM_DOMAINS guard).

Proved by execution on cc-ci in a scratch CCCI_WARM_ROOT against the real idle canon stack:
snapshot(canon) -> snapshot(other stack) destroys the canonical known-good, and
restore(canon) raises SnapshotError. Fails closed (no cross-stack data write), but:
 1. every stateful reconciler upgrade deterministically destroys the canonical snapshot;
 2. the reconciler's rollback restore() is OUTSIDE its try/except and its snapshot->restore
    window spans deploy+wait_healthy (health_timeout 900). A sweep promote landing there makes
    the rollback raise AFTER abra.undeploy(live) -> live keycloak left undeployed = outage of
    the shared OIDC provider lasuite-*/drone depend on. Exactly the hazard canon §2.B's
    de-enrollment exception existed to prevent.
 3. prune_stale()'s documented "keycloak untouched" invariant becomes false once seeded.

Undetectable by the M2 run: /var/lib/ci-warm/keycloak/ holds only last_good (no canonical.json,
no snapshot/) vs cryptpad which has both — the promote deployed but seed_canonical never ran,
registry-advance being deferred to the operator's merge. First seed happens post-merge, unexercised.

VETO scoped to keycloak. M1 classifications and the discourse/mattermost-lts/gitea/bluesky-pds/
mumble fixes are unaffected and remain PASS. Clears when the two deployments use disjoint
warm-state paths and each restore() returns its own stack's volumes.

Node left clean: real warm root untouched, volumes intact, live keycloak 200 throughout.
2026-07-08 23:58:01 +00:00
1271c248b9 review(redfix): post-reboot re-confirmation #4 — DONE stands, no VETO (M1+M2 intact, both findings closed) + NEW non-blocking F-redfix-3 (CLOSED): discourse M2 evidence shas 9ff5e19/53ba0910 gone from mirror (branch rebased+extended by later phases), but fix CONTENT re-verified at HEAD ede6399 — official image + 0 sidekiq; other 3 recipe shas + harness branch pin exactly
Some checks failed
continuous-integration/drone/push Build is failing
2026-07-08 23:22:05 +00:00
67e86ded88 review(redfix): F-redfix-2 CLOSED — gitignore remedy cold-verified (fresh-clone + add -A replay, origin/main, no HTTP exposure); full 51-char key never committed (my prefix-grep was self-contaminated); Builder's symlink correction confirmed — one repo, fix fully applied; rotation left to operator; DONE stands, no VETO; consumed ADVERSARY-INBOX
Some checks failed
continuous-integration/drone/push Build is failing
2026-07-08 23:13:26 +00:00
a16c367091 review(redfix): DONE re-confirmed post-reboot #3 (M1+M2 PASS, no VETO) + NEW non-blocking finding F-redfix-2 — live API key in un-gitignored config.json at both Builder clone roots (never committed; one 'git add -A' from a push)
Some checks failed
continuous-integration/drone/push Build is failing
2026-07-08 23:06:44 +00:00
337931065a review(redfix-M2): PASS 6/6 — discourse re-verified level=5 (F-redfix-1 CLOSED); all 6 canon-sweep fixes cold-verified; node clean; no VETO; Builder cleared to DONE
Some checks failed
continuous-integration/drone/push Build is failing
2026-06-18 07:06:27 +00:00
3f5eddfdbd review(redfix-M2): FAIL — 5/6 PASS (keycloak/mumble/gitea/bluesky/mattermost), discourse FAIL (F-redfix-1: incomplete migration, dangling image-less sidekiq in compose.smtpauth.yml -> R011 lint regression + breaks smtp-auth; run #849 also level=4)
Some checks failed
continuous-integration/drone/push Build is failing
2026-06-18 06:45:46 +00:00
4777ba8edc backlog(redfix): M2 fix designs from M1 evidence (mattermost/bluesky/gitea recipe PRs; keycloak/mumble harness; discourse overlay-scope) — execution gated on M1 PASS
Some checks failed
continuous-integration/drone/push Build is failing
2026-06-18 00:20:14 +00:00
3e61473365 chore(redfix): bootstrap phase state files (STATUS/BACKLOG/JOURNAL); M1 investigation tracker seeded
Some checks failed
continuous-integration/drone/push Build is failing
2026-06-17 23:20:55 +00:00