Mechanical port to the assertion-only contract (no softened/skipped assertions): install uses
live_app + generic.assert_serving (extend) + the recipe's http/playwright/api checks; upgrade seeds
its data marker then generic.do_upgrade + asserts survival; backup/restore split into test_backup.py
(seed->do_backup->mutate) + new test_restore.py (do_restore->assert original). Recipe-specifics
preserved verbatim (keycloak realm+admin-console+kc_admin, matrix/lasuite db-service psql markers,
cryptpad/n8n volume markers). No recipe now double-deploys under the deploy-once orchestrator.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Cold my clone @ce3c0f8 (has G3 files), both directions: custom-html-tiny install FAILS gracefully
without install_steps.sh (404, per-op, deploy-count=1) and PASSES with it (hook seeds index.html).
DG3 N/A-skip confirmed: non-backup-capable => backup/restore skip while install/upgrade pass. Move
-assertion robust to image-identical version bump (1.0.0->1.0.1, same image 2.38.0, label moved).
Clean teardown. DG5 PASS. Only G4 (DG6/DG7/DG8) remains, not yet claimed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Cold my clone @c965f6c: unit tests 5/5 (precedence repo-local>cc-ci>generic + no-overlay=>generic);
full custom-html lifecycle shows all 4 TIER lines as (cc-ci: ...) overlays — override LIVE — all
green with data-continuity (upgrade-survives marker; backup original->mutate->restore->original);
deploy-count=1 (no redeploy); clean teardown. DG4+DG4.1 PASS. G3 (DG5) verification next.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
tests/custom-html-tiny/install_steps.sh seeds content into the volume pre-deploy. Proof: install
FAILS without the hook (404, graceful-generic), PASSES with it. Same run shows backup/restore=skip
(custom-html-tiny non-backup-capable) — DG3 N/A-skip. deploy-count=1. recipe_meta shortens timeouts.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Cold my clone @c965f6c: genuine prev->target MOVES (deploy 3.0.9->image 1.10.7; upgrade->1.10.8;
version label changed) AND a no-op upgrade now RAISES 'did not move'. DG2 non-vacuous +
regression-locked; DG3 genuine. Closed F1d-2. G2 (custom-html overlays) verification in progress
(unit tests 5/5; full overlay lifecycle pending — Builder run in flight on the node, waiting).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
custom-html overlays override+extend the generic for all 4 ops, data-continuity round-trips,
deploy-count=1, clean teardown. Discovery precedence unit tests 5/5. hedgedoc generic lifecycle
green with genuine 1.10.7->1.10.8 upgrade (move-assertion).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- deploy_app: checkout the pinned tag + deploy NON-chaos when a version is pinned (chaos only for
version=None / PR-head). Was always -C, which ignored the pin and deployed LATEST -> upgrade no-op.
- do_upgrade: assert the deployment actually MOVED (coop-cloud version label and/or image changed)
via lifecycle.deployed_identity -> a vacuous no-op upgrade can no longer pass (DG2).
- G2: migrate custom-html overlays to the assertion-only contract (override + extend-by-composition
+ data-continuity; split backup/restore). tests/unit/test_discovery.py proves precedence (5/5).
Probe (Adversary's F1d-2 test): hedgedoc deploy-prev=1.10.7 -> upgrade=1.10.8, CHANGED=True.
hedgedoc full generic lifecycle green (install/upgrade/backup/restore, deploy-count=1).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Cold-verified my own clone @9d771a1. Full lifecycle runs green + deploy-count=1 + clean
teardown, and DG3 backup/restore mechanism is genuine — BUT DG2 is vacuous:
deploy_app(version='3.0.9+1.10.7') runs hedgedoc:1.10.8 (LATEST), upgrade->newest is
latest->latest (CHANGED:False; upgrade tier finished in 1.97s). Root cause: abra app new
<version> positional does not check out the tag — recipe dir stays at HEAD 3.0.10+1.10.8.
The still-serving-only assertion can't catch it. Filed F1d-2 (HIGH, blocks G1); Builder must
pin the base version for real + assert the version actually changes prev->target, then re-claim.
Also closed F1d-1: cert-check reframe (6c5d8f2) verified honest. No global VETO (DONE far off).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- backup artifact: read snapshot_id from 'abra app backup create' output (snapshots needs a TTY);
generic.parse_snapshot_id + do_backup assert it
- restore serving race: lifecycle.http_fetch (one request -> status+body, never raises) +
assert_serving is now a bounded poll (settles a post-op reconverge, no bare sleep); drop wait_serving
- F1d-1 (Adversary, low): reframe served_cert/assert_serving honestly as an INFRA TLS sanity check
(catches a lapsed/mis-rotated wildcard cert), NOT app-vs-fallback (Traefik serves the wildcard
zone-wide); the genuine serving proof is services_converged + non-404 status. Awaiting re-test.
DG1 Adversary PASS @ef44d46. G1 full-lifecycle re-verification in flight.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
install:pass + deploy-count=1 + clean teardown (only 5 infra stacks remain, no orphans).
Serving assertion proven load-bearing: assert_serving RAISES on a non-deployed domain
(services not converged; 404 excluded from HEALTH_OK). Pure-generic confirmed (hedgedoc has
no cc-ci/repo-local tests). No VETO — Builder cleared past G0.
Filed F1d-1 [adversary] (low, DG7-scoped, NOT a DG1 blocker): served_cert is a near-no-op —
VERIFIED for any in-zone subdomain incl. non-deployed (Traefik serves the wildcard for the
whole zone), so it does NOT distinguish app-vs-fallback as journal/STATUS/code claim. Fix
wording/check before the DG7/G4 gate.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
git mv STATUS*/BACKLOG*/JOURNAL*/DECISIONS.md -> machine-docs/. README.md kept at root (operator
decision). Updated in-repo refs: README (status line + lint section + Loop-state section) and
docs/install.md -> machine-docs/...
Safe to move now: launch.sh already has resolve_state() (prefers machine-docs/ else root) used by
every STATUS/REVIEW read, and the running watchdog (pid 133191) was restarted AFTER that update, so
it is location-agnostic. scripts/lint.sh -> lint: PASS post-move. Adversary moves its own REVIEW*.md.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
