Active nix store (km6173hm5a...) calls ls5d6s7q...-runner/warm_reconcile.py which
still has health_domain=ci.commoninternet.net (OLD probe). Fix 0e9fd38 in git but not
deployed. Waiting for: cd /root/builder-clone && git pull && nixos-rebuild switch.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cold verification of commit 0e9fd38:
1. Code change correct: health_path="/api/version", health_domain absent (falls back to
traefik.ci.commoninternet.net). Probe is traefik's own API, no backend dependency.
2. Controlled repro (dashboard=0): new probe → 200; old probe → 404. Cycle broken.
3. Consumer ordering unchanged: all After=deploy-proxy services unaffected; deploy-proxy
itself has no After=dashboard. Fix does not change any service ordering.
4. Alert dir empty: stale alert cleared.
5. proxy.nix comment updated correctly.
6. Gate has teeth: on curl failure, health_code() returns 0 (not 999 as STATUS claimed —
non-blocking doc discrepancy); 0 not in health_ok=(200,) → rollback triggers. Functional PASS.
7. DEFERRED entry closed, DECISIONS logged.
No blocking findings. M2 pending orchestrator cold-boot.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Independent cold read confirms the circular dependency (proxy health-gate polls
ci.commoninternet.net served by dashboard which is After=deploy-proxy). Root cause
is PROVEN LIVE by today's alert: 20260613T054428Z-traefik-unhealthy-on-latest.json.
Fix endpoint independently verified: /api/version on traefik.ci.commoninternet.net
returns 200 as soon as traefik is up, no dashboard dependency.
REVIEW-pxgate.md: orientation, M1/M2 acceptance criteria.
BACKLOG-pxgate.md: break-it probes P1–P5 to run at M1 gate.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cold re-clone @a6f967f: cardinal (recipe,filename) set identical 64=64; 0 added/0
deleted test files, 5 non-R100 renames are docstring/comment only (no assertion/wait/
skip/sys.path change); orphan-test hunt found no droppable recipe-local test; alias
probe warns on both deprecated dirs; unit suite 18 passed; cfold sweep evidence audited
directly (all 20 recipes 5/5, custom counts match baseline, live_pr_apps=0). M1+M2 PASS.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Build #612 level 5/5 PASS (post-proxy, 06:13Z). All prior failures pre-proxy-fix.
PR#4 operator-ready; PR#3 and PR#5 closed. No ghost leaks. Adversary signed off @06:38Z.
PR#4 (d88f5801) is the correct upgrade PR. All prior failures were pre-proxy-fix (2026-06-12).
Fresh !testme triggered at 06:12:48Z on 2026-06-13 — post proxy /16 fix (05:38Z).
PR#5 is a cfold probe artifact (close after M2); PR#3 superseded (close).
Cold verify 2026-06-13T06:10Z: proxy 10.10.0.0/16/7 endpoints confirmed,
all 9 services 1/1, ci=200/drone=303/report=200, zero VIP exhaustion since
05:38Z, swarm.nix e6349a9 confirmed, Step-0 guard text updated in 84e13a7.
[A2] closed — stale description fix confirmed in orchestrator.
5 concurrent throwaway stacks deploy+rm. Zero leaked endpoints, zero GC races,
zero VIP exhaustion errors, zero residue after prune. /16 headroom confirmed cold.
Still waiting for Builder M1/M2 claims.
Cold verify: proxy 10.10.0.0/16 confirmed, all 9 services 1/1, routes 200/303.
No VIP exhaustion errors post-05:38Z. Step-0 guard verified present in upgrade-all skill.
[A2] filed: stale description in SKILL.md (guard text still says 'until that lands').
M1 and M2 pending Builder claim.
Patch nix/modules/swarm.nix to create the `proxy` overlay with
--subnet 10.10.0.0/16 (~65k VIPs, 258× headroom over the exhausted /24).
Live host survey confirms 10.10.0.0/16 is clear of all existing
Docker networks (ingress 10.0.0.0/24, existing per-stack overlays
10.0.1-4.0/24, host routes). Exact maintenance procedure in
STATUS-pvfix.md including pre-checks, stack teardown order, drain
wait, remove/recreate proxy, nixos-rebuild, deploy-* restart chain,
and health verification steps.
Adversary: please cold-review the patch + procedure before any live
disruptive action.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cold-ran all 12 acceptance checks: 64 custom tests, 0 stale folders, IDENTICAL
(recipe,filename) set pre vs post cfold, 18 unit tests pass, RUNG name unchanged,
deprecated-alias probe fires warnings + discovers all 3 subdirs. cf55+cf48 agree.
Also seeds pvfix Adversary state files (REVIEW-pvfix.md, BACKLOG-pvfix.md):
live host confirmed at 10.0.1.0/24, swarm.nix has no --subnet. Fix needed.
Awaiting Builder M1 claim (patch + procedure + live inspection).
Independent cross-validation of cfold 44e0242. All 7 categories PASS:
cardinal (recipe,filename) coverage set identical pre/post (64=64), per-recipe
counts match baseline, no assertions weakened, deprecated aliases warn, lifecycle
overlays top-level, RUNG name intact, cfold M2 sweep all-20 L5 zero leaks.
cf55(sonnet-4.6) vs cf48(opus-4.8) FULL agreement; cf48 also caught a cf55
narrative slip (keycloak sys.path unchanged, not depth-adjusted).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Cold-verified all 8 Builder checks against claim commit 8b23f7b:
- 64 canonical custom tests, 0 in deprecated dirs, per-recipe counts match
- 18 unit tests pass, 0 lifecycle overlays in custom/, RUNG name unchanged
- Deprecated-alias probe: 2 warnings + both files found
- Clean working tree
All 7 required review categories pass independently. No coverage lost.
Builder may write ## DONE.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Full cf55 review of cfold commit 44e0242:
- 64 custom tests in canonical custom/ dirs, per-recipe counts exact match
- zero tests in deprecated functional/+playwright/ trees
- assertions preserved: all moves were git mv + path-comment/sys.path adjustments
- deprecated-alias warnings fire; lifecycle overlays at top-level only
- RUNG name 'functional' unchanged; unit suite 18 passed
- cfold M1+M2 evidence audited; full sweep green at L5 across 20 recipes
Verdict: NO COVERAGE LOST. Awaiting Adversary PASS.
