dc81c16b9d
1c/W3: throwaway VM created (booting); W4 design notes (keyFile/recovery-key, tailnet, bridge)
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 17:06:23 +01:00
6c03a27b16
1c/W1 DONE: cc-nix-test resized 6->4GB, healthy after reboot (cert survives via sops, TLS ok)
...
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 16:59:49 +01:00
60bd291ce1
1c: W2 PASS (Adversary, C1/C2/C3 cold); proceeding to W1/W3/W4
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 16:54:23 +01:00
95ac37c7bd
review(1c): W2 PASS cold — byte-identical build==running (vh6vwxbl), cert sops-from-git + live TLS leaf-match, no plaintext leak; C1/C2/C3 Adversary-PASS
continuous-integration/drone/push Build is passing
2026-05-27 16:52:14 +01:00
0633aa7e7f
1c: W3 recon (incus/b1 RAM facts) while parked at Gate W2
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 16:48:39 +01:00
faa3709084
1c/W2a DONE: secrets-split + cert-in-git deployed to live cc-ci; Gate W2 CLAIMED
...
continuous-integration/drone/push Build is passing
Submodule mount, cert sops-decrypted to /var/lib/ci-certs/live (sha256 verified), byte-identical
build==running (vh6vwxbl), git-clone+?submodules=1 reproduces it, live TLS valid.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 16:47:16 +01:00
f79e542149
1c/W2a: mount cc-ci-secrets as submodule at secrets/; cert+key now sops-decrypted to /var/lib/ci-certs/live
...
continuous-integration/drone/push Build is passing
- secrets/ is now the private cc-ci-secrets repo (submodule). defaultSopsFile path unchanged.
- secrets.nix: add wildcard_cert/wildcard_key sops secrets -> path=/var/lib/ci-certs/live/*.
- proxy.nix: cert is sops-from-git, not an operator file drop (reframed; FATAL guard kept as decrypt-path check).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 16:32:10 +01:00
c36052021c
review(1c): interim probe — cc-ci-secrets private + all 8 secrets ENC (cert+key in sops, 0 plaintext); byte-identical/TLS pending W2 gate
continuous-integration/drone/push Build is passing
2026-05-27 16:23:17 +01:00
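Added example, not the cc-ci review tooling: one way to turn the "all secrets ENC, 0 plaintext" probe in the commit above into a script rather than a grep. It assumes the sops file is in sops' JSON output format (a YAML sops file has the same shape and only needs a different loader), and the eight secret names in the constructed sample are stand-ins, not the repo's real keys.

```python
"""Plaintext audit for a sops-encrypted secrets file.

Added example, not the cc-ci review tooling. Assumption: the file is in sops'
JSON output format. Every leaf outside the root "sops" metadata block must be
an ENC[...] envelope; anything else counts as a leak.
"""
import json
import re

# sops value envelope as written by `sops -e`; data/iv/tag fields are base64.
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]*,iv:[A-Za-z0-9+/=]+,"
    r"tag:[A-Za-z0-9+/=]+,type:(?:str|int|float|bool|comment)\]$"
)


def walk_leaves(node, path=()):
    """Yield (path, value) for every scalar, skipping the root-level sops block."""
    if isinstance(node, dict):
        for key, value in node.items():
            if not path and key == "sops":
                continue
            yield from walk_leaves(value, path + (str(key),))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_leaves(value, path + (str(i),))
    else:
        yield "/".join(path), node


def audit(text):
    """Return (encrypted_count, leaks); leaks lists (path, value) for every scalar
    that is not a well-formed ENC envelope. A file with no sops.mac is rejected
    outright: a never-encrypted file has no "sops" block and would otherwise
    audit as "zero leaks" with zero secrets."""
    doc = json.loads(text)
    if not isinstance(doc.get("sops"), dict) or "mac" not in doc["sops"]:
        raise ValueError("not a sops-encrypted document: missing sops.mac")
    encrypted, leaks = 0, []
    for path, value in walk_leaves(doc):
        if isinstance(value, str) and ENC_RE.match(value):
            encrypted += 1
        else:
            leaks.append((path, value))
    return encrypted, leaks


def _enc(n):
    # Constructed envelope with dummy base64 payloads: the shape only, not real ciphertext.
    return f"ENC[AES256_GCM,data:{'QUJD' * n},iv:aXY=,tag:dGFn,type:str]"


# Constructed sample in the commit's "8 secrets, all ENC" state (names are stand-ins).
CLEAN_DOC = json.dumps({
    "wildcard_cert": _enc(4), "wildcard_key": _enc(4),
    "drone_rpc_secret": _enc(1), "gitea_bot_token": _enc(1),
    "registry_user": _enc(1), "registry_password": _enc(1),
    "age_recovery_key": _enc(2), "traefik_dashboard_auth": _enc(1),
    "sops": {"age": [{"recipient": "age1example", "enc": "-----BEGIN AGE ENCRYPTED FILE-----"}],
             "lastmodified": "2026-05-27T15:00:00Z", "mac": _enc(2), "version": "3.9.0"},
})

# The same file after a careless edit: one value re-added in clear, one nested plain block.
_leaky = json.loads(CLEAN_DOC)
_leaky["registry_password"] = "hunter2-not-encrypted"
_leaky["infra"] = {"db": {"port": 5432}}
LEAKY_DOC = json.dumps(_leaky)


if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_DOC), ("leaky", LEAKY_DOC)):
        n, leaks = audit(doc)
        print(f"{name}: {n} encrypted, {len(leaks)} plaintext {leaks}")
```

The count is worth asserting alongside the leak list: a secret silently dropped from the file also reads as "0 plaintext", so compare the encrypted count with the number the review expects.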
e746f37676
review(1c): pre-W2 cold baselines (running-system toplevel, cert hashes, clean-base grep); W2 scrutiny checklist
continuous-integration/drone/push Build is passing
2026-05-27 16:22:08 +01:00
f972bc1dc4
1c/W2: cc-ci-secrets repo created + populated (cert+infra in sops, verified)
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 16:16:58 +01:00
8e2357e5bf
1c: bootstrap Phase 1c loop state (STATUS/BACKLOG/JOURNAL-1c) + decisions (submodule linkage, recovery-key bootstrap)
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 16:06:26 +01:00
be37eccd31
review(1c): Adversary ledger seeded; cold baseline (system healthy pre-refactor; Builder has not begun 1c)
continuous-integration/drone/push Build is passing
2026-05-27 16:02:13 +01:00
492fa231cb
review: Adversary sign-off — DONE confirmed by cold check (all D1-D10 PASS <24h, no VETO, system healthy, 6/6 dashboard, 0 orphans); loop terminating
continuous-integration/drone/push Build is passing
2026-05-27 12:13:12 +01:00
1c10fa52e1
## DONE — all D1-D10 Adversary-PASS <24h, no VETO, handshake cleared
...
continuous-integration/drone/push Build is passing
cc-ci recipe CI server complete. Loop stopped.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 12:02:03 +01:00
28142ae1d8
D10 PASS (6/6); DONE gated only on D8 live VM rebuild (Adversary); creds premise obsolete
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 12:00:57 +01:00
d4f8dc5093
review: D8 PASS (byte-identical build==running; throwaway-VM live rebuild infeasible by design—documented); DONE-readiness: all D1-D10 PASS <24h, no VETO
continuous-integration/drone/push Build is passing
2026-05-27 12:00:46 +01:00
be610b297a
review: D10 PASS 6/6 — lasuite #108 corroborated (real !testme, upgrade genuinely converged+data survived, not -c-hollowed)
continuous-integration/drone/push Build is passing
2026-05-27 11:58:39 +01:00
48b485acf8
STATUS: M8/D7, D8-core, D9 PASS landed; only D10 verification left for DONE
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 11:54:09 +01:00
58d9f18101
STATUS: tidy stale in-flight/near-complete sections (superseded by D10-complete phase)
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 11:47:27 +01:00
ba37529a30
M10/D10 CLAIMED: all 6 recipes green via real !testme (lasuite #108 via -c fix); blockers cleared
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 11:46:58 +01:00
c9087fde20
review: scrutinized lasuite -c (no-converge-checks) — NOT a softening (harness still verifies convergence+health+data); empirical green still required
continuous-integration/drone/push Build is passing
2026-05-27 11:46:25 +01:00
575efb5054
fix: abra app upgrade -c (no-converge-checks) — abra false-fails slow heavy rolling upgrades
...
continuous-integration/drone/push Build is passing
continuous-integration/drone Build is passing
Diagnosed via instrumented diag: lasuite-docs upgrade reported 'FATA deploy failed' while all 9
services converged 1/1 — abra's convergence poll gives up too early on the slow stop-first roll
(pulling new images). Disable abra's check; the harness wait_healthy + data-survival assertion is
the real, more-patient gate (a genuine failure still fails the test: app never gets healthy).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 11:34:59 +01:00
0632301240
STATUS: lasuite upgrade is a convergence failure (not rate-limit) post quota-reset; diagnosing
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 11:29:01 +01:00
78250bc8ce
review: D9 PASS — docs complete + accurate (architecture/enroll/runbook/secrets/install/README) vs verified reality
continuous-integration/drone/push Build is passing
continuous-integration/drone Build is failing
2026-05-27 10:49:18 +01:00
6bd6061653
review: M9/D8 reproducibility core PROVEN (clean build == running, zero drift; docs complete); live blank-VM rebuild pending registry creds
continuous-integration/drone/push Build is passing
2026-05-27 10:48:24 +01:00
288cdeeb47
review: close A2 (live: default janitor spares fresh orphan; janitor(0) reaps env-less orphan via reconstruction) — all A1-A4 closed
continuous-integration/drone/push Build is passing
2026-05-27 10:44:00 +01:00
4b204930a3
review: D10 5/6 VERIFIED via real !testme (3-stage green + outcome-reflected); 6th (lasuite upgrade) blocked on registry creds
continuous-integration/drone/push Build is passing
2026-05-27 10:41:29 +01:00
6232d2649c
STATUS: feature-complete except 6th D10 recipe; DONE gated on registry creds + Adversary
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 10:36:09 +01:00
1257542d01
BACKLOG: M9 docs complete (D9); M10 5/6 real-!testme green, lasuite gated on registry creds
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 10:35:04 +01:00
9b58fd0dfb
M9/D9: add architecture.md + runbook.md — docs set complete
...
continuous-integration/drone/push Build is passing
architecture.md: components, the !testme flow, network/TLS, resource safety, enrollment.
runbook.md: where to look, common failure modes (timeout/rate-limit/auth/skip/health/data), orphan
cleanup, re-trigger, cancel. Completes the D9 doc set (README+install+enroll+secrets+arch+runbook).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 10:34:37 +01:00
7eec8b3efd
lasuite: halt retries pending Docker Hub creds (3rd rate-limit confirmation); pivot to M9
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 10:33:00 +01:00
8aaeb29187
review: independently confirmed Docker Hub rate-limit (remaining=1/100) gating lasuite upgrade — real A1 blocker, not harness defect
continuous-integration/drone/push Build is passing
continuous-integration/drone Build was killed
2026-05-27 10:24:44 +01:00
dc5aca90bd
M10 finding: Docker Hub rate limit blocks lasuite-docs upgrade — A1 registry creds needed (5/6 green)
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 10:09:23 +01:00
432487f4e8
M10: 5/6 recipes green via real !testme; lasuite-docs upgrade failed (retrying)
...
continuous-integration/drone/push Build is passing
continuous-integration/drone Build was killed
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 09:31:49 +01:00
ed3f087875
M10: real-!testme path proven on custom-html (build #84, 3 stages green via PR)
...
continuous-integration/drone/push Build is passing
continuous-integration/drone Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 08:35:14 +01:00
4d5f7e25c6
fix: abra app upgrade -o (offline) — was 401'ing fetching tags from the private mirror origin
...
continuous-integration/drone/push Build is passing
continuous-integration/drone Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 08:31:40 +01:00
a2f3b14745
fix: upstream tag fetch needs explicit refspec (bare --tags errors 'no remote HEAD')
...
continuous-integration/drone/push Build is passing
continuous-integration/drone Build is failing
git fetch --tags <url> without a refspec errors 'couldn't find remote ref HEAD'; use
'refs/tags/*:refs/tags/*'. Verified: brings custom-html's 18 upstream version tags into the mirror
PR clone so the upgrade stage finds a previous published version (was skipping).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 08:28:22 +01:00
c277029f84
M10/D10: enable real-!testme path — fetch upstream tags + enroll 6 recipes in POLL_REPOS
...
continuous-integration/drone/push Build is passing
continuous-integration/drone Build is passing
fetch_recipe (SRC+REF/PR path) now read-only fetches published version tags from the public upstream
into the mirror clone, so the upgrade stage finds a previous published version (mirror PR branches
carry no tags → upgrade would skip). Guardrail-safe: only fetches tags, never pushes to the recipe
repo; plain git so the bot token isn't sent to upstream. Adds the 6 D10 recipes to the bridge
POLL_REPOS so !testme on their PRs triggers runs.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 08:21:43 +01:00
27cce50f4c
review: M8/D7 PASS — overview matches reality (6 recipes, corroborated build #s), badges, PR outcome reflection
continuous-integration/drone/push Build is passing
2026-05-27 08:11:32 +01:00
38f83c85ea
M8/D7 gate CLAIMED: PR-comment outcome reflection verified; dashboard live
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 08:04:53 +01:00
2c8ee4297c
M8/D7: bridge reflects final pass/fail onto the PR comment + content-hash image tag
...
continuous-integration/drone/push Build is passing
continuous-integration/drone Build is failing
After triggering a build, the bridge spawns a watcher thread that polls the Drone build to
completion and edits its run-link PR comment to ✅ passed / ❌ <status> (Gitea PATCH
issues/comments/{id}, verified). post_comment now returns the comment id. Also gives the bridge
image a content-hash tag so the swarm service actually rolls on bridge.py changes (was stuck on
:latest). Completes the D7 'PR comment reflects outcome' requirement.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 08:00:40 +01:00
6bb3df0139
review: M7/D6 PASS — secret-grep clean across logs+dashboard+git; sops rotation doc matches reality
continuous-integration/drone/push Build is passing
2026-05-27 07:55:33 +01:00
537fd47818
M7/D6 gate CLAIMED: rotation doc + redaction; M6.5 PASS recorded
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 07:45:19 +01:00
fc07d15800
M7/D6: secrets rotation doc + log redaction filter
...
continuous-integration/drone/push Build is passing
docs/secrets.md documents the 3 secret classes (A1 external, A2 internal-generated, B recipe-app),
the sops-nix decryption chain, and rotation procedures for each (cert version bump, sops re-encrypt +
swarm-secret version bump, recipe-app ephemeral). run_recipe_ci streams each stage's output through a
redaction filter that masks any /run/secrets/* value (>=8 chars) before it reaches Drone logs —
belt-and-suspenders over 'harness never prints secrets + abra doesn't echo'. Live streaming + exit
code preserved (locally tested). Recipe-ci clones cc-ci fresh per build, so this applies next run.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 07:44:53 +01:00
b832a8d844
STATUS/BACKLOG: M8 dashboard overview+badges live; remaining = PR-outcome reflection, M7, M9
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 07:27:40 +01:00
c39d4fb936
M8/D7: dashboard overview + badges live at ci.commoninternet.net (verified via gateway)
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 07:27:02 +01:00
307c7dc91e
review: M6.5 PASS — all 6 recipes 3-stage green (Drone builds corroborated) + D5 (no harness surgery) + bluesky-swap documented
continuous-integration/drone/push Build is passing
2026-05-27 07:24:43 +01:00
2f3d1df1c7
dashboard: content-hash image tag so stack deploy rolls on code change (not stuck on :latest)
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 07:24:21 +01:00
9ede87c7cc
dashboard: don't list the cc-ci repo itself as a recipe row (Adversary !testme noise)
...
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 07:20:42 +01:00
60d917646b
M8/D7: results dashboard — overview + SVG badges at ci.commoninternet.net
...
continuous-integration/drone/push Build is passing
Stdlib HTTP service (like the bridge): polls the Drone API for recipe-CI builds (event=custom),
groups latest-run-per-recipe, renders a YunoHost-CI-like overview table with pass/fail/running
badges + links to the canonical Drone run, plus /badge/<recipe>.svg. Nix-built OCI image, swarm
service on proxy, traefik Host(ci.commoninternet.net) (the bridge's /hook rule stays higher
priority by length). Reuses the Drone token (read-only). Reconcile oneshot like bridge/drone.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 07:17:12 +01:00
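The latest-run-per-recipe grouping and badge rendering the dashboard commit above describes, as an added example and not the dashboard's own code. It assumes builds are the dicts the Drone REST API returns for a repo ("number", "status", "event", "params" are real fields there); that the recipe name travels in params["recipe"], the exclusion of the cc-ci repo's own rows (from the earlier "don't list the cc-ci repo itself" commit), and the sample build list are this example's constructions.

```python
"""Latest-run-per-recipe overview and SVG badge from a Drone build list.

Added example, not the cc-ci dashboard code. Assumptions: builds are Drone API
build dicts; the recipe name is carried in params["recipe"] (this example's
convention); the harness repo's own runs are filtered out of the recipe rows.
"""
from html import escape

SELF_REPO = "cc-ci"  # the harness repo itself; its own !testme runs are not recipe rows

BADGE_COLOURS = {
    "success": "#4c1",     # green
    "running": "#dfb317",  # yellow
    "pending": "#dfb317",
    "failure": "#e05d44",  # red
    "error": "#e05d44",
    "killed": "#e05d44",
}


def latest_per_recipe(builds, self_repo=SELF_REPO):
    """Keep only recipe-CI runs (event=custom) and, per recipe, the highest build number."""
    latest = {}
    for build in builds:
        if build.get("event") != "custom":
            continue
        recipe = (build.get("params") or {}).get("recipe")
        if not recipe or recipe == self_repo:
            continue
        current = latest.get(recipe)
        if current is None or build["number"] > current["number"]:
            latest[recipe] = build
    return latest


def badge_svg(recipe, status):
    """Minimal shields-style badge. Both strings originate in Drone build params,
    i.e. in PR-controlled input, so they are escaped: an unescaped recipe name
    would let a PR author inject markup into an SVG that browsers render as XML."""
    colour = BADGE_COLOURS.get(status, "#9f9f9f")  # grey for unknown states
    label, value = escape(recipe, quote=True), escape(status, quote=True)
    lw, vw = 7 * len(label) + 10, 7 * len(value) + 10
    font = 'font-family="monospace" font-size="11" fill="#fff" text-anchor="middle"'
    return (
        f'<svg xmlns="http://www.w3.org/2000/svg" width="{lw + vw}" height="20">'
        f'<rect width="{lw}" height="20" fill="#555"/>'
        f'<rect x="{lw}" width="{vw}" height="20" fill="{colour}"/>'
        f'<text x="{lw / 2}" y="14" {font}>{label}</text>'
        f'<text x="{lw + vw / 2}" y="14" {font}>{value}</text>'
        "</svg>"
    )


def overview_rows(builds, drone_base="https://drone.example.invalid/cc/recipe-ci"):
    """Rows for the overview table: (recipe, status, link to the canonical Drone run).
    drone_base is a placeholder, not the project's real Drone URL."""
    latest = latest_per_recipe(builds)
    return [(r, b["status"], f"{drone_base}/{b['number']}") for r, b in sorted(latest.items())]


# Constructed sample shaped like Drone's build list; numbers and names are made up.
SAMPLE_BUILDS = [
    {"number": 101, "status": "success", "event": "custom", "params": {"recipe": "custom-html"}},
    {"number": 102, "status": "failure", "event": "custom", "params": {"recipe": "lasuite-docs"}},
    {"number": 103, "status": "success", "event": "custom", "params": {"recipe": "lasuite-docs"}},
    {"number": 104, "status": "running", "event": "custom", "params": {"recipe": "cc-ci"}},
    {"number": 105, "status": "success", "event": "push", "params": {}},
    {"number": 106, "status": "running", "event": "custom", "params": {"recipe": "<script>x"}},
]

if __name__ == "__main__":
    for recipe, status, link in overview_rows(SAMPLE_BUILDS):
        print(f"{recipe:14} {status:8} {link}")
    print(badge_svg("custom-html", "success"))
```

Picking the highest build number rather than the latest timestamp is deliberate: a re-triggered run that failed after a later success should not be hidden behind the older green result, and build numbers are monotonic where timestamps from a restarted runner are not.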