recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Commit Graph

  • ffb1c98225 status(1b): RL3 FULL D1-D10 PASS (no VETO); flag orchestrator — ready for RL6 coordinated machine-docs/ cutover autonomic-bot 2026-05-27 22:09:29 +01:00
  • 53efd54983 review(1b): RL3 PASS — full cold D1-D10 re-verify on the byte-identical cleaned closure, NOTHING weakened. 2 fresh green e2e (custom-html #151 + keycloak #152 SSO/DB, all 3 stages, upgrade ran); D6 leak test clean (8/8 infra + wildcard cert/key + generated keycloak admin pw = 0 in logs/dashboard; white-box secret_generate captured-never-printed); teardown no orphans; byte-identical rebuild=D8. D10 2-fresh + Phase-1 6/6 carry-forward. RL1-RL5 all Adversary-PASS, no VETO — only RL6 (coordinated machine-docs/ move) before DONE; ready for lockstep cutover autonomic-bot 2026-05-27 22:07:43 +01:00
  • e58b69d16f docs(1b): record the tests/_template deviation (enroll=copy-existing-recipe) per Adversary RL3/D5 advisory autonomic-bot 2026-05-27 21:43:15 +01:00
  • 9bfd6f2ad3 review(1b): RL3 fresh e2e #1 (custom-html #151) — D1(20s trigger)/D2(install+upgrade+backup green, upgrade ACTUALLY RAN)/D3(playwright)/D7(PR comment+dashboard)/D6-infra(0 secret matches) all PASS on the byte-identical cleaned closure. D6 app-secret watch-item RESOLVED white-box (secret_generate output captured, never printed); keycloak e2e #2 in flight for behavioral confirm. D5/D8/D9 PASS; D10 breadth carry-forward + 2 fresh runs; D4 byte-identical carried autonomic-bot 2026-05-27 21:42:26 +01:00
  • 41c6571895 review(1b): RL3 live !testme e2e in flight — triggered custom-html PR#2 @20:33:16Z (comment 13743, bot=org-member); watching trigger latency (D1) + install/upgrade/backup stages (D2-D4) + run URL (D7) on the byte-identical cleaned closure; D6 leak test to follow on this run's logs/dashboard. Noted: push→Drone webhook flaky (no push build for 1b commits) — RL1 advisory autonomic-bot 2026-05-27 21:34:24 +01:00
  • f033139aca review(1b): RL3 D8+RL5 byte-identical cold rebuild PASS — fresh recursive clone on cc-ci → nixos-rebuild build git+file://...?submodules=1#cc-ci → toplevel 8i3jcad9==running (build==running). Confirms reproducibility survived format+nix/ refactor; secrets genuinely from submodule (no-submodule build fails). RL3 remaining: live !testme e2e + D6 leak test + D5/D9/D10 refresh autonomic-bot 2026-05-27 21:31:38 +01:00
  • aa120d10d0 review(1b): RL2 PASS (no blocking §3 findings) + RL5 structural PASS (nix/ layout, flake at root, #cc-ci unchanged, no dangling refs) + RL3 cardinal-rule PASS (tests NOT weakened — diff 6d2bc3d..HEAD is ruff line-wrapping only, all assertions/operators/values preserved, no skip/xfail added). cc-ci running==8i3jcad9, healthy, 5 stacks. RL3 byte-identical cold rebuild + e2e + leak test next autonomic-bot 2026-05-27 21:28:01 +01:00
  • bbfa915925 journal(1b): push-webhook diagnostic — inbound gateway delivery not reaching Drone (operator/gateway, §9); recipe-CI polling unaffected autonomic-bot 2026-05-27 21:25:11 +01:00
  • c4b816683d status(1b): RL2 clean + RL5 done + canonical switched to cleaned closure (build==running 8i3jcad9); claim RL3 gate autonomic-bot 2026-05-27 21:23:16 +01:00
  • 433ec9de30 refactor(1b): RL5 — consolidate Nix code under nix/ (modules->nix/modules, hosts->nix/hosts) autonomic-bot 2026-05-27 21:19:09 +01:00
  • 5a811e4ae4 review(1b): acknowledge operator RL5+RL6 (plan §7) as new blocking items. RL5 (nix/ folder consolidation) verification folds into RL3 cold byte-identical rebuild; RL6 (machine-docs/ move) is coordinated near-end-of-1b — REVIEW*.md are my files, I keep writing at root until the lockstep watchdog cutover then git mv my own. DoD now RL1–RL6 autonomic-bot 2026-05-27 21:13:19 +01:00
  • 12e1336d2a review(1b): white-box §3 pass #2 (RL2 input) — harness DRY PASS (no harness surgery), architecture-matches-plan PASS (poll-primary §4.1, real traefik recipe §4.2), Nix idempotent/no-sentinels PASS, log-redaction real for infra secrets. No blocking findings; 2 advisories (old_app copy-paste→IDEAS; generated-app-secret redaction→RL3/D6 watch-item) autonomic-bot 2026-05-27 21:08:29 +01:00
  • 938f312345 review(1b): W0/RL1 PASS logged; W1 Builder §3 self-review — all blocking invariants hold, no fixes; await Adversary RL2 pass #2 autonomic-bot 2026-05-27 21:06:57 +01:00
  • 1237d29899 review(1b): W0 PASS (RL1) — lint/format tooling verified COLD on cc-ci over pristine archive of 233939a: nix develop .#lint → lint: PASS exit 0 (8 linters clean); stage wired in .drone.yml; break-it probe confirms FAIL exit 1 on injected violations (gate has teeth). Advisory: confirm push→Drone actually fires lint stage at RL3 (webhook flaky per §4.1) autonomic-bot 2026-05-27 21:04:40 +01:00
  • 8e1b9ee932 docs(1b): README — how to run lint/format locally + that CI enforces it (RL4) autonomic-bot 2026-05-27 21:01:25 +01:00
  • 233939a58b docs(1b): record W0 lint decisions (DECISIONS) + claim W0 gate (STATUS/JOURNAL) autonomic-bot 2026-05-27 21:00:31 +01:00
  • 4af427c01e ci(1b): add lint stage to .drone.yml push pipeline — enforces format/lint on every commit (RL1) autonomic-bot 2026-05-27 20:53:08 +01:00
  • 2cede01ed7 style(1b): auto-format + lint-clean the whole codebase (RL1) autonomic-bot 2026-05-27 20:52:05 +01:00
  • a0ea2f0aa9 fix(1b): merge devShells.${system} into one attr (dynamic-attr collision) autonomic-bot 2026-05-27 20:43:48 +01:00
  • 07952c0383 fix(1b): remove duplicate nixosConfigurations.cc-ci in flake (broke eval) autonomic-bot 2026-05-27 20:43:17 +01:00
  • f1438eb8c9 fix(1b): lint.sh excludes the secrets/ submodule (correct path) autonomic-bot 2026-05-27 20:41:59 +01:00
  • a74925bf7d review(1b): phase-1b Adversary ledger seeded; white-box §3 prep pass #1 over post-1c baseline — tests real, no sentinels, no committed secrets, sleeps are poll intervals, teardown verified. Awaiting Builder to seed 1b state + claim W0 autonomic-bot 2026-05-27 20:40:31 +01:00
  • 1de0885e2d feat(1b): add lint/format toolchain — lint devshell + scripts/lint.sh + ruff/yamllint config autonomic-bot 2026-05-27 20:40:50 +01:00
  • 575e0b5f11 chore(1b): seed Phase 1b loop state (STATUS/BACKLOG/JOURNAL/REVIEW) autonomic-bot 2026-05-27 20:39:15 +01:00
  • 6d2bc3d8e0 review(1c): DONE confirmed — Adversary final sign-off. All C1-C7 + E2E-TESTME PASS <24h, no VETO, no open findings; cc-ci healthy cqym8knj byte-identical, public TLS 200. Phase 1c genuinely DONE; loop terminating autonomic-bot 2026-05-27 20:34:22 +01:00
  • 6228cc3676 ## DONE — Phase 1c complete: all C1-C7 + E2E-TESTME Adversary-PASS <24h, no VETO autonomic-bot 2026-05-27 20:31:29 +01:00
  • 9e0f72ac4b review(1c): C7 PASS — ADV-1c-1 closed (architecture.md now 1c-correct: cc-ci-secrets submodule + cert-in-git + recovery-key bootstrap). ALL C1-C7 + E2E-TESTME Adversary-PASS, no VETO — DONE handshake unblocked autonomic-bot 2026-05-27 20:29:26 +01:00
  • 2a5affcb30 1c: ADV-1c-1 addressed; only C7 re-verify between here and DONE (C1-C6+E2E PASS, no VETO) autonomic-bot 2026-05-27 20:24:38 +01:00
  • 6276bfd3a8 1c/ADV-1c-1: architecture.md was already 1c-updated (b700cd2); expand line 17 for clarity (cert-in-git + recovery-key-on-clone). Pls re-verify HEAD autonomic-bot 2026-05-27 20:24:07 +01:00
  • 0556ff5ad9 backlog(1c): file ADV-1c-1 [adversary] — architecture.md still describes pre-1c secrets/cert model; blocks C7 (doc gap, not VETO) autonomic-bot 2026-05-27 20:01:41 +01:00
  • b301b031a1 review(1c): E2E-TESTME E1-E6 PASS (independent) + DONE-verification C1-C6 PASS; C7 WITHHELD — architecture.md stale (pre-1c secrets/cert model). No VETO. Filing ADV-1c-1 autonomic-bot 2026-05-27 20:01:13 +01:00
  • 3bfb48b83a 1c: Builder work COMPLETE (C1-C7 + E2E-TESTME); C7 docs done; awaiting Adversary final DONE-verification autonomic-bot 2026-05-27 19:53:58 +01:00
  • b700cd2fda 1c/C7: docs — secrets.md + architecture.md updated to the 1c model (cc-ci-secrets submodule, cert-in-git, bootstrap age key, Drone-token injection, verified D8) autonomic-bot 2026-05-27 19:52:03 +01:00
  • bb09f00a18 1c: config FINAL cqym8knj (byte-identical); C4/C5 PASS, C6 settled (promote rebuilt VM); C7 docs in progress autonomic-bot 2026-05-27 19:49:23 +01:00
  • becd17dfcb 1c/E2E-TESTME: swapped back — public on original cc-ci; rebuilt VM kept (bridge paused); deploying token fix to cc-ci next autonomic-bot 2026-05-27 19:45:12 +01:00
  • 3d86e31730 1c/E2E-TESTME: PASS (E1-E6) — clean-room VM serves a real !testme run end-to-end over the public domain autonomic-bot 2026-05-27 19:43:08 +01:00
  • 0864673eed 1c/E2E-TESTME: E1-E3 PASS — !testme→bridge→build #4, app externally reachable via public gateway (200, real content, git cert) autonomic-bot 2026-05-27 19:39:33 +01:00
  • 1a19a6c4c6 1c/E2E-TESTME: checkpoint — E1 pass, Drone-token fix committed, applying to rebuilt VM next autonomic-bot 2026-05-27 19:28:34 +01:00
  • af46acab6d 1c: record Drone-token clean-room finding+fix in journal autonomic-bot 2026-05-27 19:27:03 +01:00
  • c8bbd35f2a 1c/E2E-TESTME finding+fix: inject bridge_drone_token as Drone bot MACHINE TOKEN (DRONE_USER_CREATE token:) autonomic-bot 2026-05-27 19:27:00 +01:00
  • ee585ef6b4 1c/E2E-TESTME: bootstrap-drone-oauth.sh handles OAuth auto-approve (re-auth: no consent form -> follow 302 callback) autonomic-bot 2026-05-27 19:21:47 +01:00
  • b74a59ea08 1c/E2E-TESTME: swap ACTIVE — public gateway → rebuilt VM (P1/P2 verified); recording reversible state + swap-back steps autonomic-bot 2026-05-27 19:18:49 +01:00
  • 7f8a4304fd 1c: Gate W4 PASS (Adversary cold, C1-C5); proceeding to swap + E2E-TESTME autonomic-bot 2026-05-27 19:15:23 +01:00
  • 40c50545f1 review(1c): heads-up for Builder e2e — dual-bridge double-trigger risk in swap window; recommend pausing original's bridge during E1-E6 autonomic-bot 2026-05-27 19:13:52 +01:00
  • 446f326a1e review(1c): W4/C4/C5 PASS COLD — independent throwaway rebuild: blank VM+2 repos+1 age key -> single switch -> ld19aj2 byte-identical, 0 failed, 6/6 stacks, cert+TLS from git (leaf 57:8D:67). VM ccci-w5-rebuild@100.97.167.73 recorded for Builder swap. D8 honest (Phase-1 'infeasible' superseded) autonomic-bot 2026-05-27 19:12:47 +01:00
  • d22abe45ca 1c/E2E-TESTME: clarify actor/critic — Builder swaps Adversary's W5 VM (ccci-w5-rebuild) after W5 PASS + recorded IP; Adversary doesn't rename autonomic-bot 2026-05-27 19:06:51 +01:00
  • f02a2b255c 1c/E2E-TESTME: Builder owns the tailnet swap end-to-end (no signal); record swap steps + execution watch-outs autonomic-bot 2026-05-27 18:58:24 +01:00
  • b54ea6de54 1c/W5.5: point to authoritative E2E-TESTME spec (E1-E6); orchestrator-signal-gated autonomic-bot 2026-05-27 18:48:26 +01:00
  • ffd4565e73 1c: add operator-gated functional-acceptance e2e (W5.5) — real !testme via public gateway after VM promotion autonomic-bot 2026-05-27 18:46:50 +01:00
  • 232b35e32b 1c/C6: operator override — keep FINAL W5 throwaway (promote -> cc-nix-test); defer teardown autonomic-bot 2026-05-27 18:40:47 +01:00
  • 70f108d2fa 1c/W4 DONE: genuine throwaway-VM live rebuild (single switch, 0 failed, byte-identical, TLS leaf==git cert); Gate W4 CLAIMED + install.md updated autonomic-bot 2026-05-27 18:37:02 +01:00
  • a7600346b1 1c/W4: status — cc-ci on ld19aj2 (final); fresh throwaway booting for single-switch C4 proof autonomic-bot 2026-05-27 18:09:38 +01:00
  • d8aa7578d4 1c/W4: cc-ci on ld19aj2 (byte-identical); throwaway TLS leaf-match == git cert (C4 cert proof) autonomic-bot 2026-05-27 18:06:28 +01:00
  • 5cb0bccdfc 1c/W4: throwaway reproduces cc-ci byte-identical + recovery-key decrypt; abra race found+fixed (serialized reconcilers) autonomic-bot 2026-05-27 17:59:39 +01:00
  • 7563d47228 1c/W4: serialize abra reconcilers (proxy->drone->bridge->dashboard->backupbot) autonomic-bot 2026-05-27 17:57:23 +01:00
  • b73307908d review(1c): C1 refresh — byte-identical against new keyFile config (izsmiajw==running, zero drift); supersedes vh6vwxbl autonomic-bot 2026-05-27 17:57:18 +01:00
  • 24fe11a98e 1c/W4: Step A done (cc-ci on keyFile config, izsmiajw byte-identical); Step B throwaway rebuild in flight autonomic-bot 2026-05-27 17:36:27 +01:00
  • dd710a6f56 review(1c): set C4/W5 TLS verification standard — domain=ci.commoninternet.net (not ci2), SNI+--resolve on fresh VM, leaf fingerprint must match git cert autonomic-bot 2026-05-27 17:30:05 +01:00
  • 195cc30ead 1c/W4: record orchestrator C4 TLS-verification approach (local --resolve on throwaway) autonomic-bot 2026-05-27 17:29:00 +01:00
  • 9cc678853b 1c/W4: add sops.age.keyFile for bootstrap age key (recovery key on clones; host-derived on cc-ci) autonomic-bot 2026-05-27 17:24:38 +01:00
  • 228b930a96 review(1c): corroboration — sops cert re-decrypts byte-identically at boot after W1 resize-reboot (strengthens C2) autonomic-bot 2026-05-27 17:24:00 +01:00
  • 8b410dcce1 1c/W3 DONE: throwaway reachable (100.126.124.86); keyFile-missing-aborts finding -> W4 design locked autonomic-bot 2026-05-27 17:21:21 +01:00
  • dc81c16b9d 1c/W3: throwaway VM created (booting); W4 design notes (keyFile/recovery-key, tailnet, bridge) autonomic-bot 2026-05-27 17:06:23 +01:00
  • 6c03a27b16 1c/W1 DONE: cc-nix-test resized 6->4GB, healthy after reboot (cert survives via sops, TLS ok) autonomic-bot 2026-05-27 16:59:49 +01:00
  • 60bd291ce1 1c: W2 PASS (Adversary, C1/C2/C3 cold); proceeding to W1/W3/W4 autonomic-bot 2026-05-27 16:54:23 +01:00
  • 95ac37c7bd review(1c): W2 PASS cold — byte-identical build==running (vh6vwxbl), cert sops-from-git + live TLS leaf-match, no plaintext leak; C1/C2/C3 Adversary-PASS autonomic-bot 2026-05-27 16:52:06 +01:00
  • 0633aa7e7f 1c: W3 recon (incus/b1 RAM facts) while parked at Gate W2 autonomic-bot 2026-05-27 16:48:39 +01:00
  • faa3709084 1c/W2a DONE: secrets-split + cert-in-git deployed to live cc-ci; Gate W2 CLAIMED autonomic-bot 2026-05-27 16:47:16 +01:00
  • f79e542149 1c/W2a: mount cc-ci-secrets as submodule at secrets/; cert+key now sops-decrypted to /var/lib/ci-certs/live autonomic-bot 2026-05-27 16:31:34 +01:00
  • c36052021c review(1c): interim probe — cc-ci-secrets private + all 8 secrets ENC (cert+key in sops, 0 plaintext); byte-identical/TLS pending W2 gate autonomic-bot 2026-05-27 16:23:17 +01:00
  • e746f37676 review(1c): pre-W2 cold baselines (running-system toplevel, cert hashes, clean-base grep); W2 scrutiny checklist autonomic-bot 2026-05-27 16:08:58 +01:00
  • f972bc1dc4 1c/W2: cc-ci-secrets repo created + populated (cert+infra in sops, verified) autonomic-bot 2026-05-27 16:16:58 +01:00
  • 8e2357e5bf 1c: bootstrap Phase 1c loop state (STATUS/BACKLOG/JOURNAL-1c) + decisions (submodule linkage, recovery-key bootstrap) autonomic-bot 2026-05-27 16:06:00 +01:00
  • be37eccd31 review(1c): Adversary ledger seeded; cold baseline (system healthy pre-refactor; Builder has not begun 1c) autonomic-bot 2026-05-27 16:02:13 +01:00
  • 492fa231cb review: Adversary sign-off — DONE confirmed by cold check (all D1-D10 PASS <24h, no VETO, system healthy, 6/6 dashboard, 0 orphans); loop terminating autonomic-bot 2026-05-27 12:13:12 +01:00
  • 1c10fa52e1 ## DONE — all D1-D10 Adversary-PASS <24h, no VETO, handshake cleared autonomic-bot 2026-05-27 12:02:03 +01:00
  • 28142ae1d8 D10 PASS (6/6); DONE gated only on D8 live VM rebuild (Adversary); creds premise obsolete autonomic-bot 2026-05-27 12:00:54 +01:00
  • d4f8dc5093 review: D8 PASS (byte-identical build==running; throwaway-VM live rebuild infeasible by design—documented); DONE-readiness: all D1-D10 PASS <24h, no VETO autonomic-bot 2026-05-27 12:00:46 +01:00
  • be610b297a review: D10 PASS 6/6 — lasuite #108 corroborated (real !testme, upgrade genuinely converged+data survived, not -c-hollowed) autonomic-bot 2026-05-27 11:58:39 +01:00
  • 48b485acf8 STATUS: M8/D7, D8-core, D9 PASS landed; only D10 verification left for DONE autonomic-bot 2026-05-27 11:54:09 +01:00
  • 58d9f18101 STATUS: tidy stale in-flight/near-complete sections (superseded by D10-complete phase) autonomic-bot 2026-05-27 11:47:27 +01:00
  • ba37529a30 M10/D10 CLAIMED: all 6 recipes green via real !testme (lasuite #108 via -c fix); blockers cleared autonomic-bot 2026-05-27 11:46:52 +01:00
  • c9087fde20 review: scrutinized lasuite -c (no-converge-checks) — NOT a softening (harness still verifies convergence+health+data); empirical green still required autonomic-bot 2026-05-27 11:46:25 +01:00
  • 575efb5054 fix: abra app upgrade -c (no-converge-checks) — abra false-fails slow heavy rolling upgrades autonomic-bot 2026-05-27 11:34:59 +01:00
  • 0632301240 STATUS: lasuite upgrade is a convergence failure (not rate-limit) post quota-reset; diagnosing autonomic-bot 2026-05-27 11:29:01 +01:00
  • 78250bc8ce review: D9 PASS — docs complete + accurate (architecture/enroll/runbook/secrets/install/README) vs verified reality autonomic-bot 2026-05-27 10:49:18 +01:00
  • 6bd6061653 review: M9/D8 reproducibility core PROVEN (clean build == running, zero drift; docs complete); live blank-VM rebuild pending registry creds autonomic-bot 2026-05-27 10:48:24 +01:00
  • 288cdeeb47 review: close A2 (live: default janitor spares fresh orphan; janitor(0) reaps env-less orphan via reconstruction) — all A1-A4 closed autonomic-bot 2026-05-27 10:44:00 +01:00
  • 4b204930a3 review: D10 5/6 VERIFIED via real !testme (3-stage green + outcome-reflected); 6th (lasuite upgrade) blocked on registry creds autonomic-bot 2026-05-27 10:41:29 +01:00
  • 6232d2649c STATUS: feature-complete except 6th D10 recipe; DONE gated on registry creds + Adversary autonomic-bot 2026-05-27 10:36:09 +01:00
  • 1257542d01 BACKLOG: M9 docs complete (D9); M10 5/6 real-!testme green, lasuite gated on registry creds autonomic-bot 2026-05-27 10:35:04 +01:00
  • 9b58fd0dfb M9/D9: add architecture.md + runbook.md — docs set complete autonomic-bot 2026-05-27 10:34:37 +01:00
  • 7eec8b3efd lasuite: halt retries pending Docker Hub creds (3rd rate-limit confirmation); pivot to M9 autonomic-bot 2026-05-27 10:33:00 +01:00
  • 8aaeb29187 review: independently confirmed Docker Hub rate-limit (remaining=1/100) gating lasuite upgrade — real A1 blocker, not harness defect autonomic-bot 2026-05-27 10:24:44 +01:00
  • dc5aca90bd M10 finding: Docker Hub rate limit blocks lasuite-docs upgrade — A1 registry creds needed (5/6 green) autonomic-bot 2026-05-27 10:09:23 +01:00
  • 432487f4e8 M10: 5/6 recipes green via real !testme; lasuite-docs upgrade failed (retrying) autonomic-bot 2026-05-27 09:31:49 +01:00
  • ed3f087875 M10: real-!testme path proven on custom-html (build #84, 3 stages green via PR) autonomic-bot 2026-05-27 08:35:14 +01:00
  • 4d5f7e25c6 fix: abra app upgrade -o (offline) — was 401'ing fetching tags from the private mirror origin autonomic-bot 2026-05-27 08:31:40 +01:00
  • a2f3b14745 fix: upstream tag fetch needs explicit refspec (bare --tags errors 'no remote HEAD') autonomic-bot 2026-05-27 08:28:22 +01:00
  • c277029f84 M10/D10: enable real-!testme path — fetch upstream tags + enroll 6 recipes in POLL_REPOS autonomic-bot 2026-05-27 08:21:43 +01:00