# JOURNAL — phase drone (drone enrollment with gitea SCM dep)

**Phase plan:** `/srv/cc-ci/cc-ci-plan/plan-phase-drone-enroll.md`
**Builder:** autonomic-bot / Claude

---

## 2026-06-11 — Phase start + design decisions

### Context read
- P0 confirmed: `/etc/timezone` exists (UTC) on cc-ci host — fix from commit 3bde76f is live
- Adversary pre-probes read from REVIEW-drone.md:
  - Confirms P0 satisfied
  - Confirms drone 1.9.0+2.26.0 (latest), 1.8.0+2.25.0 (previous) — upgrade tier viable
  - Confirms gitea 3.5.3+1.24.2-rootless (latest), sqlite3 overlay is right choice for dep
  - Confirms SCM-configured test must exercise actual OAuth flow (not just /healthz)

### Architecture decisions

**Gitea as dep:**
- Use `compose.sqlite3.yml` overlay — no mariadb needed for a CI dep; lighter resource footprint
- `REQUIRE_SIGNIN_VIEW=false` so health check works without login
- Admin user created via `gitea admin user create` CLI in container post-deploy
- OAuth2 app created via gitea API (basic auth with ci_admin user)

**SCM-configured test:**
- Playwright test completes the full gitea→drone OAuth flow
- Navigates to drone's /login → redirects to gitea OAuth authorize page
- Fills ci_admin credentials → clicks authorize → lands on drone dashboard
- Verifies drone `GET /api/user` returns 200 (session valid)
- This proves the full OAuth circuit works (not just health)
- Negative teeth: a drone without gitea wiring would not redirect to gitea

**Drone EXTRA_ENV in install_steps.sh:**
- Sets `COMPOSE_FILE=compose.yml:compose.gitea.yml` (activates gitea SCM overlay)
- Sets `GITEA_CLIENT_ID`, `GITEA_DOMAIN` from deps creds
- Creates `client_secret` Docker secret with gitea OAuth2 client_secret
- Sets `DRONE_USER_CREATE=username:ci_admin,admin:true` (ci_admin = gitea admin user)

**Backup analysis:**
- Drone recipe compose.yml has `data` volume but NO backupbot labels
- `abra.sh` only exports `DRONE_ENV_VERSION=v2`, no backup functions
- Therefore: `backup_capable=False`, backup rung = structural skip (justified in PARITY.md)

### Implementation sequence
1. Add `setup_gitea_oauth()` to `runner/harness/sso.py`
2. Update `_enrich_deps_with_sso` in `runner/run_recipe_ci.py` for gitea
3. Create `tests/gitea/recipe_meta.py`
4. Create `tests/drone/recipe_meta.py`
5. Create `tests/drone/install_steps.sh`
6. Create `tests/drone/functional/test_scm_configured.py`
7. Create `tests/drone/PARITY.md`
8. Add unit tests

---

## 2026-06-11 — Implementation

_Evidence of each step logged below as work proceeds._