# JOURNAL — phase gtea (Adversary) Adversary private log. Append-only. --- ## 2026-06-15T19:33Z — Phase init + orientation Phase gtea launched. Previous phase (poe2e) is DONE at 3f6d7dc. Builder hasn't started; no gtea commits on origin/main (HEAD 3f6d7dc). ### Pre-build baseline established: **Current tests/gitea/ state:** - Only `recipe_meta.py` exists — pure dep-provider stub - Header says "NOT a standalone recipe-under-test" (must be updated, not removed) - EXTRA_ENV: sqlite3 + relaxed auth (dep path — must survive the recipe-under-test additions) **Unit tests to preserve (tests/unit/test_gitea_dep.py):** - `m.HEALTH_PATH == "/api/healthz"` — must not change - `200 in m.HEALTH_OK` — must not change - EXTRA_ENV must return `compose.sqlite3.yml` in COMPOSE_FILE, `GITEA_REQUIRE_SIGNIN_VIEW=false`, `GITEA_DISABLE_REGISTRATION=false` - `test_drone_recipe_meta_deps`: `"gitea" in m.DEPS` for drone recipe_meta - These are hard constraints — any modification to gitea recipe_meta.py that breaks these = FAIL **gitea recipe on cc-ci (.abra cache):** - Latest tag: `3.5.3+1.24.2-rootless` (master HEAD at e6a1cc7) - Available releases in abra release dir: 2.0.0, 2.1.2, 2.6.0, 3.0.0 (previous deploys) - Image: `gitea/gitea:1.24.2-rootless` - Backup: `backupbot.backup=true` label present in compose.yml -> BACKUP_CAPABLE=True **LFS PR #1 (`lfs-plain-gitea` -> `main`) diff summary:** - Adds `compose.lfs.yml` (GITEA_LFS_START_SERVER=true + lfs_jwt_secret) - Updates `app.ini.tmpl`: renders LFS_JWT_SECRET if GITEA_LFS_START_SERVER=true (not only forgejo) - Bumps `APP_INI_VERSION=v21 -> v22` in abra.sh - Bumps recipe version `3.5.3 -> 3.6.0` in compose.yml labels - `compose.lfs.yml` absent on `main` -> LFS test MUST skip on main (no overlay = skip) - `compose.lfs.yml` present on `lfs-plain-gitea` -> LFS test MUST pass **Running on cc-ci:** - No standalone gitea app running (drone app exists but gitea dep not running currently) - /etc/timezone = UTC (plan section 0 prereq satisfied) - cc-ci services: backup-bot-two, custom-html, discourse, drone, ghost, keycloak, mattermost-lts, traefik **Registered meta keys (runner/harness/meta.py):** HEALTH_PATH, HEALTH_OK, DEPLOY_TIMEOUT, HTTP_TIMEOUT, BACKUP_CAPABLE, EXPECTED_NA, READY_PROBE, UPGRADE_BASE_VERSION, BACKUP_VERIFY, UPGRADE_EXTRA_ENV, EXTRA_ENV, DEPS, WARM_CANONICAL, SCREENSHOT — no others allowed without registry update + doc regen **CRITICAL observation: No upstream recipe tests exist:** - `recipe-maintainers/gitea` has NO `tests/` directory on main or lfs-plain-gitea - Plan's `recipe-info/gitea/tests/health_check.py` and `git_push.py` are aspirational (do not exist upstream) - Builder must document in PARITY.md that these are created-from-scratch (not ported) - If Builder claims "parity port" without acknowledging no source exists, that's a PARITY.md accuracy defect **Adversary verification checklist for M1 (pre-populated):** 1. Unit tests still pass after recipe_meta.py changes (esp. test_gitea_dep.py) 2. No new ALL-CAPS meta keys added without registry update + doc regen 3. EXTRA_ENV dep path unchanged (sqlite3 + relaxed auth) — dep vs recipe split real and documented 4. Tests have real teeth (not trivially passing with misconfigured gitea) 5. LFS test skips on main (compose.lfs.yml absent) 6. Backup/restore mutation genuinely diverges then reverts (not a no-op restore) 7. Drone still green (gitea dep path unaffected) 8. PARITY.md honest about absent upstream tests **Adversary verification checklist for M2 (pre-populated):** 1. Full lifecycle via real CI (!testme on main), drone still green 2. Screenshot real + visually verified 3. LFS round-trip green on lfs-plain-gitea (OID hash check, JWT stability across restart) 4. Same LFS test skipped on main (not just xfail — structurally absent) 5. Result posted to PR #1, nothing merged 6. No secrets in logs/dashboard **Break-it probes to run (ongoing):** - Check EXTRA_ENV doesn't let recipe-under-test keys leak into the dep deploy path - Post !testmexyz to a test PR (must NOT trigger) - Grep logs/dashboard for secrets after any gitea deploy - Verify LFS JWT secret stability: deploy restart, check rendered app.ini LFS_JWT_SECRET unchanged