# STATUS — phase bsky (fix bluesky-pds recipe + screenshot)

Phase SSOT: /srv/cc-ci/cc-ci-plan/plan-phase-bsky-fix.md

Gate: M1 — CLAIMED, awaiting Adversary.

## M1 claim — root cause + green fix PR + screenshot (2026-06-11T12:05Z)

### WHAT

1. Root cause proven with evidence (below).
2. Fix PR open on the recipe mirror: **recipe-maintainers/bluesky-pds PR #2**, branch
   `upgrade-0.3.0+v0.4.219`, head `f7b6c8df` — 2-line compose.yml diff (image
   `ghcr.io/bluesky-social/pds:0.4` → `0.4.219`; version label `0.2.0+v0.4` →
   `0.3.0+v0.4.219`). UNMERGED (operator merges).
3. `!testme` on the PR green through the full lifecycle via the real drone path:
   **run 427 = level 5** — install/backup_restore/functional/lint all PASS, upgrade =
   DECLARED intentional skip (justification below), clean_teardown, no_secret_leak.
4. Screenshot captured on that PR run and visually verified by me: the genuine PDS
   HTTP landing page (ASCII Bluesky logo, "This is an AT Protocol Personal Data
   Server", /xrpc/ pointer, upstream links) — real, representative, credential-free.
   No SCREENSHOT hook needed.

### Root cause

The recipe pins MOVING tag `ghcr.io/bluesky-social/pds:0.4` and overrides the entrypoint
with a script ending `exec node --enable-source-maps index.js` (relative to WORKDIR /app).
Upstream now publishes main-branch builds to `:0.4` (== `latest`, manifest
`sha256:871194d2…`, created 2026-05-30): `@atproto/pds` **0.5.1**, Node v24.15.0, service
restructured to `/app/index.ts` (CMD `node --enable-source-maps index.ts`; **no
index.js**) → crash-loop `Cannot find module '/app/index.js'`. Exact tag `0.4.219`
(newest released; ghcr digest `sha256:e0b756701c92…`) keeps the expected layout: Node
v20.20.2, `/app/index.js`, dumb-init, CMD identical to the recipe's exec line.

HOW to verify root cause (any host with ssh cc-ci):
- `ssh cc-ci 'docker run --rm --entrypoint sh ghcr.io/bluesky-social/pds:0.4 -c "node --version; ls /app; grep @atproto/pds /app/package.json"'`
  → EXPECTED v24.15.0; index.ts, NO index.js; `"@atproto/pds": "0.5.1"`
- `ssh cc-ci 'docker run --rm --entrypoint sh ghcr.io/bluesky-social/pds:0.4.219 -c "node --version; ls /app; grep @atproto/pds /app/package.json"'`
  → EXPECTED v20.20.2; index.js present; `"@atproto/pds": "0.4.219"`
- Upstream: Dockerfile@main = node:24.15-alpine3.23 + CMD index.ts;
  Dockerfile@v0.4.219 = node:20.20-alpine3.23 + CMD index.js. Registry doc:
  cc-ci-plan/upstream/bluesky-pds.md (plan repo f395247).

### Upgrade-rung justification (the "justify status either way" item)

Published versions exist (0.1.1+v0.4, 0.2.0+v0.4) but BOTH pin the republished `:0.4` →
no published version can deploy as the upgrade base anymore (negative control: run 423,
pre-harness-change, deployed base 0.1.1+v0.4 → identical MODULE_NOT_FOUND crash-loop,
install=fail, PR head never reached; run-423 recipe checkout sat at tag 0.1.1+v0.4).
Harness change e9745c8 (main): declaring the upgrade rung in recipe_meta EXPECTED_NA now
also suppresses the base deploy — single deploy = the PR head; the upgrade tier records
"skip"; derive_rungs classifies it the DECLARED intentional skip; reason fully visible in
results.json `skips.intentional` and on the card. NOT a weakening: the rung is never
reported pass; decision + re-enable path in machine-docs/DECISIONS.md (re-enable =
UPGRADE_BASE_VERSION="0.3.0+v0.4.219" once merged+published).
HOW: `cc-ci-run -m pytest tests/unit/ -q` from a cold clone of main on cc-ci →
EXPECTED 253 passed (6 new in tests/unit/test_upgrade_base.py);
`nix develop .#lint -c bash scripts/lint.sh` → EXPECTED `lint: PASS`.

### Green-run evidence (run 427, drone path)

- Trigger: PR #2 comment 14342 (`!testme`) → bridge log line
  `[poll] triggered build 427 for bluesky-pds@f7b6c8df (PR #2, comment 14342)`;
  outcome line `reflected outcome build 427 (bluesky-pds PR #2): success`; PR result
  comment 14343 "✅ passed @ f7b6c8df".
- HOW: `ssh cc-ci 'cat /var/lib/cc-ci-runs/427/results.json'` → EXPECTED level=5,
  ref=f7b6c8dfb81c, rungs install/backup_restore/functional/lint=pass + upgrade=skip,
  skips.intentional.upgrade=<declared reason>, flags clean_teardown+no_secret_leak true.
- PR-head proof: run-427 per-run recipe checkout
  (`/var/lib/cc-ci-runs/427/abra/recipes/bluesky-pds`) at `f7b6c8d chore: upgrade to
  0.3.0+v0.4.219`, compose.yml line 6 image=…:0.4.219.
- Visuals: https://ci.commoninternet.net/runs/427/summary.png (card: level 5 of 5, all
  tiers PASS, upgrade INTENTIONAL SKIP + reason, screenshot thumb, clean-teardown +
  no-secret-leak chips), …/badge.svg ("cc-ci: level 5", green),
  …/screenshot.png (the PDS landing page described above).

### WHERE

- cc-ci main @ 72b3d6c (harness change e9745c8; journal/decisions 72b3d6c).
- Mirror PR #2: https://git.autonomic.zone/recipe-maintainers/bluesky-pds/pulls/2
  (head f7b6c8df; base main b2d86ef).
- Runs: /var/lib/cc-ci-runs/427 (green, PR head), /var/lib/cc-ci-runs/423 (negative
  control, pre-change base trap).
- Upstream registry: cc-ci-plan/upstream/bluesky-pds.md @ plan-repo f395247.

## Operator summary

(to be completed at M2)