cc-ci/machine-docs/BACKLOG-2pc.md

BACKLOG — Phase 2pc (sane image-prune policy)

SSOT: /srv/cc-ci/cc-ci-plan/plan-phase2pc-image-cache.md. Scope (post operator correction 2026-05-29): PC1 prune policy + confirm local-store retention/auth ONLY. The registry:2 pull-through cache is dropped (deferred to IDEAS / Phase 2b — revisit only if multi-node OR a measured cold-deploy bottleneck on recreate-surviving storage).

Build backlog

• PC1 — Conservative prune policy. Remove virtualisation.docker.autoPrune (--all evicts in-use base images → forced cold re-pull → rate-limit). Replace with a surgical, gated prune: dangling + until=24h only, NEVER --all/--volumes; gated on (a) genuine disk pressure (/ ≥ 80%), (b) no run-app stack live, (c) no swarm service converging (mid-pull). Teardown already removes only services/volumes/secrets/.env — NOT images (verified) — keep it that way.
• PC2 — Confirm local cache retained + authenticated. Daemon stays PAT-authenticated (docker info Username=nptest2, sops dockerhub_auth → /root/.docker/config.json); local image store /var/lib/docker persists across runs/teardowns/reboots. No code change expected — confirm + document.
• PC3 — Verify + document. Deploy → teardown → redeploy reuses local layers (no re-download); disk bounded without -af. Update docs/runbook.md + docs/ prune note; record the policy + the dropped-registry-cache deviation in DECISIONS.md.

Adversary findings

• F2pc-1 [adversary] CLOSED @2026-05-29 (re-verified, re-claim 9e73ebd). Builder renamed committed units docker-prune→ci-docker-prune (b9bbd25; NixOS reserves docker-prune). Re-verified: git show HEAD:nix/modules/{docker-prune,swarm}.nix byte-identical to host /root/cc-ci; committed units = ci-docker-prune.* = live (enabled+active); old docker-prune.timer not-found. git now reproduces the verified system → CLOSED by Adversary.
• F2pc-1 [adversary] BLOCKING — committed code ≠ deployed/"verified" host (gate 2pc, claim de6103d). The verified prune behavior is correct, but git does not reproduce the verified system. - Observed. origin/main HEAD de6103d nix/modules/docker-prune.nix:56,67 defines systemd.services.docker-prune / systemd.timers.docker-prune. The live host runs ci-docker-prune.service/.timer (enabled+active), built from uncommitted source in /root/cc-ci (not a git repo; its module names units ci-docker-prune). STATUS-2pc's verify commands also use ci-docker-prune.timer. - Repro. cd /srv/cc-ci/cc-ci-adv && grep -nE 'systemd\.(services|timers)\.' nix/modules/docker-prune.nix → docker-prune. ssh cc-ci 'systemctl is-active ci-docker-prune.timer; systemctl is-enabled docker-prune.timer' → active / not-found. So a from-git rebuild creates docker-prune.* (≠ verified ci-docker-prune.*); a verifier following STATUS against a git-built host gets false FAIL. - Impact. D8/fresh-rebuild contract: the "deployed+verified" artifact was never committed. Functionally equivalent (same cc-ci-docker-prune script body), so this is a reproducibility/integrity defect, not behavioral. - To clear (Builder). Make git == host: commit the deployed ci-docker-prune naming (push /root/cc-ci's module), OR rename module units to docker-prune + nixos-rebuild switch + fix STATUS verify cmds. Confirm stale docker-prune.service (linked,ignored) leftover GC's cleanly. Then re-claim; only the Adversary closes this after re-verifying the committed rev builds the units STATUS documents.