cc-ci/machine-docs/JOURNAL-1e.md

# JOURNAL — Phase 1e (generic-harness corrections)

Append-only Builder log: what I did + verifying command/output + next.

## 2026-05-28 — Phase 1e bootstrap + orientation
- Read the phase plan (`plan-phase1e-harness-corrections.md`) + plan.md §6.1/§7/§9. Phase 1d is DONE
  (STATUS-1d ## DONE, DG1–DG8 Adversary PASS). Studied the harness: `runner/run_recipe_ci.py`
  (deploy-once orchestrator), `runner/harness/{discovery,generic,lifecycle,abra}.py`, `tests/conftest.py`,
  `tests/_generic/*`, the overlays (custom-html/keycloak/cryptpad/n8n/matrix-synapse), and
  `tests/unit/test_discovery.py`.
- Access re-verified: `ssh cc-ci 'hostname && whoami'` → `nixos` / `root`.
- Settled the three open decisions (HC1 deploy-count, HC2 allowlist, HC3 opt-out) in DECISIONS.md.
- Created STATUS-1e / BACKLOG-1e / JOURNAL-1e. Order of work: E0 (HC2) → E1 (HC3) → E2 (HC1) → E3.
- Key design notes:
  - HC3 op/assertion split: orchestrator performs each mutating op once; generic + overlay both run as
    assertions after. Op results (pre-upgrade identity, snapshot_id) passed via run-scoped
    `$CCCI_OP_STATE_FILE`. Overlays that seed pre-op state move that into an optional
    `tests/<recipe>/ops.py` (`pre_<op>(domain, meta)`); overlay `test_<op>.py` become assertion-only.
  - HC1: re-checkout PR head (recorded as recipe HEAD right after fetch) then `abra app deploy --chaos`;
    moved-assertion accepts the chaos label as proof PR-head deployed; deploy-count counts only
    `deploy_app` (app new), not the in-place chaos redeploy.

Next: E0 — implement the HC2 allowlist + discovery gate + unit tests.

## 2026-05-28 — E0 / HC2 repo-local trust gate (DONE, CLAIMED)
- Implemented the approval allowlist (`tests/repo-local-approved.txt`, default empty ⇒ default-deny)
  + centralized gate in `runner/harness/discovery.py`: `approved_recipes()`/`repo_local_approved()`/
  `_gated()`. Split overlay resolution into `resolve_overlay_op` (repo-local>cc-ci, gated) + `generic_op`
  (the floor) for HC3; kept back-compat `resolve_op` (override). `custom_tests`/`install_steps`/new
  `pre_op_hook` all route repo-local through `_gated`. Allowlist path overridable via
  `CCCI_REPO_LOCAL_APPROVED_FILE`.
- Rewrote `tests/unit/test_discovery.py` for the gate (approved-vs-not for overlay/custom/hook/pre-op +
  the generic floor + default-empty-allowlist invariant).
- Verified on cc-ci (tar-piped working tree → /root/cc-ci; cc-ci has no rsync):
    `cc-ci-run -m pytest tests/unit -q` → **8 passed in 0.06s**
  And the cc-ci-authored hook is unaffected (DG5):
    discovery.install_steps("custom-html-tiny", None) → ('cc-ci', '.../tests/custom-html-tiny/install_steps.sh')
- Committed d38a695, pushed. Gate E0/HC2 CLAIMED for Adversary.

Next: E1 (HC3) — orchestrator op/assertion split + additive generic + opt-out + overlay migration.

## 2026-05-28 — E1 / HC3 additive generic + op/assertion split (implemented + e2e verified)
- **Harness core:** `lifecycle.deployed_identity` now returns `{version,image,chaos}` (chaos label
  captured, ready for HC1). `generic.py` split: op primitives `perform_upgrade/perform_backup/
  perform_restore` (orchestrator-only, no asserts) + assertions `assert_upgraded` (serving + MOVED via
  version/image/chaos), `assert_backup_artifact`, `assert_restore_healthy`, all reading the run-scoped
  `op_state()` (`$CCCI_OP_STATE_FILE`).
- **Orchestrator** (`run_recipe_ci.py`): new `run_lifecycle_tier` = pre-op seed hook (`ops.py
  pre_<op>`, imported in-process w/ recipe dir on sys.path) → perform the op ONCE → run generic
  assertion (unless `_skip_generic`) + overlay assertion, both against the shared post-op deployment.
  Opt-out: `CCCI_SKIP_GENERIC` / `CCCI_SKIP_GENERIC_<OP>` / `recipe_meta.SKIP_GENERIC`. `_scrub`
  factored so op-failure messages are redacted too. Op primitives never call `deploy_app` ⇒
  deploy-count stays 1.
- **Tiers/overlays migrated to assertion-only:** generic `_generic/test_{upgrade,backup,restore}.py`;
  all 6 recipes' `test_{upgrade,backup,restore}.py`. Pre-op seeding (data-continuity markers + the
  backup→restore mutation) moved to per-recipe `ops.py` (`pre_upgrade/pre_backup/pre_restore`).
  install overlays unchanged (no op). No assertion weakened — every data-survival/return check kept.
- **Verified on cc-ci:**
  - `cc-ci-run -m pytest tests/unit -q` → **8 passed**; `nix develop .#lint` → **lint: PASS** (ruff
    format + check clean).
  - Full e2e `RECIPE=custom-html STAGES=install,upgrade,backup,restore,custom` → every tier ran BOTH
    generic AND overlay (additive): install(generic test_serving + overlay test_serving_and_content),
    upgrade(pre_upgrade seed → generic test_upgrade_reconverges + overlay test_upgrade_preserves_data),
    backup(pre_backup → generic test_backup_artifact + overlay test_backup_captures_state),
    restore(pre_restore → generic test_restore_healthy + overlay test_restore_returns_state).
    **RUN SUMMARY: deploy-count=1, install/upgrade/backup/restore=pass, custom=skip; no leftover
    custom-html stack (clean teardown).** Log: /root/ccci-1e-customhtml.log on cc-ci.
  - Opt-out run (`CCCI_SKIP_GENERIC=1`) in flight to show generic skipped + overlay still runs.

Next: confirm opt-out result, claim E1/HC3 gate, then E2 (HC1 chaos-to-PR-head).

## 2026-05-28 — E1 opt-out verified; gate CLAIMED
- Opt-out e2e `RECIPE=custom-html STAGES=install,upgrade,backup,restore CCCI_SKIP_GENERIC=1`:
  every tier logged `generic=skip, overlay=cc-ci`; **0** `_generic/test_*` files ran; only the 4
  cc-ci overlays ran; **deploy-count=1**; install/upgrade/backup/restore=pass; clean teardown (no
  leftover custom-html stack). Log: /root/ccci-1e-optout.log.
- HC3 proven both ways: default = generic+overlay additive on one deployment (op once); opt-out =
  generic floor skipped, overlay still runs. Gate E1/HC3 CLAIMED for Adversary.