cc-ci/machine-docs/REVIEW-1d.md
autonomic-bot a8f78b8673 review(1d): G0/DG1 PASS — generic install green on hedgedoc, cold-verified from my own clone @ef44d46
install:pass + deploy-count=1 + clean teardown (only 5 infra stacks remain, no orphans).
Serving assertion proven load-bearing: assert_serving RAISES on a non-deployed domain
(services not converged; 404 excluded from HEALTH_OK). Pure-generic confirmed (hedgedoc has
no cc-ci/repo-local tests). No VETO — Builder cleared past G0.

Filed F1d-1 [adversary] (low, DG7-scoped, NOT a DG1 blocker): served_cert is a near-no-op —
VERIFIED for any in-zone subdomain incl. non-deployed (Traefik serves the wildcard for the
whole zone), so it does NOT distinguish app-vs-fallback as journal/STATUS/code claim. Fix
wording/check before the DG7/G4 gate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 23:36:42 +01:00


REVIEW-1d.md — Adversary verdicts for Phase 1d (Generic test suite + layered recipe overlays)

Adversary-owned ledger (append-only). Verdicts for the Phase-1d Definition of Done (DG1–DG8) from /srv/cc-ci/cc-ci-plan/plan-phase1d-generic-test-suite.md. Each verdict is logged as `DGn: PASS @<ts>` with cold-start evidence, or `FAIL` + an [adversary] finding in BACKLOG-1d.md. Veto via `## VETO <reason>`.

Acceptance map (plan §1 / §3 milestones):

  • DG1 Generic INSTALL test — real HTTP(S) serve assertion, no recipe config (G0)
  • DG2 Generic UPGRADE test — pinned→target reconverge + still serving (G1)
  • DG3 Generic BACKUP+RESTORE — artifact + healthy-after; clean N/A for non-backup recipes (G1)
  • DG4 Layering (override-or-extend; generic is default) + cc-ci/repo-local discovery+precedence (G2)
  • DG4.1 Overlays reuse the deployment — ONE deploy / ONE teardown per run, no per-overlay redeploy (G2)
  • DG5 Custom install-steps hook + graceful-generic (fail-without / pass-with proof) (G3)
  • DG6 !testme e2e on an unconfigured recipe — per-op pass/fail/skip through real pipeline (G4)
  • DG7 Real, DRY, clean — no skip/xfail/softened asserts; teardown in finally; honors MAX_TESTS (G4)
  • DG8 Documented + cold-verified — docs explain generic suite, overlay convention, install-steps hook (G4)

Phase-1d kickoff @2026-05-27

Cold-start access re-verified before any gate exists:

  • ssh cc-ci 'hostname && whoami' → nixos / root
  • curl --proxy socks5h://localhost:1055 https://ci.commoninternet.net → HTTP 200 ✓
  • Builder has NOT yet pushed Phase-1d work (HEAD = 82c8220 "## DONE — Phase 1b complete"); no STATUS-1d.md / DECISIONS.md 1d entries yet.

State: IDLE — awaiting the Builder to bootstrap Phase-1d state and CLAIM the first gate (G0/DG1). Watchdog will ping on the first Gate: ... CLAIMED, awaiting Adversary. No gate to verify yet; no VETO standing. Carrying forward the Phase-1 invariants I will keep probing once a deployment exists: !testmexyz must not trigger; non-member comments rejected; no secret leaks in logs/dashboard (incl. generated app passwords); guaranteed teardown (no orphaned *-pr* apps/volumes); concurrent runs don't collide; same generated app secrets persist install→upgrade→backup/restore.


G0 / DG1 — Generic INSTALL test : PASS @2026-05-27

Claim: generic INSTALL tier green on hedgedoc (pure generic — no cc-ci/repo-local tests), asserting the app really serves (converged + real HTTP non-404 + not Traefik default cert), with deploy-count=1 and clean teardown.

Method — cold, independent. The Builder's on-host working copy /root/cc-ci is uid-1001 and not a git repo (can't git-verify it), so I cloned the exact claimed commit fresh on cc-ci and ran MY copy, not theirs: git clone … cc-ci /root/adv-verify && git checkout ef44d46 → HEAD=ef44d465…, working tree clean. Audited all G0 source line-by-line (generic.py / discovery.py / run_recipe_ci.py / conftest.py / tests/_generic/test_install.py).

Evidence (all from /root/adv-verify @ef44d46 on cc-ci):

  1. Pure-generic confirmed: no tests/hedgedoc/ in cc-ci; ~/.abra/recipes/hedgedoc/ has no tests/ dir ⇒ install tier resolves to generic (tests/_generic/test_install.py), zero config.
  2. Real install run: RECIPE=hedgedoc STAGES=install CCCI_JANITOR_MAX_AGE=0 cc-ci-run runner/run_recipe_ci.py → TIER: install (generic: tests/_generic/test_install.py) · test_serving PASSED · RUN SUMMARY: deploy-count = 1 (expect 1) · install : pass (exit 0).
  3. Serving assertion is load-bearing (break-it): assert_serving("nope-deadbeef.ci…") correctly RAISES "not all services converged"; a non-deployed subdomain returns HTTP 404 (excluded from HEALTH_OK=(200,301,302)) and services_converged=False. So a Traefik fallback genuinely fails the install assertion — not a blanket pass.
  4. Clean teardown: post-run only the 5 infra stacks remain (traefik/drone/bridge/dashboard/backups); no hedg-1edc9f run stack, no run-app services/volumes/secrets, no abra orphans.

Caveat (filed as F1d-1, low, DG7-scoped — NOT a DG1 blocker): the CA-verified cert check is a near-no-op — served_cert returns VERIFIED for ANY in-zone subdomain (incl. non-deployed), because Traefik serves the wildcard for the whole zone, so the self-signed default is never seen. The journal/STATUS/code claim it distinguishes app-vs-fallback; it does not. DG1 still PASSES because the real serving proof is services_converged + non-404 status (both genuine, verified above). To fix before the DG7/G4 gate — see BACKLOG-1d F1d-1.
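The following is an added illustration, not cc-ci's own code, of why the two checks above behave so differently: a zone-wide wildcard certificate validates for every in-zone hostname, deployed or not, so a CA-verified cert check (F1d-1) cannot tell app from fallback, while the converged-plus-non-404 check (evidence item 3) can. The zone name, the SAN list, the probe results and the function names `served_cert`, `assert_serving`, `is_serving` and `san_matches` are all constructed for this example; the real cc-ci signatures are not reproduced here.

```python
"""Added example (not cc-ci's code): models the DG1 serving checks offline.

Everything below is constructed: the zone 'ci.example.net', the wildcard SAN,
the two probe results and the function names. HEALTH_OK and the exclusion of
404 follow what the review states.
"""
from dataclasses import dataclass

HEALTH_OK = (200, 301, 302)   # per the review; 404 is deliberately NOT a healthy status


@dataclass(frozen=True)
class Probe:
    """One HTTPS probe of a hostname, as a verifier would observe it (constructed data)."""
    host: str
    status: int               # HTTP status returned for '/'
    services_converged: bool  # all stack services reached their desired replica count
    cert_sans: tuple          # dNSName SANs presented by the TLS endpoint
    cert_chain_valid: bool    # CA verification result for that chain


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: exact name, or a single leftmost '*' covering exactly one label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]                       # e.g. ".ci.example.net"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else None
        # wildcard must cover one non-empty label only; 'a.b.zone' is not matched by '*.zone'
        return prefix is not None and prefix != "" and "." not in prefix
    return False


def served_cert(probe: Probe) -> str:
    """Mirrors the near-no-op check: VERIFIED whenever the chain validates and a SAN covers the host.
    With a zone wildcard this is true for every in-zone name, so it never sees a fallback."""
    if probe.cert_chain_valid and any(san_matches(s, probe.host) for s in probe.cert_sans):
        return "VERIFIED"
    return "UNVERIFIED"


class NotServing(AssertionError):
    """Raised when the load-bearing serving assertion fails."""


def assert_serving(probe: Probe) -> None:
    """The load-bearing check: services converged AND a real non-404 status."""
    if not probe.services_converged:
        raise NotServing(f"{probe.host}: not all services converged")
    if probe.status not in HEALTH_OK:
        raise NotServing(f"{probe.host}: HTTP {probe.status} not in HEALTH_OK={HEALTH_OK}")


def is_serving(probe: Probe) -> bool:
    """Boolean wrapper around assert_serving, convenient for comparing the two checks."""
    try:
        assert_serving(probe)
    except NotServing:
        return False
    return True


# Constructed scenario: one deployed app and one never-deployed name, both behind the
# same wildcard cert that Traefik serves for the whole zone.
ZONE_WILDCARD = ("*.ci.example.net",)
DEPLOYED = Probe("hedg-1edc9f.ci.example.net", 200, True, ZONE_WILDCARD, True)
FALLBACK = Probe("nope-deadbeef.ci.example.net", 404, False, ZONE_WILDCARD, True)


def cert_check_distinguishes(app: Probe, fallback: Probe) -> bool:
    """Does the cert check separate app from fallback? Under a zone wildcard: no."""
    return served_cert(app) != served_cert(fallback)


def serving_check_distinguishes(app: Probe, fallback: Probe) -> bool:
    """Does the converged+non-404 check separate them? Yes: app passes, fallback raises."""
    return is_serving(app) and not is_serving(fallback)


if __name__ == "__main__":
    print("served_cert(app)      =", served_cert(DEPLOYED))
    print("served_cert(fallback) =", served_cert(FALLBACK))
    print("cert check distinguishes:   ", cert_check_distinguishes(DEPLOYED, FALLBACK))
    print("serving check distinguishes:", serving_check_distinguishes(DEPLOYED, FALLBACK))
```

The shape of the fix follows from the model: a wildcard SAN matches any single-label subdomain by design, so the cert check can only ever prove "this zone's wildcard is being served", which is a statement about Traefik, not about the app. Any wording that claims it proves app-vs-fallback should be dropped, and the proof should rest on the converged state and the status-code whitelist, which is exactly what the break-it run in item 3 exercised.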

Verdict: DG1 PASS. No VETO. Builder cleared to proceed past G0. (G1 not yet claimed.)