137 lines
8.8 KiB
Markdown
137 lines
8.8 KiB
Markdown
# REVIEW-dash — Adversary verdicts for phase `dash` (per-recipe run history fix)
|
|
|
|
SSOT: /srv/cc-ci/cc-ci-plan/plan-phase-dash-recipe-history.md
|
|
Gates: M1 (fix implemented + locally verified), M2 (deployed + verified live).
|
|
|
|
---
|
|
|
|
## Pre-claim independent ground truth (Adversary, @2026-06-17T16:20Z, cold)
|
|
|
|
Gathered directly from the host (`ssh cc-ci`), BEFORE any Builder claim — this is my own
|
|
baseline to verify the fix against, not the Builder's narrative.
|
|
|
|
**Run artifacts on host `/var/lib/cc-ci-runs`:**
|
|
- **432** run dirs total; **308** have a parseable `results.json`; **124** dirs have NO
|
|
parseable `results.json` (in-flight / failed-early — contain only `junit/`, `screenshot.png`,
|
|
`abra/`). The fix MUST skip these 124 gracefully (no 500).
|
|
- `results.json` schema 2 keys: `customization, finished, flags, level, lint, pr, recipe, ref,
|
|
results, run_id, rungs, schema, screenshot, skips, stages, summary_card, version`.
|
|
Fields the history needs ARE present: `recipe`, `version`, `level`, `ref`, `finished` (epoch
|
|
float timestamp), `run_id`. Status is derivable from `results`/`rungs` (per-stage pass/fail).
|
|
|
|
**Per-recipe run counts (from parseable results.json):**
|
|
```
|
|
33 plausible 24 ghost 9 mailu 6 cryptpad
|
|
33 custom-html 24 custom-html-tiny 8 lasuite-drive 3 drone
|
|
28 immich 15 mattermost-lts 8 lasuite-docs 3 custom-html-rst-bad
|
|
25 discourse 12 uptime-kuma 8 gitea
|
|
24 (ghost) 12 mumble 8 bluesky-pds
|
|
11 matrix-synapse 7 custom-html-bkp-bad
|
|
10 lasuite-meet 6 keycloak
|
|
9 n8n 6 hedgedoc
|
|
```
|
|
- `bluesky-pds` (named M2 target) → **8 runs**. `plausible`/`custom-html` → 33 (exceed a 30 cap →
|
|
good cap test). A ~30 display cap should show 8 for bluesky-pds, 30 for plausible/custom-html.
|
|
|
|
**bluesky-pds runs — newest-first BY `finished` timestamp (the correct order):**
|
|
```
|
|
run_id ref level finished
|
|
753 dcf933813df9 5 1781663348
|
|
556 f7b6c8dfb81c 5 1781301301
|
|
435 f7b6c8dfb81c 5 1781192858
|
|
427 f7b6c8dfb81c 5 1781178768
|
|
423 f7b6c8dfb81c 0 1781178063
|
|
ab-bluesky-pds-oldmain b2d86efba3f1 0 1781126338
|
|
m2rr-bluesky-pds b2d86efba3f1 0 1781123524
|
|
m2r-bluesky-pds b2d86efba3f1 0 1781121610
|
|
```
|
|
**ADVERSARIAL TRAP TO CHECK:** run ids are MIXED numeric (753,556,…) AND named
|
|
(`m2rr-bluesky-pds`, `ab-bluesky-pds-oldmain`). Sorting by `int(run_id)` would crash or misorder
|
|
the named runs; sorting lexically would put `9...` after `7...` wrongly and scatter named ones.
|
|
**Only a `finished`-timestamp sort yields the correct newest-first order.** I will verify the
|
|
deployed page matches the timestamp order above, and that 423 (older, finished 1781178063) sorts
|
|
BELOW 427 (1781178768) even though 423<427 numerically-close — and that the named runs land in
|
|
their timestamp positions, not bunched at top/bottom.
|
|
|
|
**Current (buggy) code (`dashboard/dashboard.py`):** `history_for(recipe)` returns
|
|
`[_build_row(b) for b in _custom_recipe_builds() …]`; `_custom_recipe_builds` fetches a single
|
|
Drone page `…/builds?per_page=100`. So history is capped at whatever recipe runs fall in the
|
|
latest-100 Drone window → most recipes show 1 row. Confirmed root cause matches plan §1.
|
|
|
|
**Things I will break-test on the fix:**
|
|
1. Count + order per recipe match the host artifacts (esp. bluesky-pds 8, timestamp order above).
|
|
2. The 124 unparseable dirs don't 500 and don't appear as garbage rows.
|
|
3. Path-traversal guard + `/recipe/<name>` validation preserved (try `/recipe/../..`,
|
|
`/recipe/foo%2f..`, arg injection in recipe name).
|
|
4. Overview (`/`), `/badge/<recipe>.svg`, `/runs/<id>/<file>` unchanged.
|
|
5. stdlib-only (no new imports/deps); mount stays read-only.
|
|
6. Display cap actually bounds (plausible/custom-html show cap, not 33) AND newest are kept
|
|
(not oldest) when capped.
|
|
7. Run links resolve — for named run ids too (no Drone build number for m2r*/ab-*).
|
|
|
|
---
|
|
|
|
## Verdicts
|
|
|
|
### M1: PASS @2026-06-17T16:30Z (claim 3595e80, cold-verified)
|
|
|
|
`history_for` rewritten to source per-recipe history from local `/var/lib/cc-ci-runs` artifacts
|
|
(`_local_history` scans dirs → `_results_for` → groups by recipe → sorts newest-first by `finished`,
|
|
caps at `HISTORY_CAP=30`). All checks done COLD from my own fixture (tarred the 308 real
|
|
`results.json` off the host), against my own pre-claim baseline — not the Builder's word:
|
|
|
|
- **Count + order match host exactly.** `history_for("bluesky-pds")` → 8 rows in order
|
|
`['753','556','435','427','423','ab-bluesky-pds-oldmain','m2rr-bluesky-pds','m2r-bluesky-pds']`
|
|
— IDENTICAL to my independent timestamp-derived baseline. **The mixed numeric+named id trap is
|
|
handled correctly**: sort key is `(finished, _numeric_id)` reverse; `_numeric_id` returns -1 for
|
|
named ids (no `int()` crash); 423 (older) sorts below 427 though numerically close; named runs land
|
|
in their timestamp positions, not bunched. Total parseable grouped rows **308**, 23 recipes — match.
|
|
- **Display cap bounds AND keeps newest.** plausible 33→30, custom-html 33→30; verified
|
|
`min(finished in capped) >= max(finished dropped)` (oldest 3 dropped, not newest).
|
|
- **Malformed/empty dirs skipped, no 500.** Injected EMPTYDIR / dir-with-junit-no-json /
|
|
malformed-json dir into fixture → total stayed 308, no exception, none appear as rows
|
|
(`_results_for` returns `{}` on miss/malformed; `_local_history` skips no-recipe rows).
|
|
- **Security preserved.** `_RUN_ID_RE` rejects `../..`, `foo/..`, `a b`, `x;rm`, `..%2f`, ``, `.`,
|
|
`foo;`, `<script>`; accepts `bluesky-pds`. `_results_for("../../etc/passwd")` → `{}` (realpath
|
|
guard intact). Unchanged from before.
|
|
- **No regression to other routes.** `latest_per_recipe` / `_custom_recipe_builds` (overview + badge
|
|
source) untouched; only the history page changed source. Row-key parity: `_local_history_row` emits
|
|
the IDENTICAL 10 keys as `_build_row`, so `render_history` is unchanged.
|
|
- **stdlib-only.** Imports unchanged: html, json, os, re, sys, time, urllib, http.server. No new deps.
|
|
- **Renders.** `render_history("bluesky-pds", …)` → 5384 bytes, 8 data rows; numeric ids link to
|
|
Drone build, named ids link to `/runs/<id>/summary.html` — all four checked artifacts exist on host.
|
|
- **Unit suite: 13 passed** (incl. new `test_history_sourced_from_local_artifacts`).
|
|
|
|
No defects. M1 verified. (Consulted JOURNAL-dash.md only AFTER writing this verdict — no new concerns.)
|
|
M2 (deploy + live verify) not yet claimed.
|
|
|
|
### M2: PASS @2026-06-17T16:40Z (claim 4c0b289, cold-verified live)
|
|
|
|
Dashboard redeployed with the M1 fix; per-recipe history verified on the LIVE site
|
|
(`https://ci.commoninternet.net`). All probes run cold against the live service + re-derived host
|
|
ground truth (host now 439 dirs / 23 recipes — re-counted fresh, not trusting the claim):
|
|
|
|
- **Deployed image rolled + healthy.** `docker service ls` → `1/1 cc-ci-dashboard:11ac2a1e6c07`
|
|
(the M1 content-hash tag, rolled from `15addbc7bf45`). The live page serving 8 bluesky-pds rows
|
|
incl. named ids is conclusive proof the NEW code is live (the old Drone-slice code could not).
|
|
- **Live counts = host counts.** bluesky-pds **8**=8, ghost **24**=24, immich **28**=28,
|
|
discourse **25**=25; plausible **30** and custom-html **30** correctly capped from 33. All match my
|
|
freshly re-derived host per-recipe counts.
|
|
- **Live order matches host timestamp order (mixed-id trap).** `/recipe/bluesky-pds` rows in exact
|
|
order `753 556 435 427 423 ab-bluesky-pds-oldmain m2rr-bluesky-pds m2r-bluesky-pds` — identical to
|
|
my baseline. Per-row status/level/version also match: 753/556/435/427 = success L5; 423 + the three
|
|
named runs = failure L0; refs correct.
|
|
- **Cap keeps NEWEST live.** `/recipe/plausible` top row = run **758**, which IS the host's newest
|
|
plausible run by `finished` (1781665203). Oldest dropped, not newest.
|
|
- **Other routes intact.** overview `/` → 200, `/badge/bluesky-pds.svg` → 200; overview still
|
|
latest-per-recipe (Drone-sourced, unchanged).
|
|
- **Security intact live.** Traversal/injection rejected at the live edge: `..%2f..%2fetc%2fpasswd`
|
|
→ 404, `%2e%2e%2f%2e%2e` → 404 (no `root:` leak); `;`-injection → 404. The only 200s are harmless:
|
|
`../..`/`%2e%2e` normalize to `/` (overview, no file content), and a valid-format-but-unknown name
|
|
renders an empty history (0 rows). `_RUN_ID_RE` + realpath guards hold.
|
|
- **Retention adequate (independently confirmed).** `grep -rniE cc-ci-runs nix/` shows NO
|
|
rm/find-delete/prune/maxage/tmpfiles trim — nothing reaps `/var/lib/cc-ci-runs`. 439 dirs span
|
|
2026-05-31 → 2026-06-17. No growth cap needed now (recorded in DECISIONS).
|
|
|
|
No defects. **M1 + M2 both fresh PASS, no VETO** → Builder may write `## DONE`.
|