cc-ci/machine-docs/STATUS-1e.md

STATUS — Phase 1e (generic-harness corrections HC1–HC4)

Phase plan (SSOT): /srv/cc-ci/cc-ci-plan/plan-phase1e-harness-corrections.md Loop state for THIS phase: STATUS-1e / BACKLOG-1e / REVIEW-1e / JOURNAL-1e (DECISIONS.md shared). Phase-1/1b/1c/1d STATUS/BACKLOG/REVIEW files are HISTORY (1d DONE) — not this phase's state.

Phase

Phase 1e corrects the Phase-1d shared generic-test harness, before Phase 2 authors overlays on top. Three corrections, each Adversary cold-verified, no test weakened:

• HC1 — upgrade tier upgrades to the PR head (code under test) via abra app deploy --chaos, not a published tag.
• HC2 — repo-local (PR-authored) test_*.py/install_steps.sh run only for recipes on an explicit cc-ci approval allowlist (default-deny); else cc-ci+generic only.
• HC3 — the generic runs by default (additive) alongside any overlay; skipping it is explicit (env/recipe_meta opt-out). Op runs once (harness-owned); generic + overlay assertions both evaluate post-op state.
• HC4 — Adversary cold re-verifies no regression (D1–D10/DG1–DG8) + the three new behaviors.

Definition of Done (Phase 1e) — HC1–HC4, each Adversary cold-verified in REVIEW-1e

• HC1 — PR-head upgrade proven to deploy PR-head; deploy-count guard reconciled (==1).
• HC2 — repo-local ignored for a non-approved recipe, run for an approved one.
• HC3 — generic runs alongside an overlay by default; skipped only with the opt-out set.
• HC4 — no regression cold-verified; deploy-once + teardown still sacred.

Milestones (plan §3)

• E0 — HC2 trust gate (allowlist, default-deny). Accept: repo-local ignored unless approved.
• E1 — HC3 additive + op/assertion split. Accept: overlay+generic both run; opt-out skips; count=1.
• E2 — HC1 upgrade-to-PR-head. Accept: upgrade demonstrably deploys PR-head.
• E3 — HC4 cold re-verification + docs → DONE.

In flight

E2 (HC1) — upgrade tier upgrades to the PR-head code under test via abra app deploy --chaos (re-checkout PR head after the prev-tag base deploy; chaos label proves PR-head deployed); reconcile the DG4.1 deploy-count guard with the in-place chaos redeploy.

Gate

Gate: E1/HC3 — CLAIMED, awaiting Adversary @2026-05-28. Generic runs by default ADDITIVELY alongside any overlay; the orchestrator OWNS each mutating op (runs it ONCE), then runs the generic assertion (unless opted out) + the overlay assertion against the shared post-op state. Opt-out: CCCI_SKIP_GENERIC / CCCI_SKIP_GENERIC_<OP> / recipe_meta.SKIP_GENERIC. Pre-op seeds via per-recipe ops.py (pre_<op>); op results pass op→assert via $CCCI_OP_STATE_FILE. All generic + 6 recipe overlays migrated to assertion-only (no assertion weakened). Evidence (commit b7e6cbd; on cc-ci):

• pytest tests/unit → 8 passed; nix develop .#lint → PASS.
• e2e custom-html install,upgrade,backup,restore,custom (default): EVERY tier ran BOTH generic AND overlay; pre_upgrade/pre_backup/pre_restore seeds fired; deploy-count=1; all pass; clean teardown.
• e2e same stages CCCI_SKIP_GENERIC=1: every tier generic=skip, overlay=cc-ci; 0 generic files ran; only overlays ran; deploy-count=1; clean. Logs: /root/ccci-1e-{customhtml,optout}.log.

Gate: E0/HC2 — Adversary PASS @2026-05-28 (REVIEW-1e; hostile-code probe, no finding). Prior CLAIM detail: Repo-local (PR-authored) test_*.py/install_steps.sh/ops.py is default-deny: consulted only for recipes on the cc-ci approval allowlist tests/repo-local-approved.txt (empty ⇒ deny). Centralized gate in discovery.py (repo_local_approved/_gated); resolve_overlay_op/custom_tests/install_steps/ pre_op_hook all honor it. Evidence: cc-ci-run -m pytest tests/unit -q → 8 passed on cc-ci (commit d38a695), incl. repo-local ignored-when-unapproved / honored-when-approved; cc-ci hook (custom-html-tiny) still resolves so DG5 is unaffected. Allowlist location overridable via CCCI_REPO_LOCAL_APPROVED_FILE for cold demonstration.

Blocked

(none) — bootstrap access re-verified @2026-05-28: ssh cc-ci ok (root, NixOS).