cc-ci/machine-docs/REVIEW-5.md
autonomic-bot 94255e91ef
Some checks failed
continuous-integration/drone/push Build is failing
chore(5): update REVIEW-5 — A5-2 fix verified correct (code), probe artifact noted
2026-05-31 13:53:54 +00:00


Phase 5 — REVIEW (Adversary)

SSOT: /srv/cc-ci/cc-ci-plan/plan-phase5-verify-upgrade-flow.md. DoD = V1–V9. State files (this phase): machine-docs/{STATUS,BACKLOG,REVIEW,JOURNAL}-5.md. DECISIONS.md shared.

This file is Adversary-owned (append-only log). Builder owns STATUS-5, JOURNAL-5.


Orientation — 2026-05-31T13:30Z

Phase 5 initiated (Adversary loop start). Current system state:

  • Phase 3: ## DONE (all R1–R8 Adversary-verified per STATUS-3.md)
  • Phase 4: not started (no STATUS-4.md exists anywhere)
  • Phase 5 Builder: not started (no STATUS-5.md exists)
  • cc-ci services: bridge (1/1), dashboard (1/1), drone (1/1), traefik (2/2) — all healthy
  • Bridge poll list: recipe-maintainers/{cc-ci, custom-html, keycloak, cryptpad, matrix-synapse, lasuite-docs, n8n, hedgedoc}
  • custom-html-tiny (the Phase 5 sandbox recipe per the plan) is NOT in the bridge poll list
  • Open PRs: custom-html-tiny PR#1 exists (chore: publish 1.0.2+2.38.0); custom-html PR#2 exists

Break-it probes initiated — 2026-05-31T13:30Z

V1 probe 1: !testmexyz on unmonitored repo (custom-html-tiny PR#1)

  • Comment #13795 posted: !testmexyz
  • Bridge does NOT poll custom-html-tiny (not in poll list)
  • Result: no trigger expected (but not a useful V1 test — wrong repo)
  • Action: re-ran probe on custom-html PR#2 (a watched repo)

V1 probe 2: !testmexyz on watched repo (custom-html PR#2)

  • Comment #13796 posted: !testmexyz on recipe-maintainers/custom-html PR#2
  • Bridge source confirmed: parse_body("!testmexyz") → (False, False) — explicitly filtered
  • After multiple 30s poll cycles: bridge logs still at 9 lines, ZERO match for "13796" or "testmexyz"
  • !testmexyz CORRECTLY IGNORED by bridge — does not trigger a Drone build ✓
  • V1 partial evidence: !testmexyz does NOT fire (confirmed cold by Adversary)

V1 auth probe: non-collaborator rejection

  • Auth endpoint verified directly: GET /orgs/recipe-maintainers/members/nonexistent-user-999 → 404
  • Bot auth: GET /orgs/recipe-maintainers/members/autonomic-bot → 204
  • Bridge source: is_authorized() returns False for 404 → triggers log("rejected: ... not authorized")
  • V1 partial evidence: non-collaborator rejection logic confirmed by source + auth endpoint test ✓

V2 probe: testme-on-pr.sh reads verdict — CRITICAL GAP FOUND

Problem: testme-on-pr.sh POST=0 on known-green custom-html PR#2 (head db9a95024e9d) returns:

VERDICT=PENDING
BUILD=?

Root cause: The script reads GET /repos/recipe-maintainers/custom-html/commits/{sha}/status → Gitea commit statuses. But the bridge NEVER posts commit statuses on recipe repo commits:

  • Bridge trigger_build() fires a Drone build on the cc-ci repo (not the recipe repo)
  • Drone posts continuous-integration/drone/push status on cc-ci commits ONLY
  • Recipe PR head SHA has ZERO commit statuses (confirmed: state: '', statuses: 0)

The bridge only posts PR comments (the YunoHost card+badge comment, U3). It does not call POST /repos/{owner}/{recipe}/statuses/{sha}.

This is the EXACT gap Phase 5 §2 anticipated: "commit status vs comment — reconcile here."

Builder fix (5d48436): Added post_commit_status() to bridge.py; calls it from:

  • process_testme(): posts cc-ci/testme: pending on build trigger ✓
  • watch_and_reflect(): posts cc-ci/testme: success/failure on build completion ✓
  • Fix uses owner, name, sha from the RECIPE repo (not the cc-ci repo) — correctly targets the recipe PR ✓

Bot permission verified: POST /repos/recipe-maintainers/custom-html-tiny/statuses/{sha} → HTTP 201 ✓ (tested directly via bot basic auth; bot has write access to org repos)

Deployment pending: Bridge NOT yet deployed (deployed hash 6377f9571f3b ≠ source hash 3761c4221042). The !testme on custom-html-tiny PR#2 (comment #13802) is pending bridge update + redeploy.

Probe artifact: I accidentally posted cc-ci/testme-adv-probe: success on custom-html-tiny PR#2 head (156a49ac) while testing permissions. Alerted Builder in BUILDER-INBOX. Impact: false-positive window before bridge deployment; clears once bridge posts real cc-ci/testme status.
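Added illustration, not the bridge's own code (its parse_body() and is_authorized() are only described above): the V1/V2 moving parts in Python against an in-memory stand-in for the Gitea endpoints named in this log. The JSON shapes, the FakeGitea fixture and the is_testme_command()/read_verdict() helpers are assumptions; the strict flag on read_verdict() shows why keying the verdict on the cc-ci/testme context alone, rather than the combined state, makes a stray context like the probe artifact harmless.

```python
import re
from typing import Callable, List, Tuple

# Gitea endpoints named on the page; JSON shapes and the fixture below are assumptions.
Http = Callable[[str, str, dict], Tuple[int, dict]]   # (method, path, json) -> (status, body)
CONTEXT = "cc-ci/testme"
_CMD = re.compile(r"^\s*!testme\s*$", re.MULTILINE)   # whole line only, so "!testmexyz" is rejected

def is_testme_command(body: str) -> bool:
    return bool(_CMD.search(body))

def is_authorized(http: Http, org: str, user: str) -> bool:
    # GET /orgs/{org}/members/{user}: 204 = member, 404 = not a member (no body either way)
    code, _ = http("GET", f"/orgs/{org}/members/{user}", {})
    return code == 204

def post_commit_status(http: Http, owner: str, repo: str, sha: str, state: str, url: str = "") -> bool:
    # Must target the RECIPE repo's head SHA, not the cc-ci commit that Drone reports on.
    body = {"state": state, "context": CONTEXT, "description": f"cc-ci {state}", "target_url": url}
    code, _ = http("POST", f"/repos/{owner}/{repo}/statuses/{sha}", body)
    return code == 201

def read_verdict(http: Http, owner: str, repo: str, sha: str, strict: bool = True) -> str:
    # strict=True keys only on our context, so a foreign context cannot turn the verdict green;
    # strict=False mirrors a reader that trusts Gitea's combined "state" field.
    code, data = http("GET", f"/repos/{owner}/{repo}/commits/{sha}/status", {})
    if code != 200:
        return "PENDING"
    if strict:
        ours = [s for s in data.get("statuses", []) if s.get("context") == CONTEXT]
        return ours[-1]["state"].upper() if ours else "PENDING"   # no status at all = the V2 gap
    return (data.get("state") or "pending").upper()

class FakeGitea:
    """Constructed in-memory stand-in for the Gitea API, enough for the functions above."""
    def __init__(self, members: List[Tuple[str, str]]):
        self.members, self.statuses = set(members), {}   # sha -> list of posted status payloads
    def __call__(self, method: str, path: str, payload: dict) -> Tuple[int, dict]:
        parts = path.strip("/").split("/")
        if method == "GET" and parts[0] == "orgs":
            return (204, {}) if (parts[1], parts[3]) in self.members else (404, {})
        if method == "POST" and parts[-2] == "statuses":
            self.statuses.setdefault(parts[-1], []).append(payload)
            return 201, payload
        if method == "GET" and parts[-1] == "status":
            sts = self.statuses.get(parts[-2], [])
            states = {s["state"] for s in sts}
            combined = "failure" if "failure" in states else "pending" if "pending" in states else ("success" if sts else "")
            return 200, {"state": combined, "statuses": sts}
        return 404, {}
```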


Adversary findings

(Tracked in BACKLOG-5.md)