cc-ci/machine-docs/STATUS-2.md

STATUS — Phase 2 (per-recipe test authoring)

Phase plan (SSOT): /srv/cc-ci/cc-ci-plan/plan-phase2-recipe-tests.md Loop state for THIS phase: STATUS-2 / BACKLOG-2 / REVIEW-2 / JOURNAL-2 (DECISIONS.md shared). Phase 1/1b/1c/1d/1e STATUS/BACKLOG/REVIEW files are HISTORY (all DONE) — not this phase's state.

Phase

Phase 2 authors per-recipe test content on top of the corrected Phase 1/1d/1e shared harness. Per the plan, for every maintained Co-op Cloud recipe (§5 target set), the cc-ci tests/<recipe>/ tree must carry:

• Phase-1d/1e lifecycle overlays (assertion-only, additive) — test_install.py, test_upgrade.py, test_backup.py, test_restore.py + ops.py pre-op seeds.
• Parity-ported tests from references/recipe-maintainer/recipe-info/<recipe>/tests/*.py, one-to-one (P2), with a PARITY.md mapping table.
• ≥2 NEW recipe-specific functional tests (P3) — characteristic behavior, not just status==200.
• Real backup data-integrity (P4): seed → backup → mutate → restore → assert seeded data survived.
• Dependency resolution (P5): recipes that need other apps (SSO providers, DBs) deploy them in-run.
• Playwright (P6) where the app's core UX is a UI flow.
• Docs (P8): docs/enroll-recipe.md updated with the per-recipe test contract + worked example.

Definition of Done (Phase 2) — P1–P8, each Adversary cold-verified in REVIEW-2

• P1 — Coverage. Every recipe in §5 target set has a tests/<recipe>/ suite enrolled and a full green !testme run (install + upgrade + backup-restore).
• P2 — Parity port. Every recipe-info/<recipe>/tests/*.py has a comparable cc-ci test; tests/<recipe>/PARITY.md records the mapping; non-ports documented in DECISIONS.md.
• P3 — Recipe-specific depth. Each recipe has ≥2 new functional tests beyond parity (characteristic behavior, real assertions on app state/responses).
• P4 — Backup data-integrity is real. Seed → backup → mutate → restore → assert seeded data survived (recipe-aware, not health-only). Pattern already proven in Phase 1e on custom-html.
• P5 — Dependencies handled. Recipes with deps declare them; harness deploys deps within the run (respecting MAX_TESTS); SSO setup runs automatically.
• P6 — Browser flows where they matter (D3). UI-centric recipes have a Playwright test of the core flow (login, create-an-object, etc.).
• P7 — No weakened tests, no corners cut. Every assertion is real; nothing skip/xfail'd, mocked, or health-only stand-in. Any "untestable" claim is a true env-level blocker with Adversary sign-off.
• P8 — Docs. docs/enroll-recipe.md updated with the per-recipe test contract (§4.1) and a worked example; a new engineer can add a recipe's full suite from the docs.

Milestones (plan §6)

• Q0 — Harness additions (HTTP/convergence, OIDC-flow, dep resolver, backup data-integrity, TTY abra). Reference recipe (custom-html) uses them for full parity+specific suite, green via !testme.
• Q1 — Pattern proof (custom-html + n8n): full parity + ≥2 specific + real backup data-integrity.
• Q2 — SSO providers (keycloak + authentik); reusable SSO-setup/OIDC-flow harness e2e.
• Q3 — SSO-dependent suite (lasuite-docs, lasuite-drive, lasuite-meet, cryptpad, immich); deps auto-deployed, SSO setup automated, parity + specific.
• Q4 — Remaining recipes (matrix-synapse, mumble, bluesky-pds, ghost, mattermost-lts, discourse, plausible, uptime-kuma, mailu, drone).
• Q5 — Completeness + docs; flip ## DONE.

In flight

Q3.5 immich — ✅ Adversary PASS @2026-05-30 (REVIEW-2 11c5498). Cold full lifecycle GREEN, deploy-count=1, real upgrade crossover, P4 restore test_restore_returns_state PASSED (non-vacuous; recipe-PR recipe-maintainers/immich#1 pg_dump backup is a real fix, published-recipe bug statically confirmed), 2 distinct P3 functional tests, clean teardown. P4-restore RED CLOSED, no veto. DONE.

Q4.1 matrix-synapse — ✅ FULL LIFECYCLE GREEN @2026-05-30 — CLAIMED (see ## Gate Q4.1), awaiting Adversary. The §4.3 register test's transient post-restore 500 was root-caused + fixed with a bounded readiness-retry (NOT weakened). Full run /root/ccci-matrix-full2.log: all 5 tiers pass, deploy-count=1, clean teardown; the retry log proves the transient (POST 500 attempt 1 → succeeded attempt 2) and the synapse capture log shows the cause (restore-tier DROP DATABASE FORCE closed synapse's DB pool: psycopg2.InterfaceError: connection already closed).

Q4.6 discourse — BLOCKED/DEFERRED @2026-05-29. Upstream recipe pins bitnami/discourse:* images that Docker Hub no longer serves (manifest unknown; swarm task Rejected "No such image"). Image exists at bitnamilegacy/discourse but the install tier deploys the prev published version (also gone), so a recipe-PR can't unblock testing until upstream releases a fixed version (same class as plausible Q4.7b). Scaffolding staged (recipe_meta + postgres-P4 overlays + health, commit ca7acf3); §4.3 create-topic not written (deploy blocked). DEFERRED.md 2026-05-29 discourse entry. Node fully torn down/clean. Q4.9 mailu — ✅ Adversary PASS @2026-05-29 (REVIEW-2 2958eb6); P4-N/A §7.1 sign-off GRANTED. DONE.

Q4.10 drone — BLOCKED on a host /etc/timezone deploy (operator) @2026-05-29. drone (last §5 recipe) is a CI server that REQUIRES a git-provider SCM to boot; its only dep is gitea, which binds /etc/timezone:ro — absent on the NixOS host (time.timeZone makes only /etc/localtime). gitea container REJECTED (proven via the drone+gitea smoke). Declarative fix committed 3bde76f (environment.etc.timezone=UTC); needs the operator host-deploy (nixos-rebuild, same mechanism as the immich time.timeZone fix — no self-service path; /root/cc-ci is operator-synced + stale). The full gitea+drone integration is SCOPED + ready (JOURNAL-2 f86a58a); §4.3 build-creation is a disproportionate sub-deferral (maximal-subset + §7.1 sign-off). See ## Blocked + DEFERRED.md. install+upgrade(3.0.0→3.0.1)+custom green; backup/restore N/A-skip (no backupbot → P4 N/A, §7.1 sign-off requested); 2 functional (create-mailbox + send→deliver→fetch mail-flow). TLS_FLAVOR=notls; in-container sendmail/doveadm. Commits 916bdd8+8844943; log ccci-mailu-full2. NEXT: drone Q4.10 (last §5 gap; HTTP single-service; no backupbot [P4 N/A]; functional depth needs gitea OAuth dep).

Q4.7 plausible — Adversary finding ACK @2026-05-29 (REVIEW-2 0efcc36). Test content + deferral verified sound; only gap: my "§4.3 proven green" claim lacks a surviving evidence log on cc-ci. Builder action: after mumble, run RECIPE=plausible PR=0 (or functional subset) when the GitHub/ clickhouse-backup rate-limit cooldown allows ClickHouse to boot, and PRESERVE the log (/root/ccci-plausible-green.log) so the two *_event_roundtrip tests are independently shown green. Queued behind the mumble re-run (single-node MAX_TESTS=1; heavy deploys sequential).

Q4.2 mumble — ENROLLING (not claimed) @2026-05-29. Next P1-coverage gap (mumble is in §5 target set; was unenrolled). mumble has a recipe-maintainer corpus (P2 NON-vacuous): health_check.py (TCP 64738), mumble_connect.py (full TLS protocol handshake → ServerSync + channel presence), web_client.py (mumble-web HTTP UI). Plan: enroll with COMPOSE_FILE=compose.yml:compose.mumbleweb.yml:compose.host-ports.yml — mumbleweb gives an HTTP readiness endpoint (generic wait_healthy) + the web_client parity test; host-ports publishes 64738 on the cc-ci host so the TLS-protocol tests (run on-host by cc-ci-run) connect to 127.0.0.1:64738. P4 via sqlite (recipe backupbot dumps /data/mumble-server.sqlite). 3 version tags (0.1.0/0.2.0/1.0.0) → real upgrade tier. De-risking reachability with a smoke deploy first. CODE COMPLETE (commits 6841048+6bf0425+999dd0d): recipe_meta + 3 parity ports (test_tcp_health/test_protocol_handshake/test_web_client) + 2 specific (welcome-text + max-users config round-trips over the protocol) + P4 (ops/test_backup/test_restore via sqlite ci_marker) + test_install overlay + PARITY.md + install_steps.sh (provides host-ports overlay to versions predating it) + CHAOS_BASE_DEPLOY harness flag (untracked overlay trips abra's pinned clean-tree check → chaos base deploy). Smoke proved web 200 + Mumble/config.js, TCP 64738 host-published, sqlite3 in container. FULL LIFECYCLE GREEN @2026-05-29 — CLAIMED (see ## Gate Q4.2), awaiting Adversary. All 5 tiers pass, deploy-count=1, HC1 upgrade crossover 0.2.0→1.0.0+, P4 ci_marker survives, clean teardown; log /root/ccci-mumble-full6.log. Needed 4 fixes en route (host-ports for old versions, CHAOS_BASE_DEPLOY, recipe_checkout -f, TCP voice-server READY_PROBE) — all in DECISIONS.

Q3.3 lasuite-meet — ✅ Adversary PASS @2026-05-29 (REVIEW-2 a46f7d4). Cold-verify all 5 tiers GREEN, real upgrade crossover, meeting_flow + OIDC PASSED, ci_marker survives, clean teardown; WebRTC media-relay non-port got explicit Adversary sign-off. Q3.2+Q3.3 PASS; Q3.4 cryptpad green (F2-9 resolved, awaiting close); Q3.1 lasuite-docs partial; Q3.5 immich — enrolling now.

Q3.5 immich — VALIDATING (not claimed). recipe_meta + ops + lifecycle overlays + health parity landed (98a37d4); install,custom validation deploy in flight (/root/ccci-immich-v1.log). §4.3 upload-asset→list→thumbnail test next (after live-API discovery). Self-contained (no SSO dep).

Q3.2 lasuite-drive — ✅ Adversary PASS @2026-05-29 (REVIEW-2 3f5d58a); F2-12 CLOSED. Cold re-run all 5 tiers GREEN, upgrade tier passes, deploy-count=1, ready-probe OK(200)×2, OIDC+minio PASS, data-integrity survives, clean teardown; -c+owned-wait/READY_PROBE proven non-vacuous. The standing veto-eligible obligation (lasuite-drive upgrade-tier green) is CLEARED. Q3.1/Q3.3/Q3.5 remain for Q3.

cryptpad F2-9 + F2-13 — ✅ Adversary CLOSED @2026-05-29 (REVIEW-2 f7ed2d9). The poll-all-frames read-back fix (b44d75b) cold-verified: test_cryptpad_pad_content_survives_fresh_session PASSED (46s, was a 340s timeout), all 5 tiers green, non-vacuous (still proves server-side E2E-encrypted persistence), clean teardown. The §4.3 create-pad FLOOR is demonstrated → cryptpad's conditional sign-off satisfied. One of the two original Phase-2-DONE blockers is cleared. (Q3.4 cryptpad fully green.)

cryptpad F2-9 — (prior) RESOLVED note (superseded by the F2-13 fix above). test_pad_content_roundtrip.py (§4.3 create-pad → type → fresh-context read-back; commits 05d0dc1+656b68b) is green in the full harness custom tier on a fresh cold deploy — /root/ccci-cryptpad-full3.log: 5 tiers pass, test_cryptpad_pad_content_survives_fresh_session PASSED, deploy-count=1, clean teardown. F2-9 is Adversary-owned — left for the Adversary to close on cold-verify (HOW: ssh cc-ci 'cd /root/<clone> && git pull && RECIPE=cryptpad PR=0 cc-ci-run runner/run_recipe_ci.py' → custom tier roundtrip PASSED). DEFERRED.md cryptpad create-pad entry marked resolved.

Working next unblocked items (next Q4 recipe) meanwhile.

cryptpad F2-9 — RESOLVED (test landed 05d0dc1, 3/3 green; Adversary to close). New tests/cryptpad/playwright/test_pad_content_roundtrip.py does the §4.3 create-pad → type → FRESH browser context → read-back (proves E2E-encrypted server persistence). Full harness suite run pending.

Working next unblocked items meanwhile.

---

Q3 + Q4 — recipe enrollment sprint. After capacity unblock + Adversary checkpoint, landed:

• Q3.1 lasuite-docs partial (parity + 2 specific + Q2.4 test_oidc_with_keycloak); deeper OIDC ports deferred in DEFERRED.md.
• Q3.4 cryptpad partial (parity + 2 specific); create-pad deferred F2-9 conditional (must lift before Phase-2 DONE).
• Q4.1 matrix-synapse FULL (parity-aligned + 3 specific incl. §4.3 register-and-message).
• Q4.3 bluesky-pds FULL (4 functional incl. §4.3 account+post round-trip via goat CLI; F2-8 closed).
• Q4.4 ghost FULL (parity + 3 specific; create-post deferred in DEFERRED.md).
• Q4.8 uptime-kuma FULL (parity + 2 specific; create-monitor deferred in DEFERRED.md).

Harness change: lifecycle.deploy_app + run_recipe_ci.py + deps.py now thread recipe_meta.DEPLOY_TIMEOUT into abra.deploy(timeout=...) so heavy-recipe Python subprocess timeout matches the recipe's internal TIMEOUT.

DEFERRED.md (machine-docs/) — new orchestrator-canonical deferral registry; 9 entries open.

Remaining substantial: Q3.2 lasuite-drive (needs mirror), Q3.3 lasuite-meet (mirrored), Q3.5 immich (needs mirror), Q4.2/Q4.5-7/Q4.9-10 (mostly need mirror). The mirror-and-enroll path is established (recipe-create-pr skill); pausing this sprint for Adversary cold-verify.

Adversary findings — Builder response

F2-11 — FIXED, awaiting Adversary re-verify (commit: git log --oneline | grep 'F2-11'). SSO-dep "deps-not-ready" SKIP no longer yields a GREEN !testme.

• WHAT: when a recipe declares DEPS and setup_custom_tests fails (deps not ready) so its @requires_deps (SSO/OIDC) tests SKIP, the run now reports FAIL (overall=1), not green — while generic-tier failure-isolation is preserved (install/upgrade/backup/restore results stand).
• WHERE (code):
  • tests/conftest.py::pytest_collection_modifyitems — now counts the requires_deps tests it skips and appends the count to $CCCI_DEPS_SKIP_REPORT.
  • runner/run_recipe_ci.py — sets CCCI_DEPS_SKIP_REPORT (run-scoped temp, near depsfile); after teardown sums the count into requires_deps_skipped; RUN SUMMARY annotates the custom tier (custom: pass (N requires_deps SKIPPED ... SSO UNVERIFIED)); new pure predicate sso_dep_unverified(declared, deps_ready, requires_deps_skipped) flips overall=1.
  • tests/unit/test_f211_sso_skip.py — 7 new unit tests.
• HOW to verify (both deploy-free, rate-limit-independent):
  1. ssh cc-ci 'cd /root/cc-ci && cc-ci-run -m pytest tests/unit -q' → EXPECTED: 35 passed (28 prior + 7 F2-11).
  2. Cold real-test signal proof: ssh cc-ci 'cd /root/cc-ci && rm -f /tmp/f211-skip.txt && CCCI_DEPS_READY=0 \ CCCI_DEPS_NOT_READY_REASON=boom CCCI_DEPS_SKIP_REPORT=/tmp/f211-skip.txt \ cc-ci-run -m pytest tests/lasuite-docs/functional/test_oidc_with_keycloak.py -rs; \ cat /tmp/f211-skip.txt' → EXPECTED: 1 skipped, pytest exit 0 (the hazard), and /tmp/f211-skip.txt == 1. Since lasuite-docs declares DEPS=["keycloak"], the orchestrator computes sso_dep_unverified(["keycloak"], False, 1)=True → overall=1.
• NOT verified by a live run yet: full e2e (real deploy with forced setup_custom_tests failure → observe overall=1) is deferred until the Docker Hub rate limit (## Blocked) lifts. The two proofs above cover the predicate, the conftest signal on real files, and the count flow; only the straight-line read→sum→predicate→overall wiring is unexercised by a live deploy.

Gate

Gate: Q4.1 matrix-synapse — CLAIMED @2026-05-30, awaiting Adversary.

WHAT. matrix-synapse (DB + media-store category; synapse app + postgres db + nginx web) runs its full lifecycle GREEN — install + upgrade (real prev→latest crossover) + backup + restore

• custom. One real defect was found + fixed honestly (not weakened): the §4.3 register test hit a transient post-restore HTTP 500 because the restore tier's DROP DATABASE … WITH (FORCE) (pg_backup.sh restore) force-closes synapse's postgres connection pool, and a registration (a DB write) issued during synapse's pool-recovery window 500s even while HTTP health (a read) is green. Fixed by a bounded readiness-retry in _admin_register (re-fetch nonce + re-POST on 5xx/transport error, ≤90s, then RAISE; 4xx = fail-fast). The assertion is unchanged (two users must register + send/receive a message). Root cause is proven: the synapse capture log shows server closed the connection unexpectedly / psycopg2.InterfaceError: connection already closed at the restore moment, and the retry diagnostic shows POST transient 500 (attempt 1) → succeeded (attempt 2).

• P2 parity: health_check.py → functional/test_health_check.py::test_synapse_client_versions_returns_json. (Heavy operational parity ports — compress_state/complexity/purge — deferred to the --extra flag, DEFERRED.md, operator-confirmed.)
• P3 (≥2 separate non-vacuous functional tests): test_register_and_message.py (§4.3: register two users via shared-secret admin → login → create room → invite → join → send → read-back a unique marker) + test_federation_version.py (/_matrix/federation/v1/version reachable — the distinctive federation surface).
• P4 (data-integrity): ops.py seeds a postgres ci_marker in synapse's DB; survives upgrade (chaos crossover) + backup→wipe→restore via the recipe's real pg_backup.sh DB-dump hook (test_backup_captures_state + test_restore_returns_state PASS; non-vacuous — pre_restore DROPs the table and asserts the drop took).
• P5/P6 N/A: self-contained (postgres is in-recipe, no external dep); core function is the client/federation API, fully exercised — no browser-only UX owed.

HOW (Adversary, cold, on cc-ci):

ssh cc-ci 'cd /root/<your-clone> && git pull && RECIPE=matrix-synapse PR=0 \
  cc-ci-run runner/run_recipe_ci.py'

EXPECTED:

• RUN SUMMARY: deploy-count = 1 (expect 1); install/upgrade/backup/restore/custom all pass.
• Upgrade: upgrade→PR-head: head_ref=5b21a6b4 chaos-version=5b21a6b4 version=7.1.0+v1.149.1→ 7.1.1+v1.149.1 (HC1, head_ref==chaos-version, real prev→latest crossover).
• Restore: tests/matrix-synapse/test_restore.py::test_restore_returns_state PASSED (postgres ci_marker survives the recipe's pg_backup.sh backup→restore).
• Custom — 3 PASS: test_federation_version_endpoint, test_synapse_client_versions_returns_json, test_register_two_users_send_receive_message. The register test MAY log [register] …: POST transient 500 (attempt N, synapse recovering) — retrying then succeeded — that is the EXPECTED post-restore recovery, not a failure (it still PASSES; a persistent 500 would RAISE after 90s).
• Clean teardown: post-run no matr-* stack/volumes/secrets.

WHERE. Fix commit db124d5 (tests/matrix-synapse/functional/test_register_and_message.py readiness-retry). matrix tests: tests/matrix-synapse/{recipe_meta.py,PARITY.md,ops.py,test_install.py, test_upgrade.py,test_backup.py,test_restore.py,functional/{test_health_check.py,test_federation_version.py, test_register_and_message.py}}. Authoritative log /root/ccci-matrix-full2.log (5 tiers green, deploy-count=1, retry diagnostic, clean teardown). Root-cause evidence: synapse capture /root/matrix-synapse-debug.log (psycopg2 connection-closed at restore).

---

Gate: Q3.5 immich — ✅ Adversary PASS @2026-05-30 (REVIEW-2 11c5498). Cold full lifecycle GREEN, deploy-count=1, P4 restore non-vacuous PASS (recipe-PR pg_dump fix real; published-recipe bug statically confirmed), 2 distinct P3 tests, clean teardown. P4-restore RED CLOSED, no veto. (Claim detail retained below.)

WHAT. immich (D10 object-storage / large-volume photo+video manager; self-contained: app + machine-learning + redis + postgres) runs its full lifecycle GREEN — install + upgrade (real prev→PR-head crossover) + backup + restore + custom — with the P4 data-integrity gap fixed via recipe-PR recipe-maintainers/immich#1.

• P4 (headline): the published immich recipe backs up NO database (backupbot.backup only on the app service, all its volumes excluded; the database/postgres service unlabeled, no pg_dump hook) → a restore yielded an empty DB (silent total-metadata-loss bug). recipe-PR #1 adds a database-service postgres backup (matrix-synapse /pg_backup.sh config-mount + backupbot pre/restore hooks). With it the postgres ci_marker survives the recipe's real backup→restore: tests/immich/test_restore.py::test_restore_returns_state PASS (was RED). The VectorChord (vchord+vector) extensions + all tables round-trip; immich-server reconnects after the FORCE-drop.
• P2 parity: health_check.py → functional/test_health_check.py. oidc_login.py is authentik-specific → documented non-port (PARITY.md; operator SSO policy: keycloak default, immich OIDC optional, immich + the §4.3 asset flow work with a local admin and no SSO).
• P3 (≥2 SEPARATE recipe-specific functional tests): functional/test_asset_upload.py (§4.3 create-an-object: upload asset POST /api/assets → read back GET /api/assets/{id} IMAGE → thumbnail derivative GET .../thumbnail) + functional/test_asset_processing.py (a DISTINCT microservice path: poll until metadata-extraction populates exifInfo 1x1 dims, then GET /api/assets/statistics shows the asset catalogued — images/total≥1).
• P5/P6 N/A: immich self-contained (no deps); characteristic behaviour covered functionally via the API (upload/derivative/metadata/catalog), no browser-only UX owed.

HOW (Adversary, cold, on cc-ci):

ssh cc-ci 'cd /root/<your-clone> && git pull && RECIPE=immich PR=1 \
  REF=a846cf38dc14430d0d1b95553ce9c3c42e3b348a SRC=recipe-maintainers/immich \
  cc-ci-run runner/run_recipe_ci.py'

(the private mirror clone authenticates via the bridge gitea token fallback /run/secrets/bridge_gitea_token — no GITEA_TOKEN env needed.)

EXPECTED:

• RUN SUMMARY: deploy-count = 1 (expect 1); install/upgrade/backup/restore/custom all pass.
• Upgrade: upgrade→PR-head: head_ref=a846cf38 chaos-version=a846cf38 version=1.5.1+v2.6.3→ 1.6.0+v2.7.5 (HC1, real crossover; head_ref==chaos-version).
• Restore: tests/immich/test_restore.py::test_restore_returns_state PASSED (P4 — ci_marker survives the recipe's DB backup→restore; without the recipe-PR this is RED).
• Custom — 3 PASS: test_immich_processes_uploaded_asset_metadata_and_statistics, test_immich_upload_asset_readback_and_thumbnail, test_immich_returns_200.
• Clean teardown: post-run no immi-* stack/volumes/secrets.
• The fix is the recipe-PR diff: recipe-maintainers/immich#1 (head a846cf38) adds pg_backup.sh, abra.sh (PG_BACKUP_VERSION=v1), compose.yml database-service backupbot hooks + config-mount. (Negative control: RECIPE=immich PR=0 — published recipe, no fix — restore tier FAILs relation "ci_marker" does not exist, the bug this PR repairs.)

WHERE. recipe-PR recipe-maintainers/immich#1, branch ci/pg-backup, head a846cf38dc14430d0d1b95553ce9c3c42e3b348a (mirror synced from upstream coop-cloud/immich main@7eb3937a + 14 tags). cc-ci tests: tests/immich/{recipe_meta.py,PARITY.md,ops.py,test_install.py, test_backup.py,test_restore.py,functional/{test_health_check.py,test_asset_upload.py, test_asset_processing.py}}. cc-ci commit ecd770b (P3 2nd test + PARITY + DECISIONS). DECISIONS.md "immich postgres backup recipe-PR". Authoritative log /root/ccci-immich-prfull.log (all 5 tiers + 3 custom green, deploy-count=1, clean teardown). Mechanism-validation detail in JOURNAL-2.

---

Gate: Q4.9 mailu — ✅ Adversary PASS @2026-05-29 (REVIEW-2 2958eb6). Cold first-hand full lifecycle GREEN ×2: deploy-count=1, real upgrade crossover 3.0.0→3.0.1 (head_ref==chaos-version), 2 non-vacuous P3 (unique-mailbox create→read-back + unique-marker postfix→dovecot delivery), clean teardown; P4-N/A §7.1 sign-off GRANTED (no backupbot label, independently confirmed); P5/P6 N/A justified. No VETO. mailu enrolled (P1 coverage advanced). (Claim detail retained below.)

WHAT. mailu (full email stack: nginx front app + admin + postfix smtp + dovecot imap + rspamd antispam + webmail + redis db + certdumper) runs install + upgrade + custom GREEN; deploy-count=1; clean teardown. backup/restore SKIP (N/A) — the upstream recipe ships no backupbot.backup label on any service (backup_capable=False), so there is no recipe backup mechanism to exercise → P4 is genuinely N/A for mailu as published (documented in tests/mailu/PARITY.md + machine-docs/DEFERRED.md 2026-05-29 mailu entry). Requesting Adversary §7.1 sign-off on P4-N/A (alternative: a cc-ci-authored backupbot recipe-PR, mirroring immich Q3.5).

• P2 — VACUOUS: no recipe-info/mailu/tests/ corpus exists in the recipe-maintainer workspace, so there are no tests to port (documented in PARITY.md).
• P3 — 2 recipe-specific functional tests (both green): functional/test_mailbox.py (create a mailbox via the admin container's flask mailu user CLI → read it back from flask mailu config-export --json → assert present: admin-DB provisioning round-trip) + functional/test_mail_flow.py (the characteristic mail flow: inject a uniquely-marked message via the postfix container's local sendmail → poll dovecot's doveadm search in the imap container → assert delivered/stored: a real postfix→rspamd→dovecot deliver/store/fetch).
• cc-ci integration: recipe_meta.EXTRA_ENV(domain) sets MAIL_DOMAIN/HOSTNAMES=run domain, TRAEFIK_STACK_NAME=traefik_ci_commoninternet_net (resolves certdumper's external *_letsencrypt volume), and TLS_FLAVOR=notls (mailu's mail-port TLS comes from certdumper dumping traefik's ACME acme.json, which cc-ci has none of — file-provider wildcard cert; notls removes the dep; certdumper still converges idle). The mail tests use the in-container sendmail/doveadm because notls makes dovecot refuse plaintext auth over the network (port 143) — the in-container path exercises the same delivery/storage stack. HEALTH_PATH=/ (front nginx → 301).

HOW (Adversary, cold, on cc-ci):

ssh cc-ci 'cd /root/<your-clone> && git pull && RECIPE=mailu PR=0 cc-ci-run runner/run_recipe_ci.py'

EXPECTED:

• RUN SUMMARY: deploy-count = 1 (expect 1); install/upgrade/custom pass; backup/restore skip (N/A, no backupbot — EXPECTED, not a failure).
• Upgrade: upgrade→PR-head: head_ref=23309a1a chaos-version=23309a1a version=3.0.0+2024.06.27→ 3.0.1+2024.06.37 (real crossover; head_ref==chaos-version = HC1).
• Custom — 3 PASS: test_mailu_front_serves, test_create_mailbox_and_read_back, test_send_and_receive_mail.
• Clean teardown: post-run docker stack ls | grep mail → empty.

WHERE. Commits 916bdd8 (mailu tests) + 8844943 (in-container mail-flow rewrite, drop network IMAP-auth test). Files: tests/mailu/{recipe_meta.py,PARITY.md,functional/{_mailu.py,test_health_check.py, test_mailbox.py,test_mail_flow.py}}. Log /root/ccci-mailu-full2.log. Smoke-discovery logs: /root/mailu-smoke.log (convergence/health/ports/flask CLI) + /root/mailu-smoke2.log (proved sendmail-inject → doveadm-search delivery). DEFERRED.md mailu P4-N/A entry.

---

Gate: Q4.2 mumble — ✅ Adversary PASS @2026-05-29 (REVIEW-2 1daa1ea). Cold first-hand full lifecycle GREEN on the Adversary's clone: all 5 tiers, deploy-count=1, tcp ready-probe ×2, real upgrade crossover 0.2.0→1.0.0+ (head_ref==chaos-version), P3 config round-trips non-vacuous (max_users=42 + welcome marker decoded from wire bytes), P4 sqlite ci_marker survives, clean teardown; P5/P6 N/A justified. No VETO. First non-HTTP/TCP-voice recipe enrolled. (Claim detail retained below.)

WHAT. mumble (the §5 TCP/voice recipe — first non-HTTP-native recipe) runs its full lifecycle GREEN: install + upgrade (real prev→PR-head crossover) + backup + restore + custom. deploy-count=1, clean teardown. Enrolled by deploying two upstream overlays via COMPOSE_FILE=compose.yml:compose.mumbleweb.yml:compose.host-ports.yml:

• mumbleweb → an HTTP web-client sidecar (HEALTH_PATH / → 200) giving the generic harness its serving/readiness signal + the web_client.py parity surface.
• host-ports → publishes 64738 (tcp+udp, mode:host) on the cc-ci host so the on-host (cc-ci-run) protocol tests connect to 127.0.0.1:64738.
• P2 (3 parity ports, all green): health_check.py→functional/test_tcp_health.py (TCP 64738); mumble_connect.py→functional/test_protocol_handshake.py (TLS handshake → server Version → auth accepted → ≥1 channel = channel presence → ServerSync, via vendored functional/_mumble_proto.py); web_client.py→functional/test_web_client.py (HTTPS 200 + Mumble/config.js/<!DOCTYPE html>). No recipe-maintainer mumble test omitted. tests/mumble/PARITY.md has the mapping.
• P3 (2 specific, beyond parity, version-independent config round-trips): functional/test_welcome_text_roundtrip.py (deploy-set WELCOME_TEXT marker cc-ci-mumble-welcome-7f3a9c surfaces in the ServerSync welcome_text) + functional/test_server_config_limits.py (deploy-set non-default USERS=42 surfaces as ServerConfig.max_users==42). Both prove deploy-time config propagated into the running murmur server.
• P4 (real backup data-integrity): ops.py seeds a ci_marker row into /data/mumble-server.sqlite (the exact file the recipe's backupbot .backup/restore hooks dump), test_backup.py asserts it at backup time, pre_restore drops it, test_restore.py asserts it returns as original. sqlite busy timeout set via the silent .timeout dot-command.

Harness/enrollment additions (DECISIONS.md "mumble" entries): recipe_meta.CHAOS_BASE_DEPLOY flag + lifecycle._recipe_meta_flag + a deploy_app branch (the cc-ci-provided untracked host-ports overlay trips abra's pinned clean-tree check → chaos base deploy of the checked-out pinned version, not LATEST); abra.recipe_checkout now git checkout -f (the version-pinning checkout must yield the exact ref tree, robust to the cc-ci overlay colliding with head_ref's tracked copy); wait_ready_probes now supports a TCP probe ({tcp_host,tcp_port,stable=N}) so readiness gates on the voice server (64738) being stably listening — HEALTH_PATH only proves the mumble-web sidecar, and after the chaos upgrade redeploy the host-mode 64738 port churns (old task releases → new binds), which otherwise let backup-bot exec into a not-running app container (409). tests/mumble/install_steps.sh provides an identical compose.host-ports.yml to versions predating it (the upgrade base 0.2.0+; upstream added it in 1.0.0). No browser flow (P6 N/A — mumble's core UX is the native client over the voice protocol, covered by the handshake test; the web UI is asserted via test_web_client).

HOW (Adversary, cold, on cc-ci):

ssh cc-ci 'cd /root/<your-clone> && git pull && RECIPE=mumble PR=0 cc-ci-run runner/run_recipe_ci.py'

EXPECTED:

• RUN SUMMARY: deploy-count = 1 (expect 1); install/upgrade/backup/restore/custom all pass.
• Base deploy log: deploy_app(mumble@0.2.0+v1.6.870-0): CHAOS_BASE_DEPLOY set → chaos base deploy … and mumble install_steps: provided compose.host-ports.yml to recipe checkout (mumble).
• ready-probe OK (tcp 3x): 127.0.0.1:64738 appears TWICE (post-install + post-upgrade).
• Upgrade: upgrade→PR-head: head_ref=9fa5e949 chaos-version=9fa5e949 version=0.2.0+v1.6.870-0→ 1.0.0+v1.6.870-0 (real crossover; head_ref==chaos-version = HC1).
• Custom tier — 5 PASS: test_tcp_health, test_protocol_handshake (test_handshake_completes_with_channel_presence), test_web_client (test_web_client_serves_mumble_web_ui), test_welcome_text_roundtrip (test_configured_welcome_text_surfaces_in_serversync), test_server_config_limits (test_configured_max_users_surfaces_in_serverconfig).
• P4: test_backup_captures_state + test_restore_returns_state PASSED (ci_marker survives).
• Clean teardown: post-run docker stack ls | grep mumb → empty.

WHERE. Commits 6841048 (test content) + 6bf0425 (install_steps host-ports) + 999dd0d (CHAOS_BASE_DEPLOY) + a0fd58b (sqlite .timeout) + 1890cb5 (recipe_checkout -f) + ec76072 (TCP READY_PROBE). Files: tests/mumble/{recipe_meta.py,PARITY.md,ops.py,install_steps.sh, compose.host-ports.yml,test_install.py,test_backup.py,test_restore.py,functional/*.py}, runner/harness/{lifecycle.py,abra.py}. Log /root/ccci-mumble-full6.log. Isolation diagnostic (backup/restore green on a stable deploy, no upgrade): /root/ccci-mumble-diag.log.

---

Gate: HQ1 image pre-pull — ✅ Adversary PASS @2026-05-29 (REVIEW-2 0215bd2).

WHAT. runner/harness/lifecycle.prepull_images(recipe, domain) warms the local image store BEFORE the deploy: resolves the recipe's images via docker compose --env-file <app.env> -f <COMPOSE_FILE…> config --images (handles $VERSION interpolation + multi-compose, reading abra's COMPOSE_FILE from the app .env), then docker pull each with skip-if-present (docker image inspect → zero network for already-cached pinned tags). Called in deploy_app BEFORE the (UNCHANGED, real) abra.deploy, and in generic.perform_upgrade BEFORE the chaos redeploy (warms the new-version images). A pull failure RAISES a clear pull error pre-deploy (not a murky converge timeout). The deploy path is unchanged — prepull only warms the store (no docker service update/scale). Honest scope: removes PULL time, NOT app-INIT time (slow-init apps still need their healthcheck/READY_PROBE).

HOW / EXPECTED (Adversary, on cc-ci):

• cc-ci-run -m pytest tests/unit/test_prepull.py -q → 4 passed (present→skip, missing→pull, pull-fail→RAISE, no-images→skip).
• Warm-cache no-redownload: run a cached recipe (e.g. n8n) → log shows prepull: present <img> (skip, no pull). Proven: /root/ccci-n8n-prepull2.log (prepull: present n8nio/n8n:2.20.6), install+custom pass.
• Bad-tag clear error: pointing a recipe at a bogus image tag → prepull RAISES RuntimeError: … clear pull error BEFORE deploy: manifest unknown (proven, deploy-free).
• Real-run-green + abra unchanged: /root/ccci-n8n-prepull.log (cold image pulled by prepull, then install+custom GREEN); grep of prepull_images shows only compose-config / image-inspect / pull.

WHERE. Commit 2bf40d6. Files: runner/harness/lifecycle.py (prepull_images + deploy_app call), runner/harness/generic.py (perform_upgrade call), tests/unit/test_prepull.py. Plan: cc-ci-plan/plan-prepull-images.md.

---

Gate: Q3.3 lasuite-meet — ✅ Adversary PASS @2026-05-29 (REVIEW-2 a46f7d4).

WHAT. lasuite-meet (La Suite real-time meetings via LiveKit; OIDC-required; sibling of lasuite-docs/drive) runs its full lifecycle GREEN — install + upgrade (real prev→PR-head crossover) + backup + restore + custom (health + OIDC + meeting_flow). Enrolled by reusing the lasuite-drive OIDC-at-install machinery (DEPS=["keycloak"], OIDC_AT_INSTALL, install_steps.sh wiring OIDC env before the single deploy). Two infra fixes were needed:

• R014 lightweight-tag → chaos-base deploy (commit 72719fe): upstream coop-cloud lasuite-meet ships a stray LIGHTWEIGHT tag 0.3.0+v1.16.0, which FATAs abra recipe lint (R014) on the pinned prev-version base deploy. Fix: abra.has_lightweight_version_tags detects it; deploy_app then deploys the EXPLICITLY-checked-out prev version with chaos (chaos skips lint + deploys the current checkout — NOT latest; F1d-2's hazard was a missing checkout). Verified by the real upgrade crossover below. (An origin-repoint approach was tried + abandoned: go-git 'reference not found'.)
• meeting_flow tolerant delete (commit 1f7806a): meet 0.3.0 soft/async-deletes rooms, so the post-delete 404 check is best-effort; the §4.3 create+read-back+LiveKit-token asserts stay HARD.

HOW (Adversary, cold, on cc-ci):

ssh cc-ci 'cd /root/<your-clone> && git pull && RECIPE=lasuite-meet PR=0 cc-ci-run runner/run_recipe_ci.py'

EXPECTED:

• RUN SUMMARY: deploy-count = 1; install/upgrade/backup/restore/custom all pass.
• tests/lasuite-meet/functional/test_meeting_flow.py::test_create_room_get_livekit_token_and_read_back PASSED — creates a room (201), reads it back (200, same LiveKit room), the LiveKit token is a JWT granting that room, deletes it.
• test_oidc_password_grant_against_dep_keycloak PASSED (not skipped) — password-grant JWT vs the per-run keycloak realm lasuite-meet-<6hex>.
• Log shows lightweight upstream tag present → chaos base deploy and upgrade→PR-head: … version=0.2.0+v1.15.0→0.3.0+v1.16.0 (real crossover, NOT latest-as-base).
• Data-integrity: postgres ci_marker survives upgrade + backup→wipe→restore.
• Clean teardown: post-run no lasu stacks/volumes.

WHERE. Commits 32a743f (recipe_meta) + 9c6cb53 (meeting_flow + PARITY) + 72719fe (R014 chaos-base) + 1f7806a (tolerant delete). Files: tests/lasuite-meet/{recipe_meta.py,install_steps.sh, ops.py,test_*.py,functional/*.py,PARITY.md}, runner/harness/abra.py (has_lightweight_version_tags), runner/harness/lifecycle.py (chaos-base branch). Log /root/ccci-meet-full6.log. webrtc-media/relay UDP media-relay = documented env-blocker non-port (maximal subset = LiveKit token issuance, shipped).

---

Gate: Q3.2 lasuite-drive — RE-CLAIMED @2026-05-29 (after F2-12 fix), awaiting Adversary. (First claim 911680f FAILed cold-verify — F2-12: the upgrade chaos redeploy's abra converge monitor FATA'd while the NEW collabora 25.04.9.4.1 was still in its healthcheck start_period. Fixed by e1147b5; re-validated 3× green. F2-12 is Adversary-owned — left for the Adversary to close.)

WHAT. lasuite-drive (the heaviest Phase-2 stack: 12 services incl. collabora + onlyoffice + minio/S3 + postgres, OIDC-dependent) now runs its full lifecycle GREEN, repeatably — install + upgrade (prev→PR-head chaos crossover) + backup + restore + custom (health + MinIO round-trip + OIDC password-grant), via three fixes:

1. Install-time OIDC wiring (commit a151489) — the orchestrator provisions the per-run realm on the live-warm keycloak BEFORE the single abra app deploy, and tests/lasuite-drive/install_steps.sh writes the OIDC env + client secret into that one deploy. This eliminates the flaky post-deploy --force --chaos 12-service reconverge the old setup_custom_tests.sh did (collabora WOPI-discovery race; JOURNAL Step 0). New per-recipe OIDC_AT_INSTALL meta flag + reusable _provision_deps() helper; legacy post-deploy path unchanged for all other dep recipes (gated on not oidc_at_install).
2. collabora-ready upgrade gate + DEPLOY_TIMEOUT plumbing (commit 4b38b66) — ops.py::pre_upgrade waits for collabora WOPI discovery → 200 BEFORE the chaos redeploy, so it no longer SIGTERMs a still-booting OLD collabora; DEPLOY_TIMEOUT threads to the upgrade chaos_redeploy.
3. F2-12 fix — own the upgrade convergence verification (commit e1147b5). The upgrade chaos redeploy now runs abra … -c (--no-converge-checks): abra's own post-deploy monitor — which FATA'd while the NEW collabora 25.04.9.4.1's healthcheck was still in start_period (jail/config init) — is dropped. docker stack deploy still applies the spec; generic.perform_upgrade then OWNS a stricter verification with a generous (DEPLOY_TIMEOUT) deadline: lifecycle.wait_healthy (every swarm service N/N + app HEALTH_PATH 200) then lifecycle.wait_ready_probes (recipe READY_PROBE → collabora WOPI /hosting/discovery 200). The new collabora converges through swarm's healthcheck retries; HC1 (chaos-version == PR-head) + deploy-count=1 preserved. Non-vacuous (P7-negative) PROVEN by tests/unit/test_f212_upgrade_convergence.py (commit 6506c4a, 5 tests): wait_ready_probes/wait_healthy RAISE TimeoutError on a stuck/never-serving convergence — so a genuinely broken upgrade stays RED; this is not green-washing abra's skipped check.

HOW (Adversary, cold, on cc-ci):

ssh cc-ci 'cd /root/<your-clone> && git pull && RECIPE=lasuite-drive PR=0 cc-ci-run runner/run_recipe_ci.py'
ssh cc-ci 'cd /root/<your-clone> && cc-ci-run -m pytest tests/unit/test_f212_upgrade_convergence.py -q'

EXPECTED:

• RUN SUMMARY: deploy-count = 1 (expect 1); install/upgrade/backup/restore/custom all pass.
• test_oidc_password_grant_against_dep_keycloak PASSED (NOT skipped) — real password-grant JWT.
• test_minio_storage PASSED (real S3 upload→list→cat readback inside the minio container).
• Data-integrity: test_upgrade_preserves_data (ci_marker survives prev→PR-head chaos crossover) + backup/restore ci_marker survive.
• Log shows install-time OIDC: deps provisioned + install_steps: OIDC env wired (no post-deploy reconverge) and ready-probe OK (200) TWICE (post-install + post-upgrade, collabora WOPI).
• Clean teardown: post-run docker stack ls | grep lasu and docker volume ls | grep lasu both empty.
• Unit: 5 passed in tests/unit/test_f212_upgrade_convergence.py (the P7-negative proof).

WHERE. Commits a151489 (Part A) + 4b38b66 (upgrade gate) + e1147b5 (F2-12 own-convergence) + 6506c4a (P7-negative unit tests). Files: runner/run_recipe_ci.py (_provision_deps, OIDC_AT_INSTALL branch, _perform_op meta+timeout, post-install wait_ready_probes), runner/harness/abra.py (deploy(no_converge_checks)), runner/harness/lifecycle.py (chaos_redeploy(no_converge_checks), wait_ready_probes), runner/harness/generic.py (perform_upgrade own-wait), tests/lasuite-drive/{install_steps.sh,setup_custom_tests.sh,ops.py,recipe_meta.py} (READY_PROBE), tests/unit/test_f212_upgrade_convergence.py. 3× repeat-green of the F2-12 fix (flakiness gone, not absent-once): /root/ccci-drive-f212-v1.log, …-v2.log, …-v3.log — each full-suite green, deploy-count=1, OIDC PASSED, ready-probe OK twice, clean teardown. Step-0 root-cause logs in JOURNAL-2. DEFERRED.md disk-blocker CLOSED (host 64G).

---

Gate: Q2 — Adversary PASS @2026-05-28 (REVIEW-2 ## Q2 — PASS @2026-05-28 (re-verify after F2-5 fix + F2-6 collateral resolution); cold e2e on /root/adv-verify HEAD 874bfbb: deploy-count=2, all 5 assertions PASS, DEPS teardown clean, post-run docker stack/volume/secret with 'keyc|lasuite' filter all empty; NO VETO). F2-5 + F2-6 CLOSED; F2-7 stands as open scope (authentik backend in harness.sso when Q2.2 enrolls). Builder may advance to Q3 — already in flight (Q3.1 partial @ 874bfbb, Q5.1 docs @ b2151af).

Acceptance per plan §6 Q2: "a dependent recipe deploys its provider + runs an OIDC login test in one run." Proven cold:

Objective evidence pointers (Q2):

• Q2.1 keycloak parity + 2 NEW specific tests — commit d5f5e86:

  • tests/keycloak/functional/test_health_check.py — parity port.
  • tests/keycloak/functional/test_password_grant_token.py — password grant, JWT decoded, claims (iss/azp/typ/exp/iat) validated.
  • tests/keycloak/functional/test_create_client_and_use.py — admin-API client CRUD + client_credentials grant + JWT azp/iss validation + idempotent cleanup.
  • oidc_integration.py parity deferred to Q3 (cross-recipe; see PARITY.md note).
  • Bumped DEPLOY_TIMEOUT + HTTP_TIMEOUT to 900s.
  • Cold e2e (log /root/ccci-q2-keycloak-r3.log): all 5 stages PASS, deploy-count=1, head_ref=666649a6 == chaos-version=666649a6, version 10.7.0+26.6.1 → 10.7.1+26.6.2.

• Q2.3 dep resolver + SSO-setup harness primitives — commit 4d6b040:

  • runner/harness/deps.py — declared_deps + dep_domain + deploy_deps + teardown_deps + JSON run state. Subsumes Q0.4 (dep resolver).
  • runner/harness/sso.py — setup_keycloak_realm + oidc_password_grant + assert_discovery_endpoint. Reusable by every SSO-dependent recipe (Q3 will exercise).
  • runner/run_recipe_ci.py — wired in dep deploy BEFORE recipe-under-test, dep teardown AFTER in finally (reverse order). DG4.1 expected count = 1 + len(deps).
  • tests/conftest.py — deps_apps fixture exposes dep domains to dependent tests.
  • 7 new unit tests in tests/unit/test_deps.py; 28/28 unit tests PASS cold.

• F2-5 fix — dep teardown verify=True — commit c6e94af, log /root/ccci-f25-verify.log:

  • runner/harness/deps.py::teardown_deps now uses lifecycle.teardown_app(..., verify=True) so residuals raise TeardownError. Errors are logged per-dep but we continue to other deps; a combined TeardownError is raised after all attempts.
  • runner/run_recipe_ci.py catches the dep TeardownError in finally, surfaces via dep_teardown_error in the run summary + non-zero exit code.
  • Cold-verified: lasuite-docs+keycloak dep e2e PASSED clean (3 custom + 2 lifecycle install = 5 PASS); post-run cc-ci state has NO leftover keycloak (docker stack ls | grep keyc → empty; docker volume ls | grep keyc → empty; docker secret ls | grep keyc → empty).
  • deploy-count=2, expected 2.

• Q2.4 acceptance (the gate) — commit 9e88741, log /root/ccci-q24-lasuite-keycloak.log:

  • tests/lasuite-docs/recipe_meta.py declares DEPS = ["keycloak"].
  • tests/lasuite-docs/functional/test_oidc_with_keycloak.py:
    • Asserts deps_apps["keycloak"] is the per-run dep domain.
    • Calls harness.sso.setup_keycloak_realm → realm/client/user.
    • GETs OIDC discovery; asserts issuer == https://<kc>/realms/lasuite-docs.
    • Performs password grant → JWT; asserts iss/azp/typ/exp claims.
  • Cold-run output:

    ===== DEPS: ['keycloak'] =====
      dep: deploying keycloak -> keyc-c12afe.ci.commoninternet.net
      dep: keycloak ready @ keyc-c12afe.ci.commoninternet.net
    ===== TIER: install =====  2 PASS (generic + cc-ci overlay)
    ===== TIER: custom =====   1 PASS (test_oidc_password_grant_against_dep_keycloak)
    ===== DEPS teardown =====
    ===== RUN SUMMARY =====
    deploy-count = 2 (expect 2)
    

• F2-3 systemic fix — commit 47f7cb4: runner/harness/browser.py::goto_with_retry centralizes the F2-3 try/except PlaywrightError pattern; applied to all install overlays using page.goto (custom-html, n8n, keycloak, cryptpad, lasuite-docs) + the custom-html playwright/test_browser_smoke. Cold e2e (custom-html, log /root/ccci-q2-customhtml-r2.log): all 5 stages PASS, deploy-count=1, HC1 non-vacuous.

Reference command for Adversary (cold, on cc-ci):

ssh cc-ci 'cd /root/<your-clone> && \
  cc-ci-run -m pytest tests/unit -v && \
  RECIPE=keycloak cc-ci-run runner/run_recipe_ci.py && \
  RECIPE=lasuite-docs STAGES=install,custom cc-ci-run runner/run_recipe_ci.py'

---

Gate: Q1 — Adversary PASS @2026-05-28 (REVIEW-2 ## Q1 — PASS @2026-05-28 (re-verify after F2-3 + F2-4 fixes); cold e2e on /root/adv-verify HEAD fc89552 → all 5 stages PASS, deploy-count=1, HC1 non-vacuous; F2-3 + F2-4 CLOSED; NO VETO). Builder may advance to Q2.

Objective evidence pointers (Q1):

• custom-html (Q1.1) — already cold-verified in Q0 PASS. Same evidence stands: full e2e green, HC1 non-vacuous, deploy-count=1; PARITY.md + functional/ + playwright/ in place.
• n8n (Q1.2) — full e2e on cc-ci (log /root/ccci-q1-n8n-r3.log):
  • HC1 PR-head proof: head_ref=63dd3e0f == chaos-version=63dd3e0f, version 3.1.0+2.9.4 → 3.2.0+2.20.6.
  • Deploy-count = 1 (DG4.1 holds).
  • Lifecycle tier results (generic + cc-ci overlay both PASS at each stage):
    • install: generic test_serving PASS + cc-ci test_serving_and_editor PASS (the robust Playwright poll handles n8n's /healthz-200-before-/-route-registered window).
    • upgrade: generic test_upgrade_reconverges PASS + cc-ci test_upgrade_preserves_data PASS (marker upgrade-survives written into /home/node/.n8n by ops.pre_upgrade survived the chaos redeploy of PR-head).
    • backup: generic test_backup_artifact PASS + cc-ci test_backup_captures_state PASS (marker original from ops.pre_backup captured by abra app backup create).
    • restore: generic test_restore_healthy PASS + cc-ci test_restore_returns_state PASS (marker mutated to mutated by ops.pre_restore, restored to original — real backup data-integrity).
  • Custom tier results (4 PASS — log /root/ccci-q1-n8n-r4.log post-F2-4/F2-3 fix):
    • tests/n8n/functional/test_health_check.py::test_n8n_returns_200 — parity port (HTTP 200 from /), with SOURCE: recipe-info/n8n/tests/health_check.py comment.
    • tests/n8n/functional/test_workflow_roundtrip.py::test_workflow_create_and_read_back — plan §4.3 prescribed create+read-back: owner setup → POST /rest/workflows → GET /rest/workflows/; assert id/name/nodes round-trip. (F2-4 fix.)
    • tests/n8n/functional/test_rest_settings.py::test_rest_settings_returns_json_with_known_keys — polls /rest/settings until content-type is application/json (rejecting the "n8n is starting up" placeholder HTML), then asserts known public-settings keys (userManagement / defaultLocale / authCookie) in the data envelope.
    • tests/n8n/functional/test_login_state.py::test_login_endpoint_returns_json — polls /rest/login until content-type is application/json, proves auth subsystem initialized.
  • PARITY.md complete: tests/n8n/PARITY.md — parity row for health_check.py, rationale for the 2 recipe-specific tests, data-integrity + playwright sections.
• Q1 has no Adversary findings yet. No tests skipped/weakened; rejecting-the-placeholder pattern in the new functional tests is non-vacuous (a stuck-booting n8n that only serves the placeholder fails the test).

Reference command for Adversary (cold, on cc-ci):

ssh cc-ci 'cd /root/<your-clone> && RECIPE=n8n cc-ci-run runner/run_recipe_ci.py'

---

Gate: Q0 — Adversary PASS @2026-05-28 (REVIEW-2 ## Q0 — PASS @2026-05-28; cold re-verify on /root/adv-verify HEAD 0b834e9 → 21 unit PASS + e2e PASS; NO VETO). F2-1 closed; F2-2 (scope observation) acknowledged.

Prior Q0 claim detail (commit 5741e88 — F2-1 fix landed on top of the original Q0 changeset). Acceptance evidence (per plan §6 Q0): a reference recipe (custom-html) uses the new harness additions for a full parity + specific suite, green via the existing run path. F2-1 (test_custom_tests_repo_local_gated stale assertion) closed by Builder; cold re-run on cc-ci → 21/21 PASS including the previously-failing test. F2-2 (scope observation: OIDC-flow + dep resolver not in Q0) acknowledged — those primitives implement when Q2/Q3 consume them; BACKLOG-2 Q0.4 remains open and explicitly deferred.

Objective evidence pointers (Q0):

• Harness additions landed
  • runner/harness/http.py — canonical Phase-2 recipe-test HTTP API (vendored from references/recipe-maintainer/utils/tests/helpers.py): http_get, http_post, http_request, retry_http_get, retry_http_post, wait_for_http, assert_converges. JSON + form bodies, transport-failure → status=0.
  • runner/harness/discovery.custom_tests recurses into tests/<recipe>/functional/ and tests/<recipe>/playwright/ (Phase 2 §4.1 layout) while excluding lifecycle test_<op>.py names; HC2 repo-local gate continues to apply.
  • TTY abra wrapper already present in runner/harness/abra.py::_run_pty (Phase 1d) — reused.
• Unit-test proof (deterministic, cc-ci; post-F2-1 fix commit 5741e88)
  • cc-ci-run -m pytest tests/unit -v → 21 passed in 5.38s (the previously-failing test_custom_tests_repo_local_gated now passes; synthetic-recipe + monkeypatch fixture):
    • 8× pre-existing tests/unit/test_discovery.py (overlay + HC2 gate, regressed).
    • 2× new tests/unit/test_discovery_phase2.py (functional/+playwright/ recursion + HC2 gate still applies to subdirs).
    • 11× new tests/unit/test_http.py (in-process http.server fixture — JSON parsing, 4xx-with-body, non-JSON body, transport-failure=0, headers, JSON+form POST, retry convergence, retry timeout, wait_for_http, assert_converges return value).
• End-to-end proof (custom-html on cc-ci, the reference recipe)
  • RECIPE=custom-html cc-ci-run runner/run_recipe_ci.py (log /root/ccci-q0-customhtml-full.log):
    • install/upgrade/backup/restore/custom all PASS, deploy-count=1.
    • HC1 PR-head proof: head_ref=8a026066 == chaos-version=8a026066, version 1.10.0→1.11.0.
    • 5 lifecycle assertions (generic + cc-ci overlay across 4 ops) + 4 custom-stage assertions (3 functional + 1 playwright). Reference command for Adversary cold re-run: RECIPE=custom-html cc-ci-run runner/run_recipe_ci.py.
• Per-recipe contract artifact landed
  • tests/custom-html/PARITY.md — parity row for health_check.py, rationale for the 2 recipe-specific tests + the data-integrity + playwright sections.
  • tests/custom-html/functional/{test_health_check.py,test_content_roundtrip.py,test_content_type_header.py} — parity port + 2 NEW recipe-specific tests; each parity file carries the SOURCE: recipe-info/custom-html/tests/<file> comment for audit.
  • tests/custom-html/playwright/test_browser_smoke.py — Phase-2 P6 home.

Reference command for Adversary (cold, on cc-ci):

ssh cc-ci 'cd /root/cc-ci && cc-ci-run -m pytest tests/unit -v && RECIPE=custom-html cc-ci-run runner/run_recipe_ci.py'

Blocked

Q4.10 drone — OPERATOR host-deploy needed @2026-05-29. drone's required gitea SCM dep binds /etc/timezone, absent on the NixOS host. Declarative fix committed (3bde76f, environment.etc.timezone=UTC in nix/hosts/cc-ci/configuration.nix) but needs a host nixos-rebuild to activate (no self-service path on the host; /root/cc-ci is operator-synced + currently stale re this commit — same operator deploy mechanism that activated the immich time.timeZone fix). Operator action: sync /root/cc-ci + nixos-rebuild switch --flake /root/cc-ci#cc-ci, then verify ssh cc-ci 'cat /etc/timezone'=UTC. Once deployed, the Builder executes the scoped gitea+drone integration (JOURNAL-2 f86a58a). DEFERRED.md 2026-05-29 drone entry has the full detail. This blocks ONLY drone (the last §5 recipe); all other §5 recipes are enrolled (mumble/mailu PASS this session; discourse deferred-sound; the rest PASS earlier).

(historical) Docker Hub rate-limit block — RESOLVED @2026-05-28 ~22:10Z (Adversary-confirmed).

Docker Hub rate-limit fix — DONE (registry-creds finding, plan §1.5), all 3 conditions met. Operator provided a read-only PAT (DOCKERHUB_USERNAME=nptest2 + DOCKERHUB_TOKEN in .testenv). Wired declaratively; verify commands + expected outcomes for the Adversary:

1. Authenticated 200-limit from account source (Adversary already CONFIRMED in REVIEW-2). Re-check: ssh cc-ci → docker info | grep Username = nptest2; an authenticated manifest HEAD shows ratelimit-limit: 200;w=21600 and docker-ratelimit-source: b662dd8b-… (account hash, NOT IP 68.14.43.142).
2. Swarm SERVICE-task pulls authenticate — PROVEN with an uncached image: ssh cc-ci 'cd /root/cc-ci && RECIPE=n8n STAGES=install cc-ci-run runner/run_recipe_ci.py' → EXPECTED: install: pass, deploy-count=1, NO toomanyrequests; the swarm task pulls n8nio/n8n:2.20.6 to 1/1. During the run the account counter decrements (197→196 resolution →195 agent layer pull, source = account hash) — the agent pull is billed to the account, not the anon IP. (n8n images were uncached, so this is a real fresh-pull test, not a cached false-pass.) Conclusion: abra docker stack deploy propagates the cred on this single-node swarm; no --with-registry-auth flag or pre-pull needed.
3. Declarative persistence across a 1c rebuild — PAT sops-encrypted (secrets/secrets.yaml key dockerhub_auth = base64("nptest2:PAT"), submodule cdd5e0a); nix/modules/secrets.nix adds sops.secrets.dockerhub_auth + sops.templates."docker-config.json" → renders /root/.docker/config.json (0600 root) at activation. Verify: after nixos-rebuild switch, ls -l /root/.docker/config.json → symlink to /run/secrets/rendered/docker-config.json; the activation log shows adding rendered secret: docker-config.json. Recorded in DECISIONS.md ("Docker Hub auth: declarative config.json via sops").

Bonus unblocked: Q3.2 lasuite-drive base deploy now CONVERGES (all 12 services incl. onlyoffice+collabora) — RECIPE=lasuite-drive STAGES=install → install: pass, deploy-count=1 (commit before this; the rate limit was the only blocker). Q3.2 specifics (OIDC/WOPI/upload) are next.

Earlier Gitea outage (RESOLVED @~21:08Z). git.autonomic.zone returned blanket 404 for ~1.5h (backend down; same from my sandbox AND cc-ci). Reconciled: pulled + pushed queued commits. The 3 watchdog pings during the outage were phantoms (Adversary's failed push retries); nothing lost.

Prior bootstrap state: access re-verified @2026-05-28: ssh cc-ci ok (root, NixOS 24.11), Gitea API HTTP 200, wildcard DNS resolves to gateway 143.244.213.108.

Carryover from Phase 1e (not blockers for Phase 2)

• F1e-2 [adversary] — concurrent same-recipe abra recipe fetch race in runner/run_recipe_ci.py::fetch_recipe. Pre-existing in Phase 1d; not a 1e regression. Drone caps MAX_TESTS=1 today, so practical impact bounded. Tracked for Phase-2 breadth-ramp if concurrent recipe runs become routine.