cc-ci/machine-docs/STATUS-5.md

# STATUS — cc-ci Phase 5 Builder

**Phase:** 5 — Verify `/recipe-upgrade` + `testme-on-pr.sh` end-to-end flow
**SSOT:** `/srv/cc-ci/cc-ci-plan/plan-phase5-verify-upgrade-flow.md`
**Started:** 2026-05-31

## Current focus

Minimal enrollment fix for `lasuite-meet` is committed (`f28a2a3`). Current work is verifying the live
bridge rollout so Phase-5 V5/V6 can continue on `lasuite-meet` PR #2. Verification is currently paused
on host reachability: after `nixos-rebuild test --flake path:/root/builder-clone#cc-ci`, `cc-ci`
stopped answering Tailscale SSH.

## Fixes applied (A5-1, A5-2, related)

**A5-2 FIX:** `bridge/bridge.py` commit `5d48436`: `post_commit_status()` added. Bridge POSTs
Gitea commit status on recipe PR's head SHA (pending→trigger, success/failure→finish).

**A5-1 FIX:** `nix/modules/bridge.nix` commit `5d48436`: `recipe-maintainers/custom-html-tiny`
added to POLL_REPOS. Bridge rebuilt: `cc-ci-bridge:3761c4221042` (via `nixos-rebuild build
--flake path:/root/builder-clone#cc-ci` on cc-ci + `cc-ci-reconcile-bridge`).

**open-recipe-pr.sh FIX (orchestrator repo):** `0df57c6` — replaced python3 with jq (cc-ci
has jq, not python3).

**testme-on-pr.sh FIX (orchestrator repo):** `6910b19` — reads cc-ci/testme context URL
instead of first-status URL (fixes wrong BUILD URL when multiple statuses exist).

**A5-3 FIX (orchestrator repo, uncommitted):** `testme-on-pr.sh` now ignores a pre-existing
`cc-ci/testme` status on the same PR head after `POST=1` until the status tuple changes, so a
fresh re-`!testme` no longer returns a stale prior GREEN/build URL.

**ci-test-review helper FIX (orchestrator repo, uncommitted):** `verify-pr.sh` and
`run-all-recipes.sh` now resolve the live host checkout dynamically (`/root/builder-clone`
preferred, `/root/cc-ci` fallback) instead of hard-coding `/root/cc-ci`.

## V3 — COMPLETE: /recipe-upgrade custom-html-tiny END-TO-END GREEN

**Upgrade PR:** `https://git.autonomic.zone/recipe-maintainers/custom-html-tiny/pulls/2`
- Branch: `upgrade-1.1.0+2.42.0`, head sha `156a49ac`
- Changes: compose.yml sws 2.38.0→2.42.0; compose.git-pull.yml alpine/git v2.36.3→v2.52.0; version 1.0.1+2.38.0→1.1.0+2.42.0
- !testme posted → Drone build #29 triggered → SUCCESS (install PASS, upgrade PASS, backup N/A)
- Commit status: `cc-ci/testme state=success target=https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/29`
- `POST=0 /srv/cc-ci/.claude/skills/recipe-upgrade/testme-on-pr.sh custom-html-tiny 2` → `VERDICT=GREEN BUILD=https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/29`
- PR comment updated by bridge with 🌻 result

## V7 — COMPLETE: mirror reconciliation

- PR #1 (`serve-hidden-files`) auto-closed as superseded when PR #2 opened.
- PR #4 (`already-in-upstream-v7`) auto-closed as merged-upstream.
- Mirror `main` force-synced to upstream `main` (`435df8fc`).

**V1/V2 partial evidence:**
- V1: !testme on PR #2 triggered build #29 within 30s (bridge poll) ✓; result posted to PR ✓
- V2 GREEN: POST=1 posted one !testme; POST=0 polled and returned VERDICT=GREEN BUILD=<drone-url> ✓
- V2 RED: poll-only on PR #5 returned VERDICT=RED BUILD=https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/34 ✓
- V2 rerun edge: `POST=1 MAX_WAIT=80 INTERVAL=5 /srv/cc-ci/.claude/skills/recipe-upgrade/testme-on-pr.sh custom-html-tiny 5`
  now returns the fresh rerun build `#43` (not the stale prior `#37`); PR comments `4 -> 5` ✓

## V4 — COMPLETE: 2-run regression loop (within the 3-run budget)

**Regression PR:** `https://git.autonomic.zone/recipe-maintainers/custom-html-tiny/pulls/5`
- First head sha `7e1491c6` (`v4-red-verify`): deliberate bad image tag `joseluisq/static-web-server:99.0.0-bad-tag`
- `POST=0 /srv/cc-ci/.claude/skills/recipe-upgrade/testme-on-pr.sh custom-html-tiny 5` → `VERDICT=RED BUILD=https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/34`
- Build #34 result: install PASS, upgrade FAIL, clean_teardown=true, no_secret_leak=true
- Fix pushed on the same PR branch: head sha `4bd8416a`, restoring the known-good upgrade files from `upgrade-1.1.0+2.42.0`
- Re-`!testme` on PR #5 → Drone build #37 → `VERDICT=GREEN BUILD=https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/37`
- PR remains open and unmerged; both RED and GREEN results are recorded on the PR

## Verification item status

| Item | Status | Evidence |
|---|---|---|
| V1 — !testme trigger + result-back | PARTIAL | build #29 triggered in <30s; commit status + PR comment posted ✓ |
| V2 — testme-on-pr.sh reads verdict | DONE | GREEN ✓ (build #29/#35); RED ✓ (build #34); rerun fix ✓ (build #43) |
| V3 — /recipe-upgrade sandbox GREEN | DONE | custom-html-tiny PR#2; build #29 SUCCESS |
| V4 — 3-iter regression loop | DONE | custom-html-tiny PR#5; build #34 RED, build #37 GREEN |
| V5 — stale-test DEFAULT = comment | TODO | |
| V6 — --with-tests opens+verifies cc-ci test PR | TODO | |
| V7 — mirror reconciliation | DONE | PR#1 superseded, PR#4 merged-upstream, main=upstream ✓ |
| V8 — /upgrade-all DEFAULT run | TODO | |
| V8a — cc-ci-upgrader agent | TODO | |
| V9 — cleanup | TODO | |

## V5/V6 groundwork in progress

- Added orchestration helpers in `/srv/cc-ci-orch/.claude/skills/`:
  - `recipe-upgrade/post-pr-comment.sh` — post explanatory/cross-link PR comments via Gitea API
  - `ci-test-review/open-cc-ci-pr.sh` — open/update `recipe-maintainers/cc-ci` PRs from a dedicated branch
- Live candidate check: `ssh cc-ci "abra recipe upgrade n8n -m -n"` shows a real n8n upgrade path
  (`n8nio/n8n 2.20.6 -> 2.23.1`, `pgautoupgrade 17-alpine -> 18-alpine`).
- Live recipe PR proof: `https://git.autonomic.zone/recipe-maintainers/n8n/pulls/2`
  (`upgrade-3.3.0+2.23.1`, head `c8d27a2`). `!testme` build #47 returned
  `VERDICT=GREEN BUILD=https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/47`.
- Conclusion: `n8n` is a good sandbox for V5/V6, but this real upgrade did **not** naturally surface the
  stale-test path. Next step is to seed the stale-test case explicitly on a sandbox/scratch branch per
  Phase 5 §2, then exercise DEFAULT comment-only and `--with-tests` flows against that seeded case.
- Second live candidate check: `cryptpad` app image `version-2026.2.0 -> version-2026.5.1` plus
  `nginx 1.29 -> 1.31` on PR `https://git.autonomic.zone/recipe-maintainers/cryptpad/pulls/3`
  (`upgrade-0.5.5+v2026.5.1`, head `9db61d3`) also went GREEN on `!testme` build `#50`.
- Additional live finding: `lasuite-meet` has a real upgrade path (`v1.16.0 -> v1.17.0`), but its PR
  `https://git.autonomic.zone/recipe-maintainers/lasuite-meet/pulls/2` stayed `VERDICT=PENDING BUILD=?`
  across repeated `POST=0` polls because `recipe-maintainers/lasuite-meet` is not in the bridge's
  enrolled poll list. That makes it unusable for V5/V6 until explicitly enrolled.
- Enrollment fix authored and pushed: `f28a2a3 fix(bridge): enroll lasuite-meet for !testme` adds
  `recipe-maintainers/lasuite-meet` to `nix/modules/bridge.nix` `POLL_REPOS`.

## Verification next step

- When `ssh cc-ci` returns, verify the live bridge poller logs include `recipe-maintainers/lasuite-meet`,
  then re-run `POST=1/POST=0 /srv/cc-ci/.claude/skills/recipe-upgrade/testme-on-pr.sh lasuite-meet 2`.

## Phase 5 gates

(None claimed yet.)

## Blocked

- `cc-ci` host is currently unreachable over Tailscale after `nixos-rebuild test --flake
  path:/root/builder-clone#cc-ci` (used to activate the `lasuite-meet` bridge enrollment without touching
  the bootloader). Current probes from the orchestrator:
  - `ssh cc-ci ...` -> `connect to host 100.95.31.88 port 22: Connection timed out`
  - `tailscale status` shows `100.95.31.88 cc-ci ... active; relay "nue"; offline`
  - `tailscale ping -c 3 cc-ci` -> `no reply`
  The code change is pushed; live verification is blocked until host reachability returns.