cc-ci/machine-docs/REVIEW-nixenv.md

REVIEW — phase nixenv (Adversary)

Phase plan: /srv/cc-ci/cc-ci-plan/plan-phase-nixenv-shared-runtime-env.md SSOT for verification. Verdicts below; cold-runs only.

Status: M1 PASS @ 2026-06-17T17:40Z (claim 8b8fc1f). M2 gated behind, not yet claimed.

---

M1 — PASS @ 2026-06-17T17:40Z — claim 8b8fc1f

Single-source harness runtime env — cold-verified, all 6 DoD items. Verdict formed from the phase plan (SSOT), the code, and my OWN cold builds/evals — JOURNAL-nixenv.md NOT consulted (anti-anchoring preserved).

1. Builds succeed, both hosts (no collision). nix build .?submodules=1#…cc-ci-hetzner…toplevel → EXIT 0; …#…cc-ci…toplevel → EXIT 0. (A transient SQLite eval-cache "busy" from running both in parallel was error (ignored), not a build failure.)
2. Single source (greps). withPackages → 1 hit (packages.nix:17 ccciPyEnv); pytest playwright → 1 hit (same line); ccciRuntimeTools defined once (packages.nix:45), referenced by cc-ci-run (:68) + both host configs. nightly-sweep.nix has NO withPackages, NO python3, NO /run/current-system/sw/bin PATH prepend — runtimeInputs = [ pkgs.cc-ci-run ] and exec cc-ci-run …. The DEFECT-3 host-PATH patch is GONE.
3. Superset-or-equal — inspected the BUILT wrapper PATH. cc-ci-run store zxlx9jnylh7la5m48bsqb1wfm5l9r0bd export PATH carries all 15 store dirs: python3-3.12.8-env, abra-0.13.0-beta, docker-27.5.1, git-2.47.2, git-lfs-3.6.1, bash-5.2p37, coreutils-9.5, util-linux-2.39.4, curl-8.12.1, jq-1.7.1, gnused-4.9, gnugrep-3.11, gnutar-1.35, openssl-3.3.3, procps-4.0.4 — and ends :$PATH (PREPEND, inherited PATH retained → nothing from any path lost). Covers the full union of all 3 prior lists; git-lfs+openssl are the only additions. Nothing dropped.
4. Sweep ≡ Drone entrypoint (parity by construction). Built cc-ci-nightly-sweep references the BYTE-IDENTICAL zxlx9jnylh7la5m48bsqb1wfm5l9r0bd-cc-ci-run; both hosts' pkgs.cc-ci-run resolve that SAME store path; .drone.yml:83 runs cc-ci-run runner/run_recipe_ci.py (host systemPackages wrapper = same path). Same store path ⇒ identical pyEnv + tooling + PLAYWRIGHT_BROWSERS_PATH on Drone path AND timer sweep.
5. Host divergence removed. Both configuration.nix systemPackages lines are textually identical (pkgs.ccciRuntimeTools ++ [ pkgs.openssh ]). The pre-refactor cc-ci-vs-hetzner git-lfs one-off divergence (my prep flag #1) is ELIMINATED: built cc-ci toplevel sw/bin now contains git-lfs, openssl, script (util-linux) — tools it previously lacked. openssh correctly kept host-only (ssh client, not a recipe tool); it remains on both hosts so the Drone path's inherited PATH is unchanged for it.
6. Future-dep propagation (by construction). ccciRuntimeTools is the lone definition; it feeds cc-ci-run.runtimeInputs (→ Drone path via .drone.yml, → sweep via exec cc-ci-run) AND both hosts' systemPackages (→ Drone runner host PATH). One edit to that list reaches every consumer. Proven structurally via the reference graph; no working-tree mutation needed.

No defects, no VETO. Faithful refactor — one shared definition, three references, DEFECT-3 class structurally eliminated. M2 (deploy via nixos-rebuild switch + live parity witness: gitea LFS roundtrip green under BOTH Drone path and a real timer fire) remains to be claimed/verified.

---

(prior) Cold-prep notes

---

Cold-prep — enumeration of the CURRENT (pre-refactor) declarations @ HEAD dd6712c

The M1 superset-or-equal proof must show the new shared set ⊇ the union of all of these. Captured from the code (SSOT), independent of any Builder narrative:

(A) nix/modules/harness.nix — cc-ci-run (Drone entrypoint) runtimeInputs: pyEnv abra docker git coreutils util-linux

• pyEnv = python3.withPackages [ pytest playwright ]
• env: PLAYWRIGHT_BROWSERS_PATH=${playwright-driver.browsers}, PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1

(B) nix/modules/nightly-sweep.nix — sweep runtimeInputs: bash abra docker git curl jq gnused gnugrep gnutar coreutils util-linux procps

• DUPLICATE pyEnv = python3.withPackages [ pytest playwright ]
• same PLAYWRIGHT env
• DEFECT-3 patch: export PATH="/run/current-system/sw/bin:/run/wrappers/bin:$PATH" (host-PATH prepend)

(C) Drone runner path — nix/modules/drone-runner.nix: PATH = mkForce "/run/current-system/sw/bin:/run/wrappers/bin" → recipe shell-outs resolve from host environment.systemPackages, NOT a runtimeInputs list.

(D) Host systemPackages (feeds C):

• nix/hosts/cc-ci/configuration.nix: curl git jq openssh ← NO git-lfs
• nix/hosts/cc-ci-hetzner/configuration.nix: curl git git-lfs jq openssh

UNION the shared set must cover (≥):

python3+pytest+playwright (pyEnv) · playwright browsers · abra docker git git-lfs coreutils util-linux bash curl jq gnused gnugrep gnutar procps openssh Plan §2 also names openssl as a recipe shell-out → expect it present too.

Pre-noted suspicions to break on M1/M2 (cold, not yet verdicts):

1. Host divergence: cc-ci config lacks git-lfs but hetzner has it. Which config is the LIVE ssh cc-ci server running, and does git-lfs actually resolve there today? If the shared set is applied to both host configs, cc-ci should GAIN git-lfs. Verify both configs end identical.
2. Nothing dropped: any token in the union missing from the shared set = blast-radius break.
3. Sweep parity by construction: plan wants sweep to invoke cc-ci-run (same entrypoint) — if it instead keeps a parallel list, "single source" is not actually achieved; grep must prove no module declares its own harness dep list.
4. DEFECT-3 patch removal: the host-PATH prepend should be gone/subsumed; if removed, git-lfs etc. must now come from the shared runtimeInputs, else the sweep regresses.
5. Live witness: gitea test_lfs_roundtrip must stay GREEN under BOTH Drone path and a real timer fire from the unified env.