cc-ci/BACKLOG.md
autonomic-bot deb4a0fbed M0 complete: sops-nix wiring + decrypt-a-test-secret; M0 gate CLAIMED
Host decrypts /run/secrets/test_secret via its ssh host key (age identity);
off-box master recovery recipient. sops-nix pinned to a buildGoModule-era rev
for nixpkgs 24.11 compat.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 21:41:45 +01:00


# BACKLOG — cc-ci

Two single-writer sections (§6.1): Builder edits only ## Build backlog; Adversary edits only ## Adversary findings. Closing an item = checking the box in your own section.

## Build backlog

### M0 — Foundations

  • Author flake.nix (NixOS host cc-ci) + hosts/cc-ci/{configuration,hardware}.nix from baseline
  • Deploy mechanism decision + first rebuild from repo (DECISIONS.md) — switch --flake on host
  • sops-nix wiring: host age key (from ssh host key) + master recovery key; secrets/secrets.yaml; decrypt a test secret on host → /run/secrets/test_secret (0400 root) verified
  • Gate: M0 — ssh cc-ci 'systemctl is-system-running' healthy after rebuild from repo → CLAIMED 2026-05-26, awaiting Adversary (see STATUS.md)

### M1 — Swarm + abra target

  • Docker + single-node swarm via Nix
  • Traefik (file provider → /var/lib/ci-certs/live/) + per-run wildcard router
  • abra installed; deploy + tear down a trivial recipe by hand over HTTPS
  • Gate: M1 — recipe reachable over HTTPS at *.ci.commoninternet.net, torn down clean

### M2 — Drone online

  • Drone server + exec runner via Nix; Gitea OAuth app
  • hello-world .drone.yml runs green; logs in Drone UI
  • Gate: M2 — push to cc-ci triggers visible green build

### M3 — Comment bridge

  • comment-bridge service: HMAC verify, !testme exact match, collaborator check, Drone API call
  • PR comment posting with run link
  • Gate: M3 — live demo on scratch PR; auth enforced
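The four checks listed for the comment bridge (HMAC verify, exact `!testme` match, collaborator check, Drone API call), as an added example in Python; this is not the cc-ci project's code. It assumes the forge signs the raw webhook body with HMAC-SHA256 and sends the hex digest in an `X-Gitea-Signature` header, that the `issue_comment` payload has Gitea's `action` / `issue` / `comment` / `repository` shape, and it injects the collaborator lookup and the Drone trigger as callables so it runs offline on constructed payloads.

```python
"""Comment-bridge decision logic: an added example, not the cc-ci project's code.

Assumptions (not from the backlog): the forge signs the raw webhook body with
HMAC-SHA256 and sends the hex digest in an X-Gitea-Signature header; the
issue_comment payload carries action / issue / comment / repository in Gitea's
shape; the collaborator lookup and the Drone build trigger are injected
callables so everything runs offline.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

TRIGGER_PHRASE = "!testme"  # whole comment, exact match after stripping whitespace


@dataclass
class Decision:
    accepted: bool
    reason: str
    run_ref: Optional[str] = None


def sign_body(raw_body: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body, as the forge computes it."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, signature_hex: str, secret: bytes) -> bool:
    # Constant-time compare: a plain == leaks how many leading hex characters matched.
    return hmac.compare_digest(sign_body(raw_body, secret), signature_hex.strip().lower())


def is_trigger(comment_body: str) -> bool:
    # Exact match, not substring: "!testme please", "!testmeow" and a quoted
    # "> !testme" inside a reply must all be ignored.
    return comment_body.strip() == TRIGGER_PHRASE


def handle_comment(raw_body, signature_hex, secret, is_collaborator, trigger_build) -> Decision:
    """Checks run cheapest-and-most-critical first: nothing past the signature
    check executes for an unauthenticated request, and the collaborator lookup
    (a network call) happens only for a genuine trigger on a real PR."""
    if not verify_signature(raw_body, signature_hex, secret):
        return Decision(False, "bad signature")
    try:
        event = json.loads(raw_body)
    except ValueError:
        return Decision(False, "malformed json")
    if event.get("action") != "created":
        return Decision(False, "not a new comment")  # edited/deleted comments never fire
    issue = event.get("issue") or {}
    if not issue.get("pull_request"):
        return Decision(False, "not a pull request")
    comment = event.get("comment") or {}
    if not is_trigger(comment.get("body", "")):
        return Decision(False, "no trigger phrase")
    repo = event.get("repository") or {}
    owner = (repo.get("owner") or {}).get("login")
    name = repo.get("name")
    login = (comment.get("user") or {}).get("login")
    number = issue.get("number")
    if not (owner and name and login and isinstance(number, int)):
        return Decision(False, "payload missing fields")
    # Authorise the commenter, not the PR author: anyone can open a PR, but only
    # a collaborator may spend CI time on it.
    if not is_collaborator(owner, name, login):
        return Decision(False, f"{login} is not a collaborator")
    return Decision(True, "build triggered", trigger_build(owner, name, number))


# --- constructed sample data so the module runs stand-alone ---------------------
SECRET = b"constructed-webhook-secret"


def sample_event(body: str, login: str = "alice") -> bytes:
    return json.dumps({
        "action": "created",
        "issue": {"number": 7, "pull_request": {"merged": False}},
        "comment": {"body": body, "user": {"login": login}},
        "repository": {"name": "cc-ci", "owner": {"login": "autonomic"}},
    }).encode()


def fake_is_collaborator(owner: str, repo: str, login: str) -> bool:
    return login == "alice"  # constructed allow-list standing in for the forge API


def fake_trigger_build(owner: str, repo: str, pr: int) -> str:
    return f"https://drone.example/{owner}/{repo}/{pr}"  # constructed run link


def demo() -> dict:
    """Four constructed comments; returns the Decision for each."""
    cases = {
        "ok": (sample_event("!testme"), SECRET),
        "substring": (sample_event("!testme please"), SECRET),
        "outsider": (sample_event("!testme", login="mallory"), SECRET),
        "forged": (sample_event("!testme"), b"attacker-guessed-secret"),
    }
    return {label: handle_comment(raw, sign_body(raw, key), SECRET,
                                  fake_is_collaborator, fake_trigger_build)
            for label, (raw, key) in cases.items()}


if __name__ == "__main__":
    for label, d in demo().items():
        print(f"{label:10} accepted={d.accepted} reason={d.reason}")
```

The check order is the point of the example: signature before parsing (so a malformed or oversized body from an unauthenticated sender never reaches the JSON decoder), exact-match trigger before the collaborator lookup (so the bridge does not make a forge API call for every PR comment), and authorisation on the commenter rather than the PR author.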

### M4 — Harness + install stage

  • run_recipe_ci.py + conftest; install stage for recipe #1 + Playwright assertion; teardown
  • Gate: M4 — green install run, no orphaned app/volume

### M5 — Upgrade + backup/restore stages

  • Add upgrade + backup/restore stages for recipe #1
  • Gate: M5 — upgrade preserves data; backup→mutate→restore returns original

### M6 — Recipe-local tests + second recipe

  • Discover/run recipe-repo tests/; enroll DB-backed recipe #2
  • Gate: M6 — both green; recipe-local tests merged

### M6.5 — Breadth ramp (recipes 3→6)

  • Enroll recipes 3–6 covering remaining D10 categories, no harness surgery
  • Gate: M6.5 — recipes 3–6 three-stage green

### M7 — Secrets hardening (D6)

  • Full sops model, rotation doc, log redaction + leak test
  • Gate: M7 — secret-grep finds nothing
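The "log redaction + leak test" item and its secret-grep gate, as an added example in Python (not the cc-ci project's code). It assumes the harness knows its secrets as name → value pairs (as it would after sops decrypts them into `/run/secrets/`); the secret values and log lines are constructed. It goes slightly beyond the item by also matching URL-encoded and base64 forms of each value, since a connection string or `Authorization` header is where a secret usually leaks, and by refusing to redact very short values rather than masking every line.

```python
"""Log redaction + leak test: an added example, not the cc-ci project's code.

Assumes secrets are available to the runner as name -> value (as after sops
decryption). Secret values and log lines below are constructed.
"""
import base64
import logging
import re
from typing import Dict, Iterable, List, Set
from urllib.parse import quote

MIN_SECRET_LEN = 8  # never redact tiny values: masking "1" or "ab" would shred every line


def variants(value: str) -> Set[str]:
    """Forms a secret commonly takes in logs: raw, URL-encoded, base64."""
    return {value, quote(value, safe=""), base64.b64encode(value.encode()).decode()}


def _index(secrets: Dict[str, str]) -> Dict[str, str]:
    # variant -> secret name, skipping values too short to redact safely
    return {v: name for name, val in secrets.items() if len(val) >= MIN_SECRET_LEN
            for v in variants(val)}


def redact(line: str, secrets: Dict[str, str]) -> str:
    index = _index(secrets)
    if not index:
        return line
    # Longest alternatives first so a secret that is a prefix of another is not half-masked.
    pat = re.compile("|".join(re.escape(v) for v in sorted(index, key=len, reverse=True)))
    return pat.sub(lambda m: f"<redacted:{index[m.group(0)]}>", line)


class RedactingFilter(logging.Filter):
    """Attach to every handler so a formatted record never reaches disk unredacted."""

    def __init__(self, secrets: Dict[str, str]):
        super().__init__()
        self.secrets = secrets

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage(), self.secrets)
        record.args = ()  # message already interpolated above
        return True


def leak_test(lines: Iterable[str], secrets: Dict[str, str]) -> List[str]:
    """The secret-grep gate as code: names of secrets found, in any variant, in any line.
    Deliberately ignores MIN_SECRET_LEN: a value too short to redact must still fail the gate."""
    index = {v: n for n, val in secrets.items() for v in variants(val)}
    hits = {name for line in lines for v, name in index.items() if v in line}
    return sorted(hits)


# --- constructed sample data ----------------------------------------------------
SECRETS = {  # constructed values, not real credentials
    "db_password": "s3cr3t/pa55word@xyz",
    "api_token": "tok_live_0123456789abcdef",
}
RAW_LINES = [  # constructed log lines of the kind the harness might emit
    "abra: connecting postgres://app:s3cr3t%2Fpa55word%40xyz@db:5432/app",
    "drone: request header Authorization: Bearer tok_live_0123456789abcdef",
    "harness: install stage ok",
]


def demo() -> dict:
    """Redact the sample lines and run the leak test before and after."""
    clean = [redact(line, SECRETS) for line in RAW_LINES]
    return {"before": leak_test(RAW_LINES, SECRETS),
            "after": leak_test(clean, SECRETS),
            "lines": clean}


if __name__ == "__main__":
    result = demo()
    print("leaks before:", result["before"], "after:", result["after"])
    for line in result["lines"]:
        print(line)
```

The first sample line shows why plain value matching is not enough for the gate: the password only appears URL-encoded inside the connection string, so a grep for the raw value would pass while the secret is still on disk. Installing `RedactingFilter` on each logging handler redacts at the point of emission; `leak_test` is the independent check that runs over whatever actually got written.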

### M8 — Dashboard (D7)

  • Overview page + badges + PR-comment outcome reflection
  • Gate: M8 — overview matches reality; outcomes mirrored

### M9 — Reproducibility + docs (D8/D9)

  • docs/install.md from-scratch rebuild; all docs complete
  • Gate: M9 — Adversary rebuilds from docs on throwaway host

### M10 — Proof (D10)

  • All six recipes green via real !testme PRs; flip STATUS to DONE

## Adversary findings