JOURNAL — phase bsky

2026-06-11T11:31Z–11:55Z — bootstrap + root-cause diagnosis (B1, B2)

Phase start. Read plan-phase-bsky-fix.md + plan.md §6.1/§7/§9. Adversary seeded REVIEW-bsky.md (8d5bf30) with cold baseline recon — same suspects I confirmed below.

Diagnosis chain (commands + outputs):

  1. Mirror clone (b2d86ef): `compose.yml` pins `image: ghcr.io/bluesky-social/pds:0.4`, overrides entrypoint (`dumb-init --` + config-mounted `/entrypoint.sh`); `entrypoint.sh.tmpl` ends `exec node --enable-source-maps index.js` — relative path, resolved against image WORKDIR.

  2. Live image inspection on cc-ci:

    • `docker image inspect ghcr.io/bluesky-social/pds:0.4 --format "{{.Id}} created={{.Created}} workdir={{.Config.WorkingDir}} ... cmd={{.Config.Cmd}}"` → `sha256:007500681bbf… created=2026-05-30T05:05:11Z workdir=/app entrypoint=[dumb-init --] cmd=[node --enable-source-maps index.ts]`
    • `docker run --rm --entrypoint sh ghcr.io/bluesky-social/pds:0.4 -c 'node --version; ls /app'` → `v24.15.0` / `index.ts node_modules package.json pnpm-lock.yaml`; no `index.js`.
    • `grep @atproto/pds /app/package.json` → `"@atproto/pds": "0.5.1"`; `/usr/local/bin/goat` present.

     So :0.4 is now a main-branch 0.5.1 build → recipe's `index.js` exec = MODULE_NOT_FOUND. This precisely explains the rcust-era crash-loop evidence (Node v24.15.0 in traceback).

  3. Upstream research:

    • ghcr tags/list (paginated): exact tags …0.4.158, 0.4.169, 0.4.182, 0.4.188, 0.4.193, 0.4.204, 0.4.208, 0.4.219, plus anomalous 0.4.5001. :0.4 digest 871194d2… == latest, ≠ 0.4.219 (e0b756701c92…) → :0.4 republished past the release line.
    • Dockerfile@v0.4.219: node:20.20-alpine3.23, WORKDIR /app, CMD index.js, dumb-init.
    • Dockerfile@main: node:24.15-alpine3.23, CMD index.ts, + goat binary — matches what :0.4 now contains. GitHub releases/latest 404s (they only push git tags).
    • service/package.json@v0.4.219: "@atproto/pds": "0.4.219".
  4. Candidate-fix image verified on cc-ci: `docker run --rm --entrypoint sh ghcr.io/bluesky-social/pds:0.4.219 -c 'node --version; ls /app; grep @atproto/pds /app/package.json; which dumb-init'` → `v20.20.2` / `index.js` present / `"@atproto/pds": "0.4.219"` / `/usr/bin/dumb-init`. Image CMD `[node --enable-source-maps index.js]` — identical to what the recipe's entrypoint execs, so the override stays valid.
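
Added example (not part of the journal or the recipe's own code): the checks from steps 1–4 as a small Python audit that flags a floating pin whose digest has drifted from the newest exact tag and whose WORKDIR no longer holds the file the entrypoint execs. All data is constructed: digests are placeholders, the file listings follow the outputs quoted above, and the function names and the hand-maintained `ANOMALOUS` set are assumptions.

```python
import re

EXACT = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")  # full x.y.z release tag

def newest_exact(tags, line, ignore=()):
    """Highest x.y.z tag on release line `line` (e.g. "0.4"), skipping `ignore`."""
    found = []
    for t in tags:
        m = EXACT.match(t)
        if m and t.startswith(line + ".") and t not in ignore:
            found.append((tuple(map(int, m.groups())), t))
    return max(found)[1] if found else None

def audit_pin(pinned, digests, files, exec_target, ignore=()):
    """Return findings for a recipe that pins `pinned` and execs `exec_target`
    relative to the image WORKDIR, whose listing is files[pinned]."""
    findings = []
    if not EXACT.match(pinned):
        findings.append(f"{pinned}: floating tag, content can change under the pin")
        best = newest_exact(digests, pinned, ignore)
        if best and digests[pinned] != digests[best]:
            findings.append(f"{pinned}: digest differs from newest exact tag {best}")
        if digests.get("latest") == digests[pinned]:
            findings.append(f"{pinned}: same digest as latest")
    if exec_target not in files[pinned]:
        findings.append(f"{pinned}: {exec_target} missing from WORKDIR")
    return findings

# Constructed sample data: digests are placeholders, not the real registry values.
DIGESTS = {
    "latest": "sha256:" + "a" * 64,
    "0.4": "sha256:" + "a" * 64,
    "0.4.208": "sha256:" + "b" * 64,
    "0.4.219": "sha256:" + "c" * 64,
    "0.4.5001": "sha256:" + "d" * 64,
}
# Constructed WORKDIR listings, reduced to the entries the journal reports.
FILES = {
    "0.4": {"index.ts", "node_modules", "package.json", "pnpm-lock.yaml"},
    "0.4.219": {"index.js", "package.json"},
}
ANOMALOUS = {"0.4.5001"}  # assumption: excluded by hand, as the journal treats it

if __name__ == "__main__":
    for tag in ("0.4", "0.4.219"):
        print(tag, audit_pin(tag, DIGESTS, FILES, "index.js", ANOMALOUS) or "ok")
```

Without the `ignore` set, a plain version sort would select 0.4.5001 as the newest exact tag, which is why the anomalous tag has to be excluded explicitly.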

Why pin 0.4.219 and not chase 0.5.1 (rationale, summarized in DECISIONS.md): 0.5.1 exists only as the moving :0.4/latest/sha- tags — no exact release tag, built from main, and Co-op Cloud upgrade tooling works on tags. Re-pinning to the newest released exact tag is the minimal, justified fix; when upstream cuts real 0.5.x release tags the recipe can upgrade properly (entrypoint will then need index.ts + Node 24 — noted in upstream registry).

Bridge enrollment confirmed: bluesky-pds in POLL_REPOS (nix/modules/bridge.nix:43) → !testme works. Mirror has only closed PR#1 (skill smoke test); my fix → PR#2.

Next: DECISIONS entry (B3), mirror branch + PR (B4), !testme (B5).