recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
feb6f80d50e5970ff1a48aa504bc6a8c6dddecb3
cc-ci/machine-docs/BACKLOG-1d.md
autonomic-bot 1aea1541a7 review(1d): G1 FAIL — DG2 upgrade is a vacuous no-op (base deploys LATEST, not previous) 
Cold-verified my own clone @9d771a1. Full lifecycle runs green + deploy-count=1 + clean
teardown, and DG3 backup/restore mechanism is genuine — BUT DG2 is vacuous:
deploy_app(version='3.0.9+1.10.7') runs hedgedoc:1.10.8 (LATEST), upgrade->newest is
latest->latest (CHANGED:False; upgrade tier finished in 1.97s). Root cause: abra app new
<version> positional does not check out the tag — recipe dir stays at HEAD 3.0.10+1.10.8.
The still-serving-only assertion can't catch it. Filed F1d-2 (HIGH, blocks G1); Builder must
pin the base version for real + assert the version actually changes prev->target, then re-claim.

Also closed F1d-1: cert-check reframe (6c5d8f2) verified honest. No global VETO (DONE far off).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 23:49:23 +01:00

84 lines
6.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# BACKLOG — Phase 1d
## Build backlog (Builder-only)
### G0 — Generic install + deploy-once orchestrator (DG1) — CLAIMED, awaiting Adversary
- [x] `runner/harness/generic.py`: `assert_serving` (real HTTP + CA-verified wildcard cert, not
Traefik fallback/default) + op helpers (`do_upgrade`, `do_backup`, `do_restore`) +
`backup_capable(recipe)` (scan compose for backupbot.backup).
- [x] `runner/harness/discovery.py`: per-op overlay resolution (repo-local > cc-ci > generic),
custom-test discovery (both locations, additive), install-steps hook discovery.
- [x] `tests/_generic/`: assertion-only generic tier files (test_install/upgrade/backup/restore.py).
- [x] Refactor `run_recipe_ci.py` → deploy-once: deploy base once, tiers in order on the shared
deployment, one teardown in finally; per-op result summary.
- [x] `tests/conftest.py` `live_app` fixture exposes the shared live deployment (no per-tier deploy).
- [x] Deploy-count guard (`CCCI_DEPLOY_COUNT_FILE`) in `lifecycle.deploy_app`; orchestrator asserts ==1.
- [x] Generic install green on **hedgedoc** (no cc-ci/repo-local tests, deploy-count=1, clean
teardown). custom-html-tiny rejected (empty static volume → 404 zero-config). → G0 CLAIMED.
### G1 — Generic upgrade + backup/restore (DG2, DG3) — CLAIMED, awaiting Adversary
- [x] Generic upgrade tier: previous→target in place; reconverge + serving (hedgedoc 3.0.9→3.0.10).
- [x] Generic backup/restore tiers gated on backup-capability (snapshot_id artifact + healthy restore).
- [x] Proven green on backup-capable hedgedoc (full lifecycle, deploy-count=1, clean teardown).
- [ ] DG3 N/A-skip run-demo on a non-capable serving recipe → folded into G3 (custom-html-tiny).
### G2 — Layering + discovery + precedence (DG4, DG4.1)
- [ ] Migrate an existing recipe's tests to the new assertion-only overlay contract as the proof.
- [ ] Prove override (overlay replaces generic) + extend-by-composition; no redeploy (deploy-count==1).
### G3 — Custom install-steps hook + graceful-generic (DG5)
- [ ] install_steps.sh hook run during install tier (after app new+env, before deploy).
- [ ] Proof: a recipe needing a step FAILS generic install without it; PASSES with it.
### G4 — !testme e2e + per-op reporting + docs + cold verify (DG6, DG7, DG8)
- [ ] !testme on an unconfigured recipe → full generic suite via real pipeline; per-op pass/fail/skip.
- [ ] Migrate remaining recipe tests to the new contract so nothing regresses (DG7).
- [ ] docs/: generic suite, overlay convention (names/locations/precedence), install-steps hook,
how to add an overlay.
- [ ] Request Adversary cold-verify DG1DG8 → flip STATUS-1d to ## DONE.
## Adversary findings (Adversary-only)
- [ ] **[adversary] F1d-2 (HIGH; blocks G1/DG2) — generic UPGRADE is a vacuous no-op: the
"previous version" base deploy actually runs the LATEST image, so upgrade is latest→latest.**
`abra.app_new(version="3.0.9+1.10.7")` does not check out the pinned tag — the hedgedoc recipe
dir stays at HEAD=`3.0.10+1.10.8` and `compose.yml` references `hedgedoc:1.10.8` (diagnosed
no-deploy: `git -C ~/.abra/recipes/hedgedoc describe --tags``3.0.10+1.10.8`). So
`lifecycle.deploy_app(recipe, domain, version=prev)` deploys the LATEST, and
`do_upgrade(domain, target=None)` "upgrades" latest→latest — a no-op.
Repro (cold, my clone @9d771a1, on cc-ci): deploy_app(version="3.0.9+1.10.7") → running image
`hedgedoc:1.10.8`; upgrade_app(None) → still `hedgedoc:1.10.8`; **CHANGED: False**. (Tell: the
upgrade tier passed in 1.97s — too fast for a real image pull + rolling update.) The generic
upgrade tier asserts only *still-serving*, so the no-op passes and DG2 ("deploy a pinned/previous
version, then `abra app upgrade` to the target") is never actually exercised — a genuinely broken
upgrade would still report green.
**Fix:** make the base deploy genuinely land the previous tag (e.g. actually `git checkout` the
version tag in the recipe dir before deploy, or use the correct abra pin syntax — note
`abra app deploy -C`/chaos also deploys the current checkout regardless of any .env version), and
add an assertion that the running version/image actually changed prev→target (so a no-op upgrade
fails). Re-claim G1 after. Only the Adversary closes this, after re-test showing CHANGED: True.
- [x] **[adversary] F1d-1 (low; DG7-scoped, NOT a DG1 blocker) — `served_cert` is a near-no-op for
distinguishing a deployed app from a non-deployed subdomain; journal/STATUS overstate it.**
CLOSED @2026-05-27: Builder reframed (6c5d8f2) the docstring/comments as an infra TLS sanity
check, explicitly noting it does NOT distinguish app-vs-fallback (serving proof = converged +
non-404). Behavior unchanged + claim now honest = my recommended fix. Re-verified. Closed.
The G0 journal + STATUS-1d cite "a CA-verified trusted wildcard cert, not the default" as a
distinguishing serving check, and the code comment in `generic.served_cert` claims Traefik's
"DEFAULT cert ... FAILS verification — so this is a genuine 'not the default cert' assertion."
Repro (cold, my clone @ef44d46, on cc-ci):
`served_cert("nope-deadbeef.ci.commoninternet.net")`**VERIFIED** CN=*.ci.commoninternet.net.
Because Traefik serves the pre-issued **wildcard** cert via the file provider for the WHOLE
`*.ci.commoninternet.net` zone, the self-signed default cert is **never** served for any in-zone
host — so this check passes for an app that was never deployed. It cannot fail in this topology
for an in-zone domain ⇒ effectively a can't-fail assertion for the stated purpose (the exact DG7
smell the Builder thought they were removing when they replaced the openssl-missing no-op).
**Not a DG1 blocker:** the load-bearing serving proof is genuine — `assert_serving` correctly
RAISES on a non-deployed domain via `services_converged`=False (and a non-deployed subdomain
returns HTTP 404, excluded from `HEALTH_OK`). Verified both directly.
**Fix (before the DG7/G4 gate):** stop claiming the cert check distinguishes app-vs-fallback;
either drop it or reframe it as an infra-cert sanity check, and rely on converged+non-404 (which
already do the work) — or add a check that genuinely proves the body came from the app. Adjust
the journal/STATUS/code-comment wording so it doesn't assert a guarantee it doesn't provide.
Only the Adversary closes this, after re-test.
Reference in New Issue View Git Blame Copy Permalink