Skip to content

ci(v2): real-install command harness — run the read-only safe surface live (closes Track V)#59

Merged
actools-pl merged 1 commit into
mainfrom
phaseV/V2-command-harness
Jun 29, 2026
Merged

ci(v2): real-install command harness — run the read-only safe surface live (closes Track V)#59
actools-pl merged 1 commit into
mainfrom
phaseV/V2-command-harness

Conversation

@actools-pl

@actools-pl actools-pl commented Jun 29, 2026

Copy link
Copy Markdown
Owner

What

Turns the V1 matrix's documented command contracts into executed ones. Extends the
real-install e2e (.github/workflows/e2e.yml) — which ran only audit + doctor
(2 of 30) — to run the read-only safe surface against the live VM after install,
asserting each command's matrix signature/exit. Three steps appended after "Run
doctor (smoke)"; the working provision/deploy/audit/doctor steps untouched.

  • Step A — deterministic read-only commands over SSH (status, log-dir,
    dry-run, migrate, help, storage-info, redis-info, slow-log, pdf-test,
    each asserting a stable header/token; worker-status asserting exit 0), plus
    tls-status and oom.
  • Step B — the streaming trio (logs, stats, worker-logs) under a remote
    timeout; exit 124 ≡ clean stream; stats asserts CONTAINER.
  • Step Caudit --ci, asserting CI mode (banner suppressed + PASS= summary),
    additively — the existing audit ci gate and audit.sh are untouched.

CI-coverage rises 2 → 17 of 30. The 13 skipped: 7 mutating (incl. tunnel),
2 interactive, 1 destructive, 3 read-only with an unmet external dependency.

Verified live

Branch e2e green on the read-only surface — including worker-status, which now
bootstraps because the worker image carries phpredis (WR, #60, landed first). This
entry ratifies WR. tls-status/oom exercised green.

Finding recorded (not re-wired)

audit ciaudit --ci: the existing gate invokes audit ci → default mode →
grep PASS≥10 sound; audit --ci is the CI-mode path, now pinned by Step C.

Verification

  • REVIEW: APPROVE — every signature traced to its arm; Step C confirmed against
    output.sh:26/report.sh:14; env facts verified from the deploy step.
  • DOC-CHECK: PASS — six doc-truth axes code-true; doc-claim guard 5/5;
    tunnel skip-class harmonized to mutating (matrix summary + ledger).
  • Scope = 3 files (e2e.yml, live-verification-matrix.md, PHASE0_LEDGER.md);
    product/audit code byte-identical; author actools-pl <feezixmp@gmail.com>.

@actools-pl actools-pl force-pushed the phaseV/V2-command-harness branch from 0192aa5 to 83b964e Compare June 29, 2026 11:25
@actools-pl actools-pl merged commit c17197f into main Jun 29, 2026
10 checks passed
@actools-pl actools-pl deleted the phaseV/V2-command-harness branch June 29, 2026 13:55
actools-pl added a commit that referenced this pull request Jun 30, 2026
…ack E) (#61)

## What
modules/backup/ carries the live daily backup generator (cron.sh) plus a ten-file
PITR/encrypted draft cluster, and across them a backup artifact is named, located,
time-stamped, encrypted, and checksummed three incompatible ways. Wiring the encrypted
backup (E2) and binlog/PITR (E3) would cement those three dialects unless one contract
is fixed first. E1 fixes it — behavior-free: a doc + a guard + the ledger.

New docs/backup-format-contract.md — the canonical source of truth for backup-artifact
shape. It transcribes the live (A) format exactly from cron.sh and the restore arm
(cli/actools:241): ${INSTALL_DIR}/backups/<env>_db_<YYYY-MM-DD>.sql.gz (+ .sha256),
content gzip(mariadb-dump --single-transaction --quick actools_<env>), flat directory,
daily timestamp, 7-day retention, integrity-or-delete, and the umask-077
--defaults-extra-file password shape. It then defines the canonical scheme X (naming
grammar <env>_<kind>_<timestamp>.<ext>[.age][.sha256]; Age encryption with the .sha256
taken over the ciphertext; the PITR nested layout rooted under ${INSTALL_DIR}/backups/;
the secure password shape mandatory for every producer) and a divergence ledger
recording, per dialect, where the encrypted (B) and PITR (C) drafts diverge from X and
what E2/E3 must do to conform. B and C are marked TARGET / NOT YET LIVE throughout.

New tests/guards/backup_format_contract_guard_test.bats — pins ONLY the live (A)
producer<->consumer agreement at this baseline, mirroring the discipline of
cron_security_shape_guard_test.bats. It renders the live cron through the existing
tests/helpers/capture_backup_cron.sh and asserts the producer DB pattern
(<env>_db_<…>.sql.gz under a backups/ root), the .sha256 integrity sidecar + sha256sum
-c, the restore consumer's default glob agreeing on the same root/stem/extension, and
the consumer checksum convention. Two permanent non-vacuity arms doctor the producer
stem (_db_ -> _database_) and the restore glob on OFF-TREE scratch copies and assert the
agreement oracle FAILS ("CONTRACT DRIFT: producer writes '…' but the restore consumer
globs '…'"); the repo is never modified. Discovered by the recursive bats job (lint.yml:
bats -r tests/) — no workflow edit.

## Gate
Behavior-free — no producer, consumer, draft, module, or golden is touched; nothing
executable changes, so no branch e2e is required (like C1/D1b/D2/V1).
Runtime-authority-changes: none (cli/actools, cron.sh, all modules byte-identical).

## Scope / verification
- Scope = 3 files: docs/backup-format-contract.md (new),
  tests/guards/backup_format_contract_guard_test.bats (new), and
  docs/runbooks/PHASE0_LEDGER.md (Entry 031 + ratify Entry 030).
- bats -r tests/: 241 -> 247 (+6 new arms, all green); the 12 pre-existing
  jq-dependent secrets/state failures are environmental and unchanged (no regression).
- cron.sh, cli/actools, the 10 draft files, tests/fixtures/golden/backup-cron/*,
  capture_backup_cron.sh, and modules/host/age.sh are byte-identical to baseline c17197f.
- Author actools-pl <feezixmp@gmail.com>; no Co-authored-by.

Ledger: add Entry 031 (E1, Pending); ratify Entry 030 (V2, c17197f/#59, closes Track V),
original Pending text preserved verbatim. Entries 029..001 byte-identical.

REVIEW (guard non-vacuity + doc-vs-code spot checks) then DOC-CHECK (the contract doc is
the primary deliverable) follow. The coding window does not self-approve.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant