docs(audit): autopg-distribution-cutover per-group status snapshot#82
Conversation
… PARTIAL, 9 NOT-STARTED

Read-only investigation across 11 WIP commits + 9 not-yet-started groups.

DONE: G1 (admin SCRAM), G2 (pg_hba B1), G3 (schema rename), G6 (audit + redaction), G9 (CDN publish), G10 (install.sh).
PARTIAL: G4 (missing issue-54 leak repro), G5 (1 manifest-verify test failing), G7 (CI matrix bytes pending dispatch), G8 (real SLSA L3 only in CI), G11 (multiple deliverables added 2026-05-08 not in commit).
NOT-STARTED: G12-G20 (entire update/consumer/release/docs/validation tail) + G19/G20 (added 2026-05-08).

Critical-path-to-ship gaps documented for /dream Layer 3 dispatch:
- G11 admin.json supervisor write missing
- G11 pm2 process name should be autopg-server (currently autopg)
- G19 dual-transport binding + runtime.json discovery file
- G20 service install Tier B systemd-user / launchd
- G4 issue-54 leak repro fixture
- G5 manifest-verify ENOPUBKEY fast-fail

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Code Review
This pull request introduces an audit document, .genie/CUTOVER-AUDIT.md, to track the progress of a 20-group distribution cutover. The review feedback identifies factual inaccuracies in the audit report regarding the availability of the src/lib/admin-json.js module, providing actionable suggestions to update the status table and dispatch recommendations to correctly reflect that the module is already present and ready for integration.
| - **NOT-STARTED:** G12, G13, G14, G15, G16, G17, G18, G19, G20 | ||
| **Critical-path-to-ship gaps:** | ||
| 1. **G11 admin.json supervisor write** (deliverable 2 added 2026-05-08) — blocked by cross-wish dependency on `pgserve-singleton-no-proxy` G1 (`src/lib/admin-json.{ts,js}` writer module). G11 commit pre-dates this contract. |
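Review bot: item 1 attributes the G11 block to the admin-json writer module not existing, but the G11 row of the same audit gives the evidence for that claim as a `find src -name 'admin-json*'` with 0 hits, and the review thread reports `src/lib/admin-json.js` is present on main; the entry should name the branch the find was run on and say whether the block is absence of the module or absence of the integration, since the Layer 3 dispatch reads different work from each. While the entry is reworded, it should also record what the writer is expected to guarantee for `~/.autopg/admin.json` (owner-only mode, write-then-rename so readers never see a partial file), because the Tier-B refusal in the same group branches on the `supervisor` field of that file.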
The audit identifies the admin-json.js writer module as a blocking dependency that G11 pre-dates. However, src/lib/admin-json.js is already present in the repository. Please clarify if the block is due to the module's absence (which seems incorrect) or if it simply hasn't been integrated into the G11 logic yet.
| | **G8** cosign sign + SLSA L3 attest | `f3c92a4` | **PARTIAL** | `.github/workflows/sign-attest.yml` (285) + `scripts/aggregate-manifest.sh` (184) + `scripts/verify-published-artifacts.sh` (211) + `keys/cosign.pub` + offline test fixtures + `tests/integration/sign-attest-smoke.sh` (15/15 pass). Tampered + missing-sig paths both fail correctly with non-zero exit. **GAP:** real SLSA L3 only when GH OIDC fires in CI (depends on G7 binaries + tag dispatch). Workflow wired but not yet executed end-to-end. | | ||
| | **G9** CDN publish | `e187c0d` | **DONE** *(local fixture)* / partial against real CDN | `scripts/cdn-publish.sh` + `.github/workflows/cdn-publish.yml` + `tests/integration/cdn-publish.sh` (38/38 pass): immutable contract on `<channel>/<version>/`, atomic `latest.json`, immutable re-publish blocks (exit 3), `--allow-overwrite-versioned` escape hatch, dry-run zero-touch, cosign.pub published. **No gap on shape**; real-CDN acceptance bullets (`curl https://cdn.automagik.dev/autopg/stable/latest.json`) wait on G7+G8 tag dispatch. | | ||
| | **G10** install.sh ≤80 lines | `8e068f1` | **DONE** | `install.sh` is **79 lines**, shellcheck-clean (0 warnings), `tests/integration/install-sh-fresh-host.sh` (309 lines) 9/9 pass: happy-path verify+extract+exec, sha256 tamper abort, Windows-native locked rejection. Reads channel pointer from `AUTOPG_CDN_BASE`. End-to-end-on-real-host acceptance ("`curl … \| bash` <60s") gated on G9 real publish. | | ||
| | **G11** autopg install (Tier A pm2) | `7e04f7b` | **PARTIAL** | `src/cli/install.js` (450 lines) ships 5 of the wish deliverables: config.json write, `~/.local/bin/autopg` symlink, idempotent PATH export to `~/.bashrc`+`~/.zshrc`, bash+zsh completions, pm2 register. Tests 25/25 unit + 6/6 integration pass. **GAPS (multiple — most introduced by 2026-05-08 wish refinement):** <br/>1. **pm2 process name** — `src/cli/install.js:41` defines `PM2_PROCESS_NAME = 'autopg'`; wish §G11 deliverable 1 mandates **`autopg-server`** (paired with `autopg-ui`). Rename the constant + update tests. <br/>2. **Legacy pm2 entry migration** — wish §G11 deliverable 1 requires detecting a pre-existing pm2 entry named `pgserve` *or* `autopg` (early-cutover variant) and `pm2 delete` it before creating `autopg-server`. Current `src/cli/install.js` line 406 short-circuits when an entry called `autopg` exists; no migration. <br/>3. **`~/.autopg/admin.json` cohort supervisor write** — wish §G11 deliverable 2 (added 2026-05-08) requires invoking the writer from `pgserve-singleton-no-proxy` G1 (`src/lib/admin-json.{ts,js}`) after pm2 register, writing `{supervisor:"pm2",socketDir,port:5432,installedAt:<ISO8601>}`. **Module does not exist yet** (`find src -name 'admin-json*'` → 0 hits); cross-wish dependency on the cohort sibling. <br/>4. **Tier-B refusal** — wish §G11 acceptance bullet 8: on a host where `~/.autopg/admin.json.supervisor == "systemd-user"`, `autopg install` must exit non-zero with locked remediation hint. Not implemented. <br/>5. **First-run admin SCRAM bootstrap hook** — wish §G11 deliverable 1 §6 says install.js should "invoke admin SCRAM bootstrap (Group 1)"; commit defers this to `src/postgres.js` daemon-process wiring with a justification ("we tolerate its absence here"). The acceptance criterion *is* met indirectly because pm2 starts the daemon which fires bootstrap, but this is fragile if pm2 is unavailable. 
Defensive-double-fire per D12 means both call sites should fire — one from install.js immediate-path, one from postgres.js boot-path. | |
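Review bot: the G10 row records a sha256 tamper abort but not what the digest is checked against; if `install.sh` fetches the expected hash from the same CDN path it downloads the tarball from, an attacker who can write to the bucket replaces both and the tamper test still passes. Since the G9 row says `cosign.pub` is published and the G8 row ships `scripts/verify-published-artifacts.sh`, the row should state whether the 79-line installer verifies the manifest signature (or a digest pinned inside the script) before trusting the sha256, and if it does not, that belongs in the gap list next to the G8/G9 acceptance bullets rather than under "DONE". Related: the G8 row lists `keys/cosign.pub` while the follow-up extraction PR describes keyless OIDC signing; the row should say which mode verification uses, because keyless verification only means something when the certificate identity and issuer are pinned.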
The audit report states that the admin-json module does not exist and that a search returned 0 hits. This contradicts the current state of the repository, which includes src/lib/admin-json.js. This section should be updated to reflect that the module is available, even if integration is still pending.
| | **G11** autopg install (Tier A pm2) | 7e04f7b | **PARTIAL** | src/cli/install.js (450 lines) ships 5 of the wish deliverables: config.json write, ~/.local/bin/autopg symlink, idempotent PATH export to ~/.bashrc+~/.zshrc, bash+zsh completions, pm2 register. Tests 25/25 unit + 6/6 integration pass. **GAPS (multiple — most introduced by 2026-05-08 wish refinement):** <br/>1. **pm2 process name** — src/cli/install.js:41 defines PM2_PROCESS_NAME = 'autopg'; wish §G11 deliverable 1 mandates **autopg-server** (paired with autopg-ui). Rename the constant + update tests. <br/>2. **Legacy pm2 entry migration** — wish §G11 deliverable 1 requires detecting a pre-existing pm2 entry named pgserve or autopg (early-cutover variant) and pm2 delete it before creating autopg-server. Current src/cli/install.js line 406 short-circuits when an entry called autopg exists; no migration. <br/>3. **~/.autopg/admin.json** cohort supervisor write — wish §G11 deliverable 2 (added 2026-05-08) requires invoking the writer from pgserve-singleton-no-proxy G1 (src/lib/admin-json.js) after pm2 register, writing {supervisor:"pm2",socketDir,port:5432,installedAt:<ISO8601>}. **Module exists in src/lib/admin-json.js** but is not yet integrated; cross-wish dependency on the cohort sibling's integration. <br/>4. **Tier-B refusal** — wish §G11 acceptance bullet 8: on a host where ~/.autopg/admin.json.supervisor == "systemd-user", autopg install must exit non-zero with locked remediation hint. Not implemented. <br/>5. **First-run admin SCRAM bootstrap hook** — wish §G11 deliverable 1 §6 says install.js should "invoke admin SCRAM bootstrap (Group 1)"; commit defers this to src/postgres.js daemon-process wiring with a justification ("we tolerate its absence here"). The acceptance criterion *is* met indirectly because pm2 starts the daemon which fires bootstrap, but this is fragile if pm2 is unavailable. 
Defensive-double-fire per D12 means both call sites should fire — one from install.js immediate-path, one from postgres.js boot-path. | |
| ### Round 2 — new groups (start once Round 1 lands) | ||
| 4. **G19** — `autopg serve` dual-transport. Highest sequencing value because **G12, G13, and G14 all depend on it**. Single-file primary (`src/cli/serve.js`) + 1 test file + 1 integration script. Cross-wish blocker: needs `src/lib/admin-json.{ts,js}` writer module from `pgserve-singleton-no-proxy` G1. Coordinate dispatch so cohort sibling lands first or co-ships. | ||
| 5. **G11-admin.json** — once `pgserve-singleton-no-proxy` G1 ships its `src/lib/admin-json.js` writer, return to G11 and add deliverable 2 (cohort supervisor write + Tier-B refusal). Trivial diff (< 50 LOC) but dependency-ordered. |
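Review bot: item 5 sizes deliverable 2 at under 50 LOC, but the G11 row marks the Tier-B refusal as not implemented and the acceptance bullet requires a non-zero exit with a remediation hint, so the estimate should include the negative integration test (a host whose `admin.json` has `supervisor == "systemd-user"`, install refused, nothing registered in pm2) and the ordering constraint that the refusal check runs before `pm2 register` and before the supervisor write; otherwise a refused install has already mutated pm2 state and overwritten the file it was supposed to respect.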
The recommendation to wait for the admin-json.js writer is likely outdated as the module is already present in the repository. Consider updating the dispatch plan to focus on the integration of the existing module rather than waiting for it to be 'shipped'.
| 5. **G11-admin.json** — since src/lib/admin-json.js is already present, return to G11 and add deliverable 2 (cohort supervisor write + Tier-B refusal). Trivial diff (< 50 LOC) but requires integration. |
…er G8 + G9 extraction)

Surgical port of cutover wish G8 (cosign keyless OIDC sign + SLSA L3 attest) and G9 (CDN publish to cdn.automagik.dev/autopg/*) from cutover branch onto main. All target paths conflict-free.

What ships:
- .github/workflows/sign-attest.yml: per-platform cosign sign-blob + attest-build-provenance@v1; aggregates a top-level manifest.json. Runs after build-tarballs (G7) on tag.
- .github/workflows/cdn-publish.yml: uploads signed tarballs + manifest + channel pointer to cdn.automagik.dev/autopg/<channel>/<version>/<platform>/. Cache-control headers per wish D7 (immutable for versioned paths, short TTL for latest.json).
- tests/integration/sign-attest-smoke.sh: hermetic smoke fixture exercising the cosign + manifest + per-platform attestation pipeline without hitting real Sigstore. Referenced by G7's build-tarballs.yml — without this PR, G7's CI matrix references non-existent files.
- tests/integration/cdn-publish.sh: smoke fixture validating CDN publish layout end-to-end against a synthetic local-FS CDN.

Validation:
- bash -n on both scripts: syntax clean.
- bun run lint: clean.
- bun run lint:audit: scanned 32 files, 0 issues.

Cohort: cutover wish unique extractions onto main. Follows G6 (PR #83 merged) and G7 (PR #84). Closes G8 + G9 gaps from PR #82's audit report.

G10 (install.sh ≤80 lines) DEFERRED — main has an existing 123-line install.sh (legacy npm-based pgserve installer). Cutover's 79-line CDN bootstrap installer is a DIFFERENT distribution path (CDN, not npm). Putting both at install.sh collides; needs a separate rename decision (install.sh → install-pgserve.sh, or cutover's at install-autopg.sh). Plus the CDN doesn't actually exist yet (G9 workflow publishes to it but Felipe needs to provision the bucket + DNS first).

G5 (autopg create-app + manifest LOCK 1) DEFERRED — structural entanglement with admin-bootstrap.js + autopg_meta schema infrastructure that doesn't exist on main. Needs proper engineering effort, not file copy.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Extracts the cutover audit report (commit 1270a5a from wish/autopg-cutover-transport-absorb) onto a fresh branch off main. Docs-only — zero code changes.

What this audit captures
Read-only investigation across 11 WIP commits + 9 not-yet-started groups in the cutover wish. Findings:
Why this PR exists
PR #81 (cutover branch tip) cannot merge because the cutover branch's history pre-dates v2.4.0 release on main and the two layouts diverged. The audit report is valuable as documentation of cohort state and is mergeable on its own.
What is coming next
Follow-up PRs will surgically port the cutover branch's UNIQUE work onto main:
Redundant cutover groups (G1, G2, G4, G11) overlap with singleton wish work already on main and will be dropped.
Test plan