t3: gated nightly tracker (replaces pinned enforcer) + drop timer Persistent

Phase 2 of "track t3 nightly, accept the risk, but make sure session auth works
and revert if it breaks". Rewrites the daily t3-autoupdate from a pinned-version
enforcer into a NIGHTLY TRACKER that gates every bump so a bad build self-heals
instead of repeating 2026-06-09:

- follows the t3@nightly npm dist-tag (T3_TRACK; T3_PIN still works as a hard
  freeze; /etc/t3-autoupdate.freeze is the manual revert switch);
- downgrade-guard (the nightly tag is mutable — never move backward) + channel
  sanity (target must be a -nightly. build);
- pre-bump per-user state.sqlite backup (online VACUUM INTO) BEFORE install, so
  rollback is a restore not sqlite surgery;
- health-check now SEEDS a throwaway instance with a COPY of a real POPULATED
  state.sqlite, exercising the forward MIGRATION (the actual 2026-06-09 failure
  class) + the real mint->exchange->t3_session pairing handshake before trusting
  a build. Scratch dir is on /var/tmp (disk), not the 2G tmpfs /tmp;
- canary rollout: restart idle instances ONE AT A TIME, verify pairing through
  the real dispatch after each, and on the first failure roll back (binary +
  that user's DB from the pre-bump backup) AND self-freeze so it can't re-flap
  onto bad builds. Active-agent instances are deferred, never killed. Rollback
  target is the recorded LAST-GOOD, not "whatever was installed";
- DRY_RUN mode (T3_DRY_RUN=1) previews the gate against a temp-prefix install —
  validated: 0.0.28-nightly.20260616.571 PASSES the populated-DB migration gate.

timer: drop Persistent=true (a missed 04:00 must not fire a real bump on boot
mid-day with users active — a 2026-06-09 contributing factor).
setup-devvm.sh: install t3@nightly on fresh boxes (no state to break), in sync.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Viktor Barzin 2026-06-16 10:08:12 +00:00
parent 994d305d04
commit 36521839fc
3 changed files with 230 additions and 72 deletions


@ -55,14 +55,18 @@ PROFILE_EOF
chmod 0644 /etc/profile.d/10-local-bin.sh
log "/etc/profile.d/10-local-bin.sh (~/.local/bin on PATH for login shells)"
# 2b) t3 (the per-user coding surface) — PINNED, never nightly/latest. t3 is pre-1.0 and
# ships breaking auth-schema + bootstrap-API changes our t3-dispatch can't follow blind
# (2026-06-09 outage: a nightly auto-update broke pairing for ALL users). The daily
# t3-autoupdate ENFORCER re-asserts this same pin; install it here so a fresh box has t3
# immediately. Keep T3_PIN in sync with t3-autoupdate.sh.
T3_PIN="${T3_PIN:-0.0.26}"
if [[ "$(t3 --version 2>/dev/null | awk '{print $NF}' | sed 's/^v//')" != "$T3_PIN" ]]; then
log "npm: installing pinned t3@$T3_PIN"; npm install -g "t3@$T3_PIN" >/dev/null
# 2b) t3 (the per-user coding surface) — GATED NIGHTLY TRACKER (2026-06-16; was pinned).
# t3 is pre-1.0 and ships breaking auth-schema + bootstrap-API changes (2026-06-09
# outage: a blind nightly auto-update broke pairing for ALL users). The daily
# t3-autoupdate now FOLLOWS t3@nightly but GATES each bump (populated-DB health-check
# + canary + auto-rollback + self-freeze) so a bad nightly self-heals. A fresh box has
# no user state to migrate or sessions to break, so install the current nightly
# directly; the gated tracker owns it thereafter. Keep T3_TRACK in sync with
# t3-autoupdate.sh. To freeze/revert: `touch /etc/t3-autoupdate.freeze`.
T3_TRACK="${T3_TRACK:-nightly}"
want_t3="$(npm view "t3@$T3_TRACK" version 2>/dev/null | tail -1)"
if [[ -n "$want_t3" && "$(t3 --version 2>/dev/null | awk '{print $NF}' | sed 's/^v//')" != "$want_t3" ]]; then
log "npm: installing t3@$T3_TRACK ($want_t3)"; npm install -g "t3@$want_t3" >/dev/null
fi
# 3) kubelogin (kubectl oidc-login) system-wide — NOT the apt 'kubelogin' (= Azure tool).
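Review bot: The install condition on the `if [[ -n "$want_t3" && ... != "$want_t3" ]]` line fires on any version mismatch, not only when t3 is absent. If setup-devvm.sh is ever re-run on a box that already has users, it bumps straight to whatever `t3@$T3_TRACK` resolves to, with none of the health-check, canary, or auto-rollback gating that the comment above it attributes to t3-autoupdate, and without looking at /etc/t3-autoupdate.freeze. The comment's justification ("A fresh box has no user state to migrate or sessions to break") only holds if the branch is restricted to fresh boxes, so consider installing only when `command -v t3` fails and skipping when the freeze file exists. The `T3_PIN="${T3_PIN:-0.0.26}"` line is also gone while the commit message says T3_PIN still works as a hard freeze; if that is meant to apply here as well, this block should honour it. Finally, when `npm view` fails, `want_t3` is empty and the install is skipped with no log line (stderr goes to /dev/null), which leaves a fresh box without t3 and nothing in the output to say why; log that case explicitly.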