boma/docs/reviews/2026-05-30-review.md
sjat 703f1716e5 review-repo: harden scanner, apply safe fixes, record first review
First /review-repo run on boma. Hardened repo-scan.py (no TODO.md/prose false
positives). Applied 7 safe fixes (DNS staleness x2, STATUS factual correction,
hosts.yml path generalisation, trunk-based wording x2, scripts/README). Recorded
the run and 17 open findings in docs/reviews/2026-05-30-*.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 19:10:58 +02:00

98 lines
5.3 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Repo review — 2026-05-30
- **Reviewed commit:** `de38d1c`
- **Mode:** on-demand (interactive); safe fixes applied, rest reported.
- **Method:** `scripts/repo-scan.py` (Phase 0) + 3 fan-out reviewers (consistency,
drift/cruft, conformance) + cross-cutting synthesis.
## Summary
| | high | medium | low | total |
|---|---|---|---|---|
| Auto-fixed | 2 | 3 | 2 | 7 |
| Open (reported) | 4 | 4 | 9 | 17 |
Dominant theme: **drift created by this session's own rapid changes** — residual
`.vault_pass` references after the Vaultwarden/rbw switch, and leftover
PR/merge-request language after going trunk-based.
## Auto-fixes applied (safe + obvious)
| File | Fix |
|---|---|
| `README.md` | `terraform/` tree comment: "infra DNS" → "no DNS" |
| `docs/decisions/003-toolchain.md` | closing line: "and infrastructure DNS" → "only (no DNS)" |
| `STATUS.md` | hosts.yml row: "commented examples" → "structured stubs with empty host maps" |
| `CLAUDE.md` | don't-modify bullet generalised `production``<env>` |
| `docs/runbooks/new-role.md` | "open PR / merge request" → "merge to main once make test passes" |
| `CONTRIBUTING.md` | "Before opening a merge request" → "Before committing or merging to main" |
| `scripts/README.md` | documented the 3 undocumented scripts |
Also hardened `scripts/repo-scan.py` itself: the marker check no longer matches
filenames like `TODO.md`, and path-ref checks only fire inside backticks/links (no
prose false positives).
## Open findings
### Secrets — residual `.vault_pass` references (reported, not auto-fixed: secrets-adjacent)
- **[high] R1** `docs/decisions/005-bootstrapping.md:64-65` — control-node setup still
says `cp /secure/location/.vault_pass …`. Replace with the rbw setup (ADR-002,
rotate-secrets runbook).
- **[high] R2** `docs/runbooks/new-host.md:6` — prerequisite "you have the vault
password (`.vault_pass`)". → "rbw installed and unlocked".
- **[high] R3** `docs/runbooks/new-host.md:129-130` — "place `.vault_pass`" step →
rbw unlock.
- **[medium] R4** `CONTRIBUTING.md:32-33` — secrets section describes `.vault_pass`
secure-channel sharing → point to rbw/Vaultwarden.
- **[medium] R5** `AGENTS.md:16` — "Never read/print/commit `.vault_pass`" names a
file that no longer exists → reword to the rbw flow.
### Workflow model — trunk-based vs PR/approval-gates (judgement)
- **[high] R6** `docs/decisions/003-toolchain.md` (CI/CD) & `docs/decisions/008-testing.md`
(CI pipeline) describe pull-requests-to-main + manual approval gates, contradicting
the trunk-based, no-MR model in CLAUDE.md/CONTRIBUTING. Decide: keep *deploy*
approval gates (reasonable even solo) but drop the PR framing, or fully reconcile.
- **[medium] R7** `CLAUDE.md:151` — "Push to `main` branch" listed as forbidden,
contradicting the trunk-based "commit straight to main" policy a few lines above.
### Roles not in git (judgement)
- **[high] R8** `roles/``base` and `docker_host` are empty dirs on disk and **not
tracked by git** (empty dirs aren't committed). A fresh clone has neither, so
`make deploy PLAYBOOK=site` would **error** (role-not-found), not "apply nothing"
as STATUS.md:29-30 says. Decide: scaffold them (`make new-role`) or correct the docs.
### Terraform correctness
- **[medium] R9** module `vlan_tag` is never passed by either environment → VMs land
on untagged `vmbr0`, contradicting ADR-007's srv VLAN. Wire `vlan_tag` through.
- **[low] R10** `<owner>/<repo>` placeholders unresolved in `backend.tf` (×2),
Makefile `MOLECULE_IMAGE`, `.scaffold/molecule.yml` — non-functional as committed.
### Scaffolding (new-role)
- **[medium] R11** `make new-role` copies `.scaffold/converge.yml` with literal
`ROLE_NAME_PLACEHOLDER`, never substituted → scaffolded molecule references a
non-existent role. Sed-substitute `NAME` or document the manual step.
- **[low] R12** `Makefile:154` writes the role README via `echo "…\n…"`; `\n` isn't
expanded in `sh` → literal `\n`. Use `printf`.
### Other consistency / drift
- **[low] R13** `CLAUDE.md:93` — group_vars tree lists `control/`, which doesn't exist
on disk. Create it or drop the line.
- **[low] R14** `docs/decisions/006-terraform.md:40` — "No Galaxy roles." reused in the
Terraform section (an Ansible-collections concept). Reword.
- **[low] R15** `docs/decisions/001-architecture.md:22` — DNS row reads as present-tense
reality though the `dns` role is unbuilt (per STATUS.md). Add a "planned" pointer.
- **[low] R16** `docs/decisions/001-architecture.md:42` — "monitoring agent" in the
Proxmox baseline isn't reflected in ADR-002's baseline. Align.
- **[low] R17** `playbooks/bootstrap.yml:12-16` — raw python-install task hardcodes
`changed_when: false` → never reports a change. Consider an honest `changed_when`.
## Suggested follow-up prompt
> Remediate the boma 2026-05-30 review (`docs/reviews/2026-05-30-review.md`):
> 1. Purge the residual `.vault_pass` references R1R5 → the rbw/Vaultwarden flow.
> 2. Decide the workflow model R6R7 — I lean "keep deploy approval gates, drop the
> PR/merge-request framing"; reconcile ADR-003/008 and CLAUDE.md to match.
> 3. Resolve R8 — scaffold `base`/`docker_host` via `make new-role`, or correct
> STATUS.md/roles/README.md to say the roles don't exist yet.
> 4. Fix the Terraform `vlan_tag` wiring (R9).
> Report on the rest.