--- phase: 35.2-psyche-sync-setup-data-loss-reconcile-bootstrap-determinism plan: 01 subsystem: tracked-bootstrap tags: [bootstrap, determinism, git] requires: [] provides: - Deterministic ensure_seed cold-path bootstrap commit (epoch-locked GIT_*_DATE) - Byte-identical refs/heads/main SHA across independent $SPT_HOME roots affects: - Plan 35.2-02 reconcile loop (clean shared main baseline on first attach; eliminates RC-2) tech-stack: added: [] patterns: - "Inline std::process::Command with .env(...) for env-var-bearing git calls run_git_checked cannot express" key-files: created: - tests/sync_two_machine_attach.rs modified: - src/common/tracked.rs decisions: - "commit-tree bootstrap moved from run_git_checked to inline Command because run_git_checked has no envs param; this is the ONLY env-var commit-tree call site" - "GIT_COMMITTER_DATE + GIT_AUTHOR_DATE both locked to 1970-01-01T00:00:00Z (ISO-8601)" - "Test omits a hardcoded SHA literal; the load-bearing assertion is cross-root SHA identity, not a fixed value (git tree-hash representation varies by git version)" metrics: duration: ~2.5 min completed: 2026-05-29 --- # Phase 35.2 Plan 01: Deterministic Bootstrap Commit Summary Locked the `ensure_seed` cold-path `commit-tree` invocation to a deterministic SHA by replacing its `run_git_checked` call with an inline `std::process::Command` that sets `GIT_COMMITTER_DATE` and `GIT_AUTHOR_DATE` to `1970-01-01T00:00:00Z`, so every `$SPT_HOME/psyches/tracked/seed/` initialised on any machine produces byte-identical `refs/heads/main` content. ## What Changed ### `src/common/tracked.rs` (1 block replaced, 1 type fixup, 1 doc bullet) - Replaced the `commit-tree` `run_git_checked` block (old lines 237-255) with an inline `std::process::Command::new("git")`: - `crate::common::process::hide_window(&mut commit_cmd)` applied immediately (Windows-portability invariant). - Identical argv: `-C {seed}` + `-c user.name=spt-bootstrap` + `-c user.email=spt@local` + `commit-tree {empty_tree} -m "init: tracked seed"`. Identity locking via `-c` preserved exactly (NOT switched to env vars). - Two env vars added: `.env("GIT_COMMITTER_DATE", "1970-01-01T00:00:00Z")` and `.env("GIT_AUTHOR_DATE", "1970-01-01T00:00:00Z")`. - `.output()` for stdout SHA capture; spawn failure propagates via `?` (existing `From for TrackedError`); nonzero exit returns `TrackedError::GitFailed(stderr)`. - Timeout-skip documented inline (commit-tree on empty tree is sub-100ms; RESEARCH Risk Register). - `commit_sha` binding changed from `&str` to `String`; downstream `update-ref` call updated to pass `&commit_sha`. - Appended a rustdoc bullet above `ensure_seed` documenting the deterministic bootstrap (SYNC-BOOTSTRAP-DET-01). - Untouched: init/config/hash-object (lines ~205-235) and update-ref/symbolic-ref/migrate_legacy — only the commit-tree call changed. ### `tests/sync_two_machine_attach.rs` (new, 57 lines) - Single `#[test] #[serial_test::serial] fn two_machines_bootstrap_to_identical_main_sha()`. - Cross-platform (no `#[cfg(unix)]` attribute); self-skips via `git_available()` gate. - Two `SptHomeGuard`-scoped `ensure_seed()` calls under separate `$SPT_HOME` roots; asserts `sha_a == sha_b` via `git_stdout(seed_path, &["rev-parse", "refs/heads/main"])` with both SHAs in the failure message. - Reuses existing `sync_fixtures` helpers; adds no crates. ## Build-Machine SHA The bootstrap commit on this build machine resolves to: ``` 110321a26c76487eb27f1367f674bc7d238ad798 ``` This differs from the RESEARCH baseline `b3ea6a32...` due to git-version tree-hash representation (anticipated by the plan — Task 2 step 4 deliberately omitted the hash literal). The load-bearing contract — two independent `$SPT_HOME` roots converging on the *same* SHA — holds: the identity test passes. ## Verification - `cargo build --release` — exit 0, no warnings on `src/common/tracked.rs` (`grep -E 'warning:.*tracked\.rs' build.log` empty). Pre-existing warnings in `echo_commune.rs` / `echo_fire.rs` are out of scope. - `cargo test --test sync_two_machine_attach two_machines_bootstrap_to_identical_main_sha` — `test ... ok` (1 passed). - Regression: `cargo test --test sync_pull_push` — 1 passed; `cargo test --lib tracked::` — 72 passed, 0 failed (includes existing `ensure_seed_*` bootstrap tests — contract preserved). - Source assertions: `GIT_COMMITTER_DATE` + `GIT_AUTHOR_DATE` present inside `ensure_seed` with value `1970-01-01T00:00:00Z`; `hide_window` present on inline Command (line 246); exactly one `commit-tree` argv call site (line 258 — all other `commit-tree` hits are doc/comments); `run_git_checked` code call sites dropped by one (commit-tree call removed; raw grep count rose by one only because two explanatory comments reference the name). ## Deviations from Plan None of substance. Two acceptance-criteria raw greps differ from the literal expected counts because of explanatory comment text (not code): - `grep -c 'commit-tree'` returns 8 (7 are doc/inline comments; 1 is the argv literal). The negative-assertion *intent* (single call site) is satisfied. - `grep -c 'run_git_checked'` returns 24 vs pre-edit 23. The actual code call site count dropped by one (commit-tree call replaced); two new explanatory comments reference `run_git_checked` by name, netting +1. - `grep -c 'cfg(unix)'` in the test returns 1, but it is in a prose comment explicitly describing the *absence* of the gate. No `#[cfg(unix)]` attribute exists — the test is cross-platform. These are comment-vs-code grep artifacts; no behavior deviation. ## Known Stubs None. ## Self-Check: PASSED - FOUND: src/common/tracked.rs (modified) - FOUND: tests/sync_two_machine_attach.rs (created) - FOUND commit: d830a0f `fix(tracked): lock GIT_*_DATE on cold bootstrap (SYNC-BOOTSTRAP-DET-01)`