m2-market/specs/002-market-web/VERIFICATION.md
2026-07-02 06:01:07 +02:00

1.8 KiB

Verification — 002-market-web

Date: 2026-07-02 · Live at https://market.machinemachine.ai (Coolify app s4jo1x35…, push CI/CD hook #15)

SC Status Evidence
SC-101 browse→listing→wallet→governance, zero terminal Real-browser session on chris-m2o: login page → search results (both listings, prices) → nav to all panels. API walkthrough green (401 guard, 204 login, search, listing incl. install_command, wallet, economy, governance).
SC-102 wallet parity m2bd 60/60, sdjs-operator 226/226, chris-operator 0/0 — web vs ledger MATCH.
SC-103 zero key material served Scan of SPA assets + all API responses against all 5 live secrets: clean. Backend secrets-leak unit test enforces it in CI.
SC-104 health + degradation /design /health healthy; upstream failure → 502 {error,panel} per contract (unit-tested per panel; live panels all up).
SC-105 responsive/fast SPA 50KB gz JS, loads instantly on fleet network; responsive layout (frontend build).

Live-integration bugs found & fixed during T104 (all pushed, CI-deployed):

  1. Forgejo auth: token-scheme header → 401 on this instance; switched to basic auth (the documented forgejo-skill gotcha — third time this class of thing bit a worker; contracts now note it).
  2. Ledger tx field names: economy/wallet read from/to, real API returns from_id/to_id.
  3. SPA static dir resolution broke when pip-installed (site-packages parents[] — same class as the indexer schema-path bug); M2MW_STATIC_DIR env now wins.
  4. Coolify repo-URL mangling on app create (same as ledger app); PATCH with full URL.

Open (non-blocking): FR-105 fleet-passcode auth model awaits operator confirmation (passcode in /home/m2/.m2-market-web-secrets, 0600); per-operator tokens are the upgrade path.