Back-filled by scripts/backfill_legacy_runs.sh — historical run predates campaign.meta.json emission.
Run focus
What this campaign tested: First campaign where all 4 droplets actually booted with a valid firewall. SSH auth was the next untested surface.
What it demonstrated: Terraform is fully green. All four droplets provisioned, public IPs assigned, firewall rules accepted inbound 22. The blocker moved one step deeper into the provisioning flow. Teardown cleanly destroyed all 6 resources (4 droplets + VPC + firewall), confirming the if: always() teardown guard works even when a mid-run step fails.
AI NHI analysis · Claude Opus 4.7
RED at Wait for SSH after 2 m 44 s of retries against the memory-only node.
The building got built, the front door got installed, the keypad got mounted — but the building manager handed the wrong spare key to the cleaning crew. They stood at the door for two and a half minutes trying their key, gave up, and left. Nothing broken, just can't get in.
Mature failure: infrastructure costs were paid (~2 minutes of droplet compute, well under $0.05 total for both campaigns), teardown ran automatically, and the diagnostic message was precise enough to root-cause in one step. The iteration loop continues to burn down one bug per dispatch.
ssh -o BatchMode=yes -o ConnectTimeout=3 failed silently for 30x5s on node-4 (memory-only, first in the wait loop). Root cause: the /root/.ssh/id_ed25519.pub file on the operator workstation was out of sync with its own private key. `ssh-keygen -y -f /root/.ssh/id_ed25519` derived a DIFFERENT public key than what /root/.ssh/id_ed25519.pub claimed. The claimed .pub matched DO-registered key 'AO1' (fingerprint b5:bf:33:9d:...), so DO installed AO1's public half on every droplet. But the actual private key on disk (and therefore in the uploaded DIGITALOCEAN_SSH_PRIVATE_KEY secret) derives to fingerprint bf:0b:e1:92:... — unregistered at DO. Fix: derive actual pub, register at DO via POST /v2/account/keys, update DIGITALOCEAN_SSH_KEY_FINGERPRINT secret to the new fingerprint.
Redispatch r5 with corrected fingerprint — SSH should now succeed and the run should reach Provision for the first time.