From a1b4943da19d7fb11ee28cf75c13685b03b5d5f3 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 10 Jun 2026 03:54:31 +0000 Subject: [PATCH] plan: adapt concurrency restructure to builder/adversary loop protocol (gates M1/M2, phase-namespaced state) --- .../concurrency-restructure-full-plan.md | 53 ++++++++++++------- 1 file changed, 35 insertions(+), 18 deletions(-) diff --git a/cc-ci-plan/concurrency-restructure-full-plan.md b/cc-ci-plan/concurrency-restructure-full-plan.md index c08ef76..8804c00 100644 --- a/cc-ci-plan/concurrency-restructure-full-plan.md +++ b/cc-ci-plan/concurrency-restructure-full-plan.md 
@@ -151,29 +151,46 @@ ABRA_DIR isolation: Each test must clean up helper processes in `finally`/fixtures (no leaked children in the test VM). -## Roles & flow +## Roles, gates & Definition of Done (loop protocol — plan.md §6.1 applies) -1. **Builder** (fable — main-loop model, no override): implements P1→P5 + test suite on branch - `restructure/concurrency` in a fresh clone; one commit per phase; runs - `pytest tests/unit -q`, `pytest tests/concurrency -q`, `scripts/lint.sh` before each commit; - pushes the branch (never main). Commit author `autonomic-bot `. -2. **Adversary** (opus): adversarial review of the full branch diff — hunts races (probe vs - acquire ordering, signal-handler reentrancy, teardown-during-teardown), deleted-code fallout - (grep for dangling references to registry symbols), gate integrity (recipe tests/`RUN_APP_RE`/ - warm apps untouched), and test-suite blind spots. Produces findings list; default-skeptical. -3. Builder addresses findings; adversary re-checks. Orchestrator merges to main only when: - adversary pass + both test suites green + lint green + branch push build green. -4. **Live verification** (orchestrator, post-merge): - a. trigger an immich !testme, cancel mid-run via drone API → assert harness pid dies (no leak), - lock released, next janitor reaps the app; - b. two parallel !testme runs (immich + plausible) → both green, zero leakage; - c. double-!testme same PR → second blocks on app lock, then runs; - d. confirm a full green run end-to-end (the standing regression canary). +This phase runs as Builder/Adversary loops with phase-namespaced state files +(STATUS-conc.md, REVIEW-conc.md, BACKLOG-conc.md, JOURNAL-conc.md). + +**Builder**: implements P1→P5 + the tests/concurrency suite on branch `restructure/concurrency` +in YOUR clone; one commit per phase; before each commit ALL of: +`pytest tests/unit -q`, `pytest tests/concurrency -q` (once it exists), `scripts/lint.sh` — +green. 
Push the branch (NOT main — main merge is gated below). Claim gates via `claim(conc): ...` +commits + STATUS-conc.md per protocol. + +**Adversary**: cold-verify from your own clone. For M1: check out the branch, run both suites + +lint yourself, then adversarially review the full diff — hunt races (probe vs acquire ordering, +signal-handler reentrancy, teardown-during-teardown), deleted-code fallout (grep for dangling +references to registry symbols: register_run_app, unregister_run_app, _run_owner_state, +ACTIVE_RUN_DIR, CCCI_JANITOR_MAX_AGE, acquire_recipe_lock), gate integrity (recipe tests / +RUN_APP_RE / warm apps untouched), and test-suite blind spots vs the 19 cases above. +Default-skeptical; findings to REVIEW-conc.md. + +**Gates:** +- **M1 — implementation verified.** Branch complete (P1–P5 + tests), both suites + lint green + on the Adversary's cold clone, adversarial diff review PASS in REVIEW-conc.md. +- **M2 — merged + live-verified.** After M1 PASS only, Builder merges the branch to main + (merge commit, never force) and confirms the push build green. Then live verification on the + real CI host (evidence in STATUS-conc.md, Adversary re-checks): + a. trigger an immich !testme, cancel mid-run via drone API → harness pid dies (no leaked + python), lock released, next janitor reaps the app — zero leakage; + b. two parallel !testme runs (immich PR#2 + plausible PR#3) → both green, zero leakage; + c. double-!testme same PR → second blocks on the app lock (visible in its drone log), then runs; + d. one full green run end-to-end. + +**## DONE in STATUS-conc.md** only when M1 and M2 both show a fresh Adversary PASS in +REVIEW-conc.md. NOTE for both loops: recipe-mirror PRs (immich#2, plausible#3) are used as +!testme targets only — NEVER merge or push to recipe mirror repos. ## Guardrails (builder + adversary MUST honor) - NEVER weaken recipe-test gates or touch `tests//` content. -- NEVER push cc-ci main; branch only. Never force-push. 
+- cc-ci main is touched ONLY by the M2 merge after M1 PASS; all other work stays on the branch. + Never force-push. NEVER merge/push recipe mirror repos. - No secrets in commits; reference `.testenv` / `/run/secrets` locations only. - Don't touch `services_converged()` / paused-is-settled logic except where the plan says. - Match repo commit style (`feat(...)`/`fix(harness)`/`test(...)`/`docs:`).
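Review bot: The M2 gate merges to main before live verification (a to d) runs, but nothing in the hunk says what happens if one of those checks fails once main already carries the branch. With "merge commit, never force" in M2 and "Never force-push" in the guardrails, a revert commit appears to be the only remedy; the plan should state that, name who performs it, and say whether M1 has to be re-passed before a second merge attempt. Second, the removed merge condition "branch push build green" has no counterpart in M1: the push build is now confirmed only on main after the merge, so consider adding a green branch push build to the M1 criteria so a broken CI build is caught before main is touched. Minor style point: "**## DONE in STATUS-conc.md**" puts a heading marker inside bold inline text; if it denotes a literal heading line to be written in STATUS-conc.md, backticks would make that unambiguous.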