From 1237d29899a5f84e4bb71965acc4cdfe029d7c51 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 27 May 2026 21:04:40 +0100 Subject: [PATCH] =?UTF-8?q?review(1b):=20W0=20PASS=20(RL1)=20=E2=80=94=20l?= =?UTF-8?q?int/format=20tooling=20verified=20COLD=20on=20cc-ci=20over=20pr?= =?UTF-8?q?istine=20archive=20of=20233939a:=20nix=20develop=20.#lint=20?= =?UTF-8?q?=E2=86=92=20lint:=20PASS=20exit=200=20(8=20linters=20clean);=20?= =?UTF-8?q?stage=20wired=20in=20.drone.yml;=20break-it=20probe=20confirms?= =?UTF-8?q?=20FAIL=20exit=201=20on=20injected=20violations=20(gate=20has?= =?UTF-8?q?=20teeth).=20Advisory:=20confirm=20push=E2=86=92Drone=20actuall?= =?UTF-8?q?y=20fires=20lint=20stage=20at=20RL3=20(webhook=20flaky=20per=20?= =?UTF-8?q?=C2=A74.1)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- REVIEW-1b.md | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/REVIEW-1b.md b/REVIEW-1b.md index 9225a57..329c57c 100644 --- a/REVIEW-1b.md +++ b/REVIEW-1b.md 
@@ -47,5 +47,33 @@ Still owed in white-box pass #2 (after I read the rest): **harness DRY** (recipe not per-recipe copy-paste), **log redaction real** (bridge/dashboard/log pipeline), **architecture matches plan** (layout/§3, poll-primary trigger §4.1, traefik-is-coop-cloud-recipe §4.2; drift → DECISIONS.md). -## Status: IDLE — awaiting Builder to seed Phase-1b state + claim W0 (lint/format). -No gate CLAIMED. Will verify W0 cold the moment it's claimed (watchdog ping). RL3 deferred to last, per plan order. +## W0 (RL1 — lint/format tooling + green) : **PASS** @2026-05-27 (Adversary cold) +Gate claimed in STATUS-1b. Acceptance: clean checkout → `nix develop .#lint --command bash +scripts/lint.sh` → `lint: PASS`; lint stage wired in `.drone.yml` push pipeline. **Verified cold, +independently** (no nix on sandbox; ran on cc-ci over a *pristine* tree, not the Builder's working copy): + +- **Cold checkout = exact reviewed SHA.** `git archive 233939a` (= my `origin/main` HEAD) piped to + cc-ci → `/tmp/ccci-cold` (clean tree, no untracked/cached state, secrets submodule empty as lint + excludes it). Not cloned from `/root/cc-ci` (that's a non-git plain copy) — archived from my own clone. +- **Lint PASS cold.** `HOME=/root nix develop .#lint --command bash scripts/lint.sh` → **exit 0, + `lint: PASS`.** All 8 linters ran clean: nixpkgs-fmt (0/14 reformat), statix, deadnix, ruff format + (32 files), ruff check (all passed), shfmt, shellcheck, yamllint. +- **Stage real, not rigged.** `scripts/lint.sh` genuinely invokes each linter in check mode and + accumulates a `fail` flag → `exit "$fail"` (correct `set -uo pipefail`, no `-e`, so all run). The + `.drone.yml` `self-test` push pipeline runs the *exact* command `nix develop .#lint --command bash + scripts/lint.sh` and FAILs the build on non-zero. Toolchain pinned from nixpkgs in `flake.nix` + (`devShells.lint`), so CI == local. 
+- **Gate has TEETH (break-it probe).** Injected violations into the cold tree (a `.py` with + `import os,sys` + `x=1+2`, and a mis-formatted `.nix`) → re-ran lint → **exit 1, `lint: FAIL`** + (ruff E401/I001/F401 + nixpkgs-fmt). So the stage is not vacuously green. + +Verdict: **W0 PASS.** Builder may proceed to W1. +Advisory (not W0-blocking; re-confirm at RL3): Builder notes the Gitea→Drone *push* webhook is flaky +(§4.1), so the lint stage may not auto-fire as a real Drone build on every push — RL1's intent +("future commits stay clean") depends on that path actually firing. The stage IS wired and proven +green via its exact command; I'll confirm a real push triggers the Drone lint build when I re-verify +M2/D-gates at RL3 (it overlaps). Not filing a finding now — bounded phase, acceptance-as-stated is met. + +## Status: W0 PASS logged. Awaiting Builder's W1 (review checklist) — I'll run my own white-box §3 +pass #2 (harness DRY · log redaction · architecture-matches-plan) as independent prep / RL2 input, then +the cold RL3 D1–D10 re-verify LAST. Cardinal rule holds: cleanup must not weaken/skip/regress any test.
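Review bot: The "Gate has TEETH (break-it probe)" bullet proves failure propagation for only two of the eight linters it lists as clean. The injected violations are a `.py` file and a mis-formatted `.nix`, and the recorded failures are ruff E401/I001/F401 plus nixpkgs-fmt. Nothing in the probe shows that statix, deadnix, ruff format, shfmt, shellcheck or yamllint can turn the gate red. Because the "Stage real, not rigged" bullet describes `scripts/lint.sh` as running without `-e` and relying on an accumulated `fail` flag, a linter whose non-zero exit never reaches that flag would stay silently green, and this probe would not catch it. Either extend the probe with one violation per linter (for example a badly formatted shell script and a malformed YAML file) and record each exit, or narrow the claim to "ruff check and nixpkgs-fmt proven to fail the gate". Separately, the Advisory paragraph leaves the flaky Gitea→Drone push webhook untracked ("Not filing a finding now") while the verdict reads PASS. Since RL1's stated intent depends on that path firing, add it as an explicit open item in the RL3 checklist so the re-check is not lost.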