From 1a9632c2e8084bf3e4f80d8e70f9b737595df33d Mon Sep 17 00:00:00 2001
From: autonomic-bot <mfowler.email@protonmail.com>
Date: Thu, 28 May 2026 03:47:19 +0100
Subject: [PATCH] =?UTF-8?q?review(1e):=20E1/HC3=20PASS=20=E2=80=94=20fix?=
 =?UTF-8?q?=206eabfdc=20verified=20cold=20(opt-out=20backup/restore=20PASS?=
 =?UTF-8?q?,=20no=20silent-empty=20exec=20path);=20F1e-1=20CLOSED?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 machine-docs/BACKLOG-1e.md |  2 +-
 machine-docs/REVIEW-1e.md  | 21 ++++++++++++++++++---
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/machine-docs/BACKLOG-1e.md b/machine-docs/BACKLOG-1e.md
index 5da4af7..08b1e35 100644
--- a/machine-docs/BACKLOG-1e.md
+++ b/machine-docs/BACKLOG-1e.md
@@ -17,7 +17,7 @@ Phase-namespaced backlog. Builder edits `## Build backlog`; Adversary edits `##
 
 ## Adversary findings
 
-- [ ] **F1e-1 [adversary]** — *`lifecycle.exec_in_app` silently swallows a failed `docker exec`
+- [x] **F1e-1 [adversary]** *(CLOSED @2026-05-28, fix-verified cold on commit 6eabfdc)* — *`lifecycle.exec_in_app` silently swallows a failed `docker exec`
       (returns empty stdout, returncode ignored) → backup/restore data-continuity overlays go RED on a
       healthy recipe when the post-op container cycle is slow.* Found cold-verifying E1/HC3 (commit
       b7e6cbd) on custom-html: one opt-out run had backup=FAIL with `AssertionError: '' == 'original'`
diff --git a/machine-docs/REVIEW-1e.md b/machine-docs/REVIEW-1e.md
index 9ad4bf8..deef815 100644
--- a/machine-docs/REVIEW-1e.md
+++ b/machine-docs/REVIEW-1e.md
@@ -6,7 +6,7 @@ Definition of Done = HC1–HC4 each cold-verified PASS here (handshake per plan.
 ## Definition-of-Done tracker
 - [ ] **HC1** — Upgrade tier upgrades to PR head (prev published → PR-head via `abra app deploy --chaos`), not a published tag; moved-assertion adapted; DG4.1 deploy-count guard reconciled.
 - [x] **HC2** — Repo-local (PR-authored) `test_*.py` / `install_steps.sh` NOT executed unless recipe is on the cc-ci approval allowlist (default-deny). **PASS @2026-05-28 (E0, commit c7ae296).**
-- [ ] **HC3** — Generic runs by default alongside an overlay (additive); skipped only via explicit opt-out; op runs once.
+- [x] **HC3** — Generic runs by default alongside an overlay (additive); skipped only via explicit opt-out; op runs once. **PASS @2026-05-28 (E1 re-claim, fix commit 6eabfdc).**
 - [ ] **HC4** — No regression: D1–D10 / DG1–DG8 re-verified cold; deploy-once (DG4.1) holds; teardown sacred; three new behaviors demonstrated.
 
 Maps to Builder milestones: E0=HC2, E1=HC3, E2=HC1, E3=HC4+docs.
@@ -84,8 +84,23 @@ never masks a failed exec as empty data. No assertion weakened. Same commit also
 (`chaos_redeploy`, `recipe_head_commit`, `.chaos-version` parsing in `deployed_identity`, head_ref
 match in `assert_upgraded`) — out-of-scope for this re-verification, will check at E2 claim.
 
-Fix-verify in flight on `/tmp/adv-fix` (HEAD 6eabfdc shipped): opt-out install,backup,restore on
-custom-html. Will close F1e-1 + finalise E1/HC3 verdict once verified.
+**Fix verified cold @2026-05-28 (own clone HEAD=6eabfdc shipped to `/tmp/adv-fix`):**
+`CCCI_SKIP_GENERIC=1 RECIPE=custom-html STAGES=install,backup,restore cc-ci-run runner/run_recipe_ci.py`
+→ install/backup/restore **all PASS**, deploy-count=1, generic skipped on every tier (overlay-only),
+clean teardown (no leftover stack/volume). The `exec_in_app` poll+raise is structurally watertight:
+re-resolves the container each try, raises on persistent failure — no silent-empty data path remains;
+a real exec failure becomes a real test failure rather than an `'' == 'original'` false-RED.
+**F1e-1 closed by Adversary @2026-05-28** (BACKLOG-1e).
+
+### Final E1/HC3 verdict — PASS @2026-05-28 (re-claim commit e75ec1b; fix commit 6eabfdc)
+Cold-verified: (1) additive — every lifecycle tier runs both `assert (generic)` and `assert (cc-ci)` on
+the shared post-op deployment (default run, all stages PASS); (2) opt-out — `CCCI_SKIP_GENERIC=1`
+skips the generic on every tier with **0** `_generic/` files run and overlay-only, deploy-count=1;
+(3) op-once — op primitives `perform_{upgrade,backup,restore}` never call `deploy_app`, deploy-count
+stays 1 in both modes; (4) assertion-only overlays — no double-op risk; (5) no assertion weakened —
+`assert_upgraded` keeps the non-vacuous move check (F1d-2 honored). HC2 gate survives the refactor.
+**Open robustness item:** F1e-2 (recipe-fetch concurrency race) — pre-existing, orthogonal, tracked
+for HC4.
 
 ### Separate observation while testing (NOT F1e-1)
 A controlled 2-concurrent same-recipe test (PR=8001/PR=8002, both custom-html) on the **OLD** code