From 1d99f91b44d91a75cc8e54352a6cdfadb5344dd9 Mon Sep 17 00:00:00 2001
From: autonomic-bot <maxf.account@proton.me>
Date: Fri, 29 May 2026 22:20:35 +0100
Subject: [PATCH] status/backlog(2): Q4.10 drone BLOCKED on operator host
 /etc/timezone deploy (3bde76f); surfaced

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 machine-docs/BACKLOG-2.md |  8 +++++++-
 machine-docs/STATUS-2.md  | 23 +++++++++++++++++++++--
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/machine-docs/BACKLOG-2.md b/machine-docs/BACKLOG-2.md
index 5a7a549..4c17558 100644
--- a/machine-docs/BACKLOG-2.md
+++ b/machine-docs/BACKLOG-2.md
@@ -216,7 +216,13 @@ Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase2-recipe-tests.md`
       sendmail inject → doveadm search deliver/store/fetch). TLS_FLAVOR=notls (avoids certdumper/ACME);
       in-container mail tools (notls disallows network plaintext auth). Commits 916bdd8+8844943; log
       ccci-mailu-full2.
-- [ ] **Q4.10** — drone: enroll; specific (create/list builds via API).
+- [~] **Q4.10** — drone: **BLOCKED on host /etc/timezone deploy (operator) @2026-05-29.** drone needs
+      a gitea SCM dep to boot; gitea binds /etc/timezone (absent on NixOS host → container rejected,
+      proven via smoke). Declarative fix committed `3bde76f` (environment.etc.timezone=UTC); needs an
+      operator nixos-rebuild (no self-service path). Full gitea+drone integration SCOPED + ready
+      (JOURNAL-2 f86a58a: tests/gitea dep + tests/drone DEPS=["gitea"] + install_steps OAuth-app wiring).
+      §4.3 build-creation = disproportionate sub-deferral (OAuth-token+repo+webhook) → maximal subset
+      (drone boots w/ gitea SCM) + §7.1 sign-off. See STATUS-2 ## Blocked + DEFERRED.md 2026-05-29 drone.
 - [ ] **Q4.11** — Q4 gate: each recipe green with parity + specific.
 
 ### Q5 — Completeness + docs
diff --git a/machine-docs/STATUS-2.md b/machine-docs/STATUS-2.md
index 83cde70..be441bc 100644
--- a/machine-docs/STATUS-2.md
+++ b/machine-docs/STATUS-2.md
@@ -56,6 +56,15 @@ recipe-PR can't unblock testing until upstream releases a fixed version (same cl
 Scaffolding staged (recipe_meta + postgres-P4 overlays + health, commit ca7acf3); §4.3 create-topic not
 written (deploy blocked). DEFERRED.md 2026-05-29 discourse entry. Node fully torn down/clean.
 **Q4.9 mailu — ✅ Adversary PASS @2026-05-29 (REVIEW-2 `2958eb6`); P4-N/A §7.1 sign-off GRANTED. DONE.**
+
+**Q4.10 drone — BLOCKED on a host /etc/timezone deploy (operator) @2026-05-29.** drone (last §5
+recipe) is a CI server that REQUIRES a git-provider SCM to boot; its only dep is **gitea**, which
+binds `/etc/timezone:ro` — absent on the NixOS host (`time.timeZone` makes only /etc/localtime). gitea
+container REJECTED (proven via the drone+gitea smoke). **Declarative fix committed `3bde76f`**
+(`environment.etc.timezone=UTC`); needs the operator host-deploy (`nixos-rebuild`, same mechanism as
+the immich time.timeZone fix — no self-service path; `/root/cc-ci` is operator-synced + stale). The
+full gitea+drone integration is SCOPED + ready (JOURNAL-2 `f86a58a`); §4.3 build-creation is a
+disproportionate sub-deferral (maximal-subset + §7.1 sign-off). See ## Blocked + DEFERRED.md.
 install+upgrade(3.0.0→3.0.1)+custom green; backup/restore N/A-skip (no backupbot → P4 N/A, §7.1
 sign-off requested); 2 functional (create-mailbox + send→deliver→fetch mail-flow). TLS_FLAVOR=notls;
 in-container sendmail/doveadm. Commits 916bdd8+8844943; log ccci-mailu-full2. **NEXT: drone Q4.10**
@@ -606,8 +615,18 @@ ssh cc-ci 'cd /root/cc-ci && cc-ci-run -m pytest tests/unit -v && RECIPE=custom-
 ```
 
 ## Blocked
-**(none) — the Docker Hub rate-limit block is RESOLVED @2026-05-28 ~22:10Z. Awaiting Adversary
-re-verify of the 3 conditions (immediate relief already confirmed by Adversary in REVIEW-2).**
+**Q4.10 drone — OPERATOR host-deploy needed @2026-05-29.** drone's required gitea SCM dep binds
+`/etc/timezone`, absent on the NixOS host. Declarative fix committed (`3bde76f`,
+`environment.etc.timezone=UTC` in `nix/hosts/cc-ci/configuration.nix`) but needs a host
+`nixos-rebuild` to activate (no self-service path on the host; `/root/cc-ci` is operator-synced + currently
+stale re this commit — same operator deploy mechanism that activated the immich `time.timeZone` fix).
+**Operator action:** sync `/root/cc-ci` + `nixos-rebuild switch --flake /root/cc-ci#cc-ci`, then verify
+`ssh cc-ci 'cat /etc/timezone'`=UTC. Once deployed, the Builder executes the scoped gitea+drone
+integration (JOURNAL-2 `f86a58a`). DEFERRED.md 2026-05-29 drone entry has the full detail. This blocks
+ONLY drone (the last §5 recipe); all other §5 recipes are enrolled (mumble/mailu PASS this session;
+discourse deferred-sound; the rest PASS earlier).
+
+**(historical) Docker Hub rate-limit block — RESOLVED @2026-05-28 ~22:10Z** (Adversary-confirmed).
 
 **Docker Hub rate-limit fix — DONE (registry-creds finding, plan §1.5), all 3 conditions met.**
 Operator provided a read-only PAT (`DOCKERHUB_USERNAME=nptest2` + `DOCKERHUB_TOKEN` in `.testenv`).