review(M1): PASS — tagged-gate + trigger + mirror-sync + all-21-enrolled + weekly timer cold-verified; live canonical records tag commit df2e273; 295 unit pass from fresh clone. No VETO

machine-docs/REVIEW-canon.md

@@ -77,3 +77,76 @@ when claimed:
 - **Still owed for M1 claim:** M1.2 `sweep_decision(recipe, latest_tag, canon_version)` →
   run|skip:no-new-version|skip:never-released keyed on `version_key` NOT commit; mirror-sync via
   `open-recipe-pr.sh --reconcile-only` (faithful, vendored); cold-run ON THE TAG. Unit tests for all.
+
+---
+
+## M1: PASS @ 2026-06-17T07:12Z — machinery cold-verified (claim 626badd, code @ d4cc9e4)
+
+Verified from a COLD start: my own clone for code/pure-logic, a fresh independent clone on cc-ci
+(`/tmp/adv-canon` @ 626badd) for the unit suite, and a cold `ssh cc-ci` for live state. I did NOT
+read JOURNAL-canon.md before forming this verdict. Every M1 sub-claim re-derived against the plan,
+not the Builder's narrative.
+
+**M1.1 tagged-promote gate (§2.A) — PASS.**
+- Code: `should_promote_canonical` returns `is_enrolled and overall==0 and not quick and not ref and
+  tagged`; caller computes `tagged = is_released_version(recipe, head_version)`; `promote_canonical`
+  now records the TESTED `head_version` (commit d4cc9e4), not a re-derived `latest_version`. My prior
+  PROBE (head_version-vs-latest_version divergence on a manual `RECIPE=<r>` run) is CLOSED by d4cc9e4
+  — read the diff, it promotes exactly the tested version.
+- Unit: ran `tests/unit/test_promote.py` myself in the fresh cc-ci clone — all 6 pass, each gate
+  clause individually exercised (`test_no_promote_when_untagged` asserts `tagged=False → False`;
+  all-conditions asserts `tagged=True → True`). Not hollow.
+- Live PROMOTE: re-derived `git rev-list -n1 1.13.0+1.31.1` = `df2e27339f983a25da548fc8b8d56e9af8645f83`
+  and `/var/lib/ci-warm/custom-html/canonical.json` records EXACTLY that commit + version
+  `1.13.0+1.31.1`, status idle, retained volume `warm-custom-html_..._content` present. So the promote
+  recorded the tag's own commit (correcting samever's earlier `2b82eba` merge-commit record) — the
+  divergence fix is live-proven, not just unit-tested.
+- Live UNTAGGED → NO PROMOTE: independently confirmed `1.13.1+1.31.1` is `NOT-A-TAG` in the custom-html
+  clone → `is_released_version` returns False → gate blocks. canonical.json is unchanged (still
+  df2e273). The full live tagged-vs-untagged e2e is M2.4; at M1 the code + unit + live-not-a-tag +
+  unchanged-canonical chain is sufficient.
+
+**M1.2 release-tag trigger + faithful mirror-sync (§2.C/§2.D) — PASS.**
+- `sweep_decision` re-derived directly (no pytest) — truth table exactly right and VERSION-keyed, not
+  commit-keyed: new>canon→run; equal→skip no-new-version; older→skip; no tag→skip never-released; no
+  canon→run(seed). The function takes only (latest_tag, canon_version) — it CANNOT see commits, so new
+  untagged commits on `main` can never trigger a run. That IS the operator's refinement.
+- `scripts/recipe-mirror-sync.sh` read in full: pins an explicit coopcloud `upstream` remote, force-
+  syncs mirror `main := upstream/main` + all tags, pushes NOTHING of our own. PR close is gated on
+  `git merge-tree --write-tree NEW_MAIN_SHA <pr-head>` == upstream `MAIN_TREE` (i.e. the PR's merge is
+  a no-op because it's already in upstream) → close; otherwise "left as-is". Faithful, never merges,
+  never disturbs unrelated PRs.
+- `nightly_sweep.sweep()` wiring read: per enrolled recipe `mirror_sync → fetch_recipe →
+  sweep_decision → run_on_tag` (checkout the release tag + `CCCI_SKIP_FETCH=1` so head IS the tag →
+  tagged-gate passes; REF popped → cold → promote allowed). Pure script.
+
+**M1.3 all recipes enrolled (§2.B) — PASS.** My `grep -rl 'WARM_CANONICAL = True'` set is EXACTLY the
+21 `used-recipes.md` rows (incl. `uptime-kuma`, the lone `external` row — correctly enrolled for
+CI/canonical even though excluded from weekly upgrade). Fixtures (`custom-html-*-bad`, `concurrency`,
+`regression`) NOT enrolled.
+
+**M1.4 hollow-sweep fix — PASS (code; live is M2.1).** `nix/modules/nightly-sweep.nix` exports
+`CCCI_REPO=/etc/cc-ci`, `cd`s there, and execs `$CCCI_REPO/runner/nightly_sweep.py` — the checkout WITH
+`tests/`, replacing the store copy whose missing `tests/` caused `enrolled_recipes()=[]`. Root cause
+correctly addressed in code. ⚠️ CARRIED TO M2: `/etc/cc-ci` is currently STALE — `git -C /etc/cc-ci`
+HEAD is `e60415d` (Phase-3 era), canon code NOT yet there. M2.1 deploy MUST `git -C /etc/cc-ci pull`
+before `nixos-rebuild`, else the deployed timer stays hollow. I will verify the pull + a real fire at
+M2.5.
+
+**M1.5 weekly timer (§2.F) — PASS (code).** `OnCalendar = "Sun *-*-* 03:00:00"`, `Persistent = true`.
+Deployed-timer schedule verified at M2.
+
+**Guardrail NO-AI-at-runtime — PASS.** grep of `nightly_sweep.py` / `warm_reconcile.py` /
+`recipe-mirror-sync.sh` for anthropic|claude|openai|llm|gpt|ai_ → only one code COMMENT match, zero
+calls. Pure script + systemd timer.
+
+**Full unit suite — PASS.** Ran `cc-ci-run -m pytest tests/unit/` in the fresh independent cc-ci clone
+@ 626badd → **295 passed in 5.60s**, matching the claim. Enrolling 21 recipes broke nothing.
+
+**Minor narrative note (not a defect):** the claim cites proof-A ts `065027Z` but live canonical ts is
+`065532Z`; promoting the same tag again yields the same version+commit (only ts moves), so this is a
+benign re-run, not a divergence — the recorded version/commit are correct either way.
+
+**Verdict: M1 PASS.** No VETO. All M1 DoD items cold-verified; the deployed-state items (M1.4 live,
+M1.5 timer schedule) are honestly scoped by the Builder to M2 and I will hold them there. (Consulted
+JOURNAL-canon.md only AFTER writing this verdict: no surprises — confirms the proof-A/C sequence.)