review(1e): E3/HC4 PASS + FINAL — own !testme build #155 production cold (head_ref==chaos-version full sha, additive, deploy-count=1, no secret leak, clean teardown); NO VETO — Builder may write ## DONE

2026-05-28 04:24:57 +01:00
parent 6397cd5609
commit 4cf40c6334


@ -7,7 +7,7 @@ Definition of Done = HC1HC4 each cold-verified PASS here (handshake per plan.
- [x] **HC1** — Upgrade tier upgrades to PR head (prev published → PR-head via `abra app deploy --chaos`), not a published tag; moved-assertion adapted; DG4.1 deploy-count guard reconciled. **PASS @2026-05-28 (E2, commit 7472561).**
- [x] **HC2** — Repo-local (PR-authored) `test_*.py` / `install_steps.sh` NOT executed unless recipe is on the cc-ci approval allowlist (default-deny). **PASS @2026-05-28 (E0, commit c7ae296).**
- [x] **HC3** — Generic runs by default alongside an overlay (additive); skipped only via explicit opt-out; op runs once. **PASS @2026-05-28 (E1 re-claim, fix commit 6eabfdc).**
- [ ] **HC4** — No regression: D1D10 / DG1DG8 re-verified cold; deploy-once (DG4.1) holds; teardown sacred; three new behaviors demonstrated.
- [x] **HC4** — No regression: D1D10 / DG1DG8 re-verified cold; deploy-once (DG4.1) holds; teardown sacred; three new behaviors demonstrated. **PASS @2026-05-28 (E3, build 155 own `!testme` on custom-html PR#2).**
Maps to Builder milestones: E0=HC2, E1=HC3, E2=HC1, E3=HC4+docs.
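Review bot: the new checked HC4 line records its PASS by build and PR only, while the HC1/HC2/HC3 entries directly above each cite the commit that was cold-verified; for parity with those entries (and with the parent commit `6397cd5` this review is a reply to), add the Builder claim commit to the annotation, e.g. `**PASS @2026-05-28 (E3, commit 6397cd5, build #155 own `!testme` on custom-html PR#2).**`, and write the build as `#155` as the commit title and the rest of the file do rather than `build 155`. The unchanged `Maps to Builder milestones` line still says `E3=HC4+docs`, so the HC4 entry should also say where the docs half of E3 was checked (the DG8 note in the next hunk cites `docs/testing.md` and `docs/enroll-recipe.md`) instead of leaving it implicit.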
@ -136,6 +136,59 @@ no-head_ref path is unchanged; production `!testme` always sets `$REF`). HC3 add
**Phase-1e D-o-D tracker:** HC1 ✓ HC2 ✓ HC3 ✓ — three corrections all Adversary-verified cold.
**Pending:** HC4 (no-regression D1D10/DG1DG8) — re-verify when Builder claims E3.
### E3 / HC4 — no regression, three new behaviors live — PASS @2026-05-28 (Builder claim 6397cd5)
**Gold-standard cold verification = my own `!testme` end-to-end.** Posted three comments by the bot on
`recipe-maintainers/custom-html` PR#2 (head `db9a9502`, "upgrade to 1.13.0+1.31.1"):
- id 13755: `!testmexyz adversary-1e-HC4 ...` — **negative control** (D1 reject) → no trigger ✓
- id 13756: `!testme adversary-1e-HC4 ...` — **negative control** (extra text after !testme; exact-match
filter) → no trigger ✓
- id 13757: `!testme` (exact) at `03:19:25` — **positive trigger**.
**Bridge → Drone → runner production chain (Drone build #155):**
- **D1 latency:** triggered build 155 at `03:19:34` — **9 s** after comment (well under 60 s).
- **D1 dedup/auth:** only id 13757 triggered; 13755+13756 cleanly ignored; PR-comment reflection (id
13758): `cc-ci: run for custom-html @ db9a9502 ✅ passed → …/cc-ci/155`.
- **HC1 live:** build log shows `upgrade→PR-head: head_ref=db9a9502 chaos-version=db9a9502
version=1.10.0+1.28.0→1.13.0+1.31.1`. **Full-sha match `db9a9502 == db9a9502`** — `$REF` flowed
bridge→Drone→runner→re-checkout→chaos deploy correctly. PR-head code under test demonstrably
deployed in production.
- **HC3 additive in production:** every lifecycle tier ran BOTH `assert (generic): tests/_generic/
test_<op>.py` AND `assert (cc-ci): tests/custom-html/test_<op>.py`, all **PASSED** (8 assertions
across install/upgrade/backup/restore).
- **HC2 in production:** custom-html not on the allowlist → no repo-local consulted; cc-ci + generic
only (matches HC2 default-deny behavior under load).
- **DG4.1:** `deploy-count = 1 (expect 1)` ✓
- **F1e-1 fix under real load:** `test_backup_captures_state PASSED` (the previously failing
assertion). The poll+raise hardening of `exec_in_app` survives a production-pipeline run.
- **D6 secret-leak grep:** 58 infra-secret values (tokens, HMAC, RPC, OAuth, cert/key) checked
against the full published build #155 log — **zero matches**; sensitive-pattern sweep clean.
- **Teardown sacred:** post-build, `docker stack ls | grep cust` → none; `docker volume ls | grep
cust` → none. ✓
**No regression on the D-gate / DG-gate surface I can attribute to 1e changes:**
- DG1 serving (assert_serving in every tier), DG2 upgrade non-vacuous (head_ref match
+ monkey-patched mismatch raise), DG3 backup-capable detect (custom-html backup-cap = true; flowed
through), DG4 overlay precedence (gated by HC2), DG4.1 deploy-once, DG5 install-steps hook
resolution (HC2 verified hook still resolves; not e2e-re-exercised here because custom-html ships no
hook), DG6 full integration (build #155 above), DG7 DRY/teardown-always, DG8 docs (`docs/testing.md`
+ `docs/enroll-recipe.md` both updated for HC1/HC2/HC3 and accurately describe the new behavior).
- D1 trigger / dedup / outcome reflection all live in build #155.
- D6 secrets verified clean as above.
**F1e-2** (pre-existing concurrent `abra recipe fetch` race) — confirmed not a 1e regression by the
Builder's status; tracked in BACKLOG-1e for HC4 visibility, not blocking DONE (Drone caps `MAX_TESTS=1`
in current config, so practical impact bounded; surface again at breadth-ramp).
**Verdict: PASS. NO VETO.** All four HC items Adversary cold-verified within the last 24 h
(HC1/HC2/HC3/HC4 ✓). Builder may write `## DONE` to `STATUS-1e.md`.
## Final summary — Phase 1e cold verification
HC1 ✓ (E2, commit 7472561 + build #155 head_ref==chaos-version)
HC2 ✓ (E0, commit c7ae296 + hostile-code probe)
HC3 ✓ (E1, commit e75ec1b + F1e-1 fix 6eabfdc verified cold)
HC4 ✓ (E3, commit 6397cd5 + own !testme build #155 production-chain cold)
Findings: F1e-1 CLOSED (fixed + re-verified). F1e-2 OPEN (pre-existing, not a 1e regression).
### Separate observation while testing (NOT F1e-1)
A controlled 2-concurrent same-recipe test (PR=8001/PR=8002, both custom-html) on the **OLD** code
showed run-a die in `abra recipe fetch custom-html -n` (rc=1) — concurrent rm-rf + abra-fetch on the
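Review bot: the two unchanged context lines at the top of this hunk, `**Phase-1e D-o-D tracker:** HC1 ✓ HC2 ✓ HC3 ✓` and `**Pending:** HC4 ... re-verify when Builder claims E3`, are now contradicted by the E3/HC4 PASS section inserted immediately below them and by the `## Final summary` that lists HC4 ✓; update the tracker to `HC1 ✓ HC2 ✓ HC3 ✓ HC4 ✓` and close or drop the Pending line in this same commit, otherwise the file states HC4 as both pending and passed. Two smaller points on the evidence lines: the D6 check as written greps 58 literal secret values against the build #155 log, which does not catch a value that surfaces base64-, hex- or URL-encoded in a log line, so either state that encoded forms were part of the `sensitive-pattern sweep` or add them; and the teardown check `docker stack ls | grep cust` / `docker volume ls | grep cust` is a substring match, so quoting the exact stack and volume names the deploy step created makes the `none` result unambiguous rather than relying on a prefix.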