review(drone): ADV-drone-03 CRITICAL — DG4.1 always fires with cold dep (run exits 1)

deps.py module docstring says "Dep deploys DO count toward DG4.1; expected = 1 + n_cold_deps"
but deploy_deps passes _count_deploy=False, so deps never increment the counter. With gitea
as cold dep: actual=1, expected=2 → DG4.1 fires → overall=1 → CI FAIL even when all tiers
pass and level=5.

Confirmed in Builder's run 4 (/tmp/drone-m1-run4.log): install+upgrade+custom green, L5,
but deploy-count 1 != 2 (DG4.1 violation). Run exits 1.

Fix: remove _count_deploy=False from deps.py:deploy_deps (one line). Deps SHOULD count.
ADV-drone-02 also filed (dep orphan on SSO-enrichment failure). Both must be fixed before
M1 can be claimed. BUILDER-INBOX updated with priority order.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

machine-docs/BACKLOG-drone.md

@@ -180,3 +180,60 @@ if not deps_state:
 claimed. Without it, an SSO-enrichment failure silently orphans the gitea dep in violation of §9.
 
 **Status:** OPEN
+
+---
+
+### ADV-drone-03 [adversary] DG4.1 counter mismatch — run always exits 1 when cold dep deployed (CRITICAL)
+
+**Filed:** 2026-06-11T22:15Z  
+**Severity:** CRITICAL — every harness run with a cold gitea dep exits code 1 due to DG4.1
+violation, even when all tiers pass and level=5 is achieved.
+
+**Observed in Builder's run 4 (PID 2105952, /tmp/drone-m1-run4.log):**
+```
+!! deploy-count 1 != 2 (DG4.1 violation)
+deploy-count = 1 (expect 2)
+  deps deployed: ['gitea']
+results.json written: /var/lib/cc-ci-runs/manual/results.json (level=5 of 5)
+```
+All tiers passed (install, upgrade, custom green; L5), but DG4.1 sets `overall = 1` → exit code 1 → CI FAIL.
+
+**Root cause:** Internal contradiction between two parts of `deps.py`:
+
+1. **Module docstring (line 19-20):** `"Dep deploys DO count toward the DG4.1 deploy-count
+   invariant. The formula in run_recipe_ci.py is expected_deploy_count = 1 + deps_deployed_count,
+   so each dep deploy increments the counter."`
+
+2. **`deploy_deps` function (line 94):** `_count_deploy=False` → dep deploys do NOT increment
+   the counter.
+
+The formula in `run_recipe_ci.py` (line 1252) uses `expected = 1 + deps_deployed_count = 2`.
+But `_count_deploy=False` means the counter stays at 1 (only the recipe increments it).
+Result: `actual=1 != expected=2` → DG4.1 fires.
+
+**History:** `_count_deploy=False` was added in commit `1adfbd7` as a quick fix when the expected
+formula was `expected = 1`. Later the formula was generalized to `1 + deps_deployed_count` (to
+count all apps in a run), but `_count_deploy=False` was NOT reverted. The module docstring reflects
+the generalized intent; the function code reflects the stale quick-fix.
+
+**Required fix:** In `deps.py:deploy_deps` (line 94), remove or revert `_count_deploy=False`:
+```python
+# Before (wrong):
+lifecycle.deploy_app(dep, domain, ..., _count_deploy=False)
+
+# After (correct — deps DO count per module docstring + expected formula):
+lifecycle.deploy_app(dep, domain, ...)  # _count_deploy defaults to True
+```
+Also remove/update the stale comment at line 83-86 ("Dep deploys do NOT count toward DG4.1...").
+
+**Also fix:** The comment in `deploy_deps` at lines 83-86:
+```python
+# Dep deploys do NOT count toward the DG4.1 "one deploy per run" invariant — that
+# contract covers the recipe-under-test only; each dep is a supporting service, not the
+# subject of the test. Pass _count_deploy=False so the main recipe's single-deploy
+# assertion isn't distorted by the number of deps declared.
+```
+This is now wrong. Replace with: "Dep deploys DO count toward DG4.1 (see module docstring);
+`expected_deploy_count = 1 + n_cold_deps`."
+
+**Status:** OPEN — CRITICAL blocker for M1 claim. Builder's run 4 already hit this.

machine-docs/BUILDER-INBOX-drone.md

@@ -34,3 +34,29 @@ if not deps_state:
 ```
 
 Adversary veto: if M1 is claimed without this fix, I will VETO.
+
+---
+
+## ADV-drone-03 — DG4.1 always fires with cold dep [CRITICAL — IMMEDIATE BLOCKER]
+
+**Filed:** 2026-06-11T22:15Z
+
+Seen in your run 4 (`/tmp/drone-m1-run4.log`): all tiers green (L5), but:
+```
+!! deploy-count 1 != 2 (DG4.1 violation)
+```
+
+**Root cause:** `deps.py:deploy_deps` passes `_count_deploy=False` but the `deps.py` module
+docstring says "Dep deploys DO count toward DG4.1... `expected = 1 + deps_deployed_count`".
+The formula expects 2 (recipe + gitea), the counter only sees 1 (recipe). Contradiction.
+
+**One-line fix in `deps.py:deploy_deps` (line 94):**
+```python
+# Remove _count_deploy=False:
+lifecycle.deploy_app(dep, domain, secrets=True, deploy_timeout=..., meta=dm)
+# (default _count_deploy=True — deps now count per module docstring + expected formula)
+```
+Also remove the comment at lines 83-86 ("Dep deploys do NOT count...") — it contradicts
+the module docstring and is now wrong.
+
+This is the highest priority fix — nothing else matters until the run exits 0.

machine-docs/REVIEW-drone.md

@@ -142,6 +142,23 @@ when `deps_state` is empty) or option B (separate deploy from enrichment trackin
 
 **Status:** OPEN — must be fixed before M1 can be claimed.
 
+### ADV-drone-03 — DG4.1 counter mismatch; run always exits 1 with cold dep (CRITICAL)
+
+**Filed:** 2026-06-11T22:15Z — see BACKLOG-drone.md for full details.
+
+`deps.py` module docstring (line 19-20) says "Dep deploys DO count toward DG4.1;
+`expected = 1 + deps_deployed_count`." But `deploy_deps` passes `_count_deploy=False` →
+dep deploys never increment the counter. With gitea as a cold dep: `actual=1, expected=2`
+→ DG4.1 fires → `overall = 1` → CI FAIL, even when all tiers pass and level=5 is reached.
+
+**Confirmed in Builder's run 4 log** (`/tmp/drone-m1-run4.log`):
+all tiers green, L5, but `deploy-count 1 != 2 (DG4.1 violation)`.
+
+Fix: remove `_count_deploy=False` from `deploy_deps` (deps SHOULD count per the docstring
+and the expected formula). Update the stale comment that contradicts the module docstring.
+
+**Adversary position:** Veto on M1 if not fixed. Run always fails with this bug present.
+
 ---
 
 ## Standing break-it probes