diff --git a/BACKLOG-1b.md b/BACKLOG-1b.md new file mode 100644 index 0000000..4e66409 --- /dev/null +++ b/BACKLOG-1b.md @@ -0,0 +1,28 @@ +# BACKLOG — Phase 1b (review & lint pass) + +Phase-namespaced backlog. Builder owns `## Build backlog`; Adversary owns `## Adversary findings`. + +## Build backlog + +### W0 — Tooling + format (RL1) +- [ ] Add lint tooling to the flake: a `lint` devshell (nixpkgs-fmt, statix, deadnix, ruff, + shellcheck, shfmt, yamllint) built from the pinned nixpkgs. +- [ ] Add a `lint` entrypoint script (`scripts/lint.sh`) with check + `--fix` modes; tool configs + (ruff, yamllint, etc.). +- [ ] Auto-format the codebase (nix + python + shell); commit the mechanical reformat separately. +- [ ] Fix remaining lint findings (statix/deadnix/ruff-lint/shellcheck) without weakening any test. +- [ ] Wire a `lint` stage into `.drone.yml` (push event) so future commits stay clean; verify green + in CI from a clean checkout. + +### W1 — Review checklist + fixes (RL2) +- [ ] Run the §3 white-box checklist over the codebase; classify each finding blocking vs advisory. +- [ ] Fix every blocking finding; triage advisory ones to BACKLOG/IDEAS with a one-line rationale. + +### W2 — Re-verify + document (RL3/RL4) +- [ ] After W0+W1 land, request Adversary cold re-verification of all D1–D10 (RL3). +- [ ] docs/: how to run lint/format locally + that CI enforces it (RL4); record deviations in + DECISIONS.md. +- [ ] On full PASS handshake, write `## DONE` to STATUS-1b.md. + +## Adversary findings +(empty — Adversary owns this section) diff --git a/JOURNAL-1b.md b/JOURNAL-1b.md new file mode 100644 index 0000000..d644852 --- /dev/null +++ b/JOURNAL-1b.md 
@@ -0,0 +1,24 @@ +# JOURNAL — Phase 1b (review & lint pass) + +Append-only Builder log: what I did + verifying command/output + next. (Adversary logs to REVIEW-1b.) + +--- + +## 2026-05-27 — Phase 1b kickoff (first wake) + +Read the phase plan (`plan-phase1b-review-lint.md`) + plan.md §6.1/§7/§9. Confirmed Phase 1c is +genuinely DONE (STATUS-1c `## DONE`, REVIEW-1c all C1–C7 + E2E PASS, no VETO, ADV-1c-1 closed). Phase +1b state files did not exist — seeded STATUS-1b / BACKLOG-1b / JOURNAL-1b / REVIEW-1b (stub). + +Access + environment probes: +- `ssh cc-ci 'hostname && systemctl is-system-running'` → `nixos` / `running`. +- Lint tools are NOT in the sandbox and `nix` is not installed locally, so linting must run on cc-ci + (NixOS, nix 2.24.14, flakes enabled). `nix build github:NixOS/nixpkgs/#ruff` resolves from + cache.nixos.org (ruff 0.7.3) → building a `lint` devshell from the already-pinned nixpkgs is viable + with no registry/network surprises. shellcheck-0.10.0 already realized in the host store. + +Lint-target inventory: 14 `.nix`, 32 `.py`, 1 `.sh` (`scripts/bootstrap-drone-oauth.sh`), plus +`.drone.yml` / `.sops.yaml` YAML. No prior lint/format decisions in DECISIONS.md (clean slate). + +Next: W0 — add the `lint` devshell + entrypoint + tool configs to the flake; auto-format; fix +findings; wire the `.drone.yml` lint stage. diff --git a/REVIEW-1b.md b/REVIEW-1b.md new file mode 100644 index 0000000..ca97441 --- /dev/null +++ b/REVIEW-1b.md @@ -0,0 +1,7 @@ +# REVIEW — Phase 1b (review & lint pass) + +**Adversary-owned.** Append PASS/FAIL verdicts + evidence (commands, output, timestamps) for the +Phase-1b Definition of Done (RL1–RL4) and the cold D1–D10 re-verification (RL3). The Builder does not +write here. + + diff --git a/STATUS-1b.md b/STATUS-1b.md new file mode 100644 index 0000000..978576b --- /dev/null +++ b/STATUS-1b.md 
@@ -0,0 +1,31 @@ +# STATUS — Phase 1b (review & lint pass) + +**Phase plan (SSOT):** `/srv/cc-ci/cc-ci-plan/plan-phase1b-review-lint.md` +**Loop state for THIS phase:** STATUS-1b / BACKLOG-1b / REVIEW-1b / JOURNAL-1b (DECISIONS.md shared). +The repo's STATUS.md / BACKLOG.md / REVIEW.md are Phase-1 HISTORY; STATUS-1c etc. are Phase-1c +HISTORY (DONE @2026-05-27). Neither is this phase's state. + +## Phase +Phase 1b runs **after** Phase 1 + Phase 1c (both DONE) and **before** Phase 2. It is a **bounded** +review + lint pass over the final post-1c codebase. Exit = RL1–RL4 all Adversary-confirmed in +REVIEW-1b, then `## DONE`. + +## Definition of Done (Phase 1b) +- [ ] **RL1** — Lint/format tooling added (`lint` entrypoint + Nix devshell) + wired as a `.drone.yml` + stage; whole Phase-1 codebase passes. +- [ ] **RL2** — White-box review checklist (§3) run; blocking findings fixed; advisory triaged to + BACKLOG/IDEAS. Findings + resolutions in REVIEW-1b. +- [ ] **RL3** — Full Phase-1 D1–D10 re-verification from cold start (the final gate), nothing + weakened. Adversary logs fresh PASS + evidence in REVIEW-1b within 24h. +- [ ] **RL4** — Documented: docs/ note how to run lint/format locally + that CI enforces it; accepted + deviations in DECISIONS.md. + +## In flight +**W0 — tooling + format.** Starting: add formatters/linters + `lint` entrypoint + devshell; format +codebase; wire `.drone.yml` lint stage. + +## Gate +(none yet) + +## Blocked +(none)
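Review bot: In BACKLOG-1b.md, W0, the item "Wire a `lint` stage into `.drone.yml` (push event)" does not say which mode of `scripts/lint.sh` CI runs, even though the item above it gives the script both check and `--fix` modes. State that the CI stage runs check mode only and fails the build on any finding, so the pipeline never rewrites files and a dirty commit cannot pass. The item "Fix remaining lint findings ... without weakening any test" also leaves inline suppressions open. Consider requiring that any suppression added to get to green is recorded in DECISIONS.md, the same place W2 already sends deviations.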
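Review bot: In JOURNAL-1b.md, under "Access + environment probes", the probe `nix build github:NixOS/nixpkgs/#ruff` names no revision, so the ruff 0.7.3 result describes whatever that reference resolved to at the time, not the nixpkgs pinned in this flake. The conclusion drawn from it ("building a `lint` devshell from the already-pinned nixpkgs is viable") is therefore not shown by the logged command. Re-run the probe against the flake's own pinned input and log that command and output instead. The header also promises "verifying command/output" for each entry, but the Phase 1c DONE confirmation and the 14/32/1 lint-target inventory are stated without the commands that produced them.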
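Review bot: In REVIEW-1b.md, the line "The Builder does not write here." is contradicted by this change itself, since JOURNAL-1b.md records the Builder seeding this file as a stub. Add one line saying that the stub was created by the Builder at kickoff and that everything after it is Adversary-written, so a later reader can tell seeded text from verdicts. The ownership rule is also stated by convention only. If the PASS/FAIL verdicts in this file gate `## DONE`, it is worth deciding how a Builder edit to it would be noticed. Minor: the file ends with two blank added lines, which the formatter pass planned in W0 will likely flag.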
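Review bot: In STATUS-1b.md, RL3, "Adversary logs fresh PASS + evidence in REVIEW-1b within 24h" gives a deadline without a start point. It could mean within 24h of the Builder's request, of W0+W1 landing, or of the evidence being gathered, and each reading gates `## DONE` differently. Name the event the 24h is measured from. Separately, the "Phase plan (SSOT)" line points at the absolute host path `/srv/cc-ci/cc-ci-plan/plan-phase1b-review-lint.md`, and RL2 depends on the "§3" checklist in that plan. Anyone reading the repository without access to that host cannot see what RL2 requires, so either reference a copy of the plan that lives in the repo or summarise the §3 checklist here.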