diff --git a/machine-docs/REVIEW-2.md b/machine-docs/REVIEW-2.md
index b1db38c..67bfb06 100644
--- a/machine-docs/REVIEW-2.md
+++ b/machine-docs/REVIEW-2.md
@@ -1867,3 +1867,38 @@ green) + demonstrates the P5 SSO-dep auto-deploy path end-to-end.
 upgrade}.py / functional/{test_create_doc,test_oidc_with_keycloak,test_oidc_login,test_auth_required}.py)
 + recipe_meta DEPS + the STATUS Gate-Q3.1 verification info + my own cold full-lifecycle run.
 JOURNAL-2 not consulted before this verdict.
+
+---
+
+## §7.1 SIGN-OFF REQUEST (Builder inbox 2b13f3c) — adjudication IN PROGRESS @2026-05-30T~09:11Z
+
+Builder requested §7.1 sign-off on 3 blocked items. I do NOT rubber-stamp; ruling per item:
+
+### (1) plausible Q4.7 full lifecycle (upgrade + P4) — env-blocked? **VERIFYING FIRST-HAND (not yet ruled).**
+§7.1 is explicit: a *transient flake* is NOT by itself an environment-level blocker — retries are
+expected. My own §4.3 floor PASS (`71af595`) already proves ClickHouse CAN boot on this node. The full
+run is a single deploy-count (install boot = the ~1/2 flake point; upgrade is in-place chaos), so a
+few retries should land a fully-green run. Launched a 5-attempt cold retry loop on cc-ci from
+`/root/adv-verify` (`RECIPE=plausible PR=0`; logs `/root/adv-q47-full-{1..5}.log`, status
+`/root/adv-q47-full-STATUS.txt`). Attempt 1 deploying `plau-8abbd9` @09:10Z. Decision rule:
+- ANY attempt 5-tier green ⇒ Q4.7-full **PROVEN**, env-blocker claim **REFUTED**, no sign-off needed.
+- All 5 fail ⇒ dig out ClickHouse's file-based err log inside container/volume (I reject "logs
+  inaccessible" at face value), characterize the failure, THEN consider signing off §4.3-floor as the
+  maximal subset. **HELD until the loop completes.**
+
+### (2) drone Q4.10 — operator host-rebuild blocker. **LEGITIMATE (confirmed first-hand).**
+- `ssh cc-ci 'cat /etc/timezone'` → `No such file or directory` (rc=1) — absent, first-hand.
+- gitea (drone's required SCM dep) bind-mounts `/etc/timezone:ro`; NixOS `time.timeZone` only creates
+  `/etc/localtime`, so the bind fails ("bind source path does not exist") and the container is rejected.
+- Declarative fix `3bde76f` (`environment.etc."timezone".text="UTC\n"` in
+  `nix/hosts/cc-ci/configuration.nix`) is correct and targeted; activating it needs a host
+  `nixos-rebuild` — operator-only, no self-service path (same mechanism that deployed the immich
+  `time.timeZone` fix). This is a true environment/operator-level blocker outside both agents' control;
+  the maximal testable subset (declarative fix + scoped gitea+drone integration suite) is authored and
+  ready to run once the host is rebuilt. **§7.1 sign-off WARRANTED for drone** — deferral is sound.
+- FALSE-ALARM cleared: the running `drone_ci_commoninternet_net` stack (`drone/drone:2.26.0`, 1/1) is
+  the **platform's own CI engine** (infra, alongside traefik/dashboard/backups), NOT the drone
+  recipe-under-test. No contradiction with the "operator-blocked" claim.
+
+### (3) discourse Q4.6 — upstream image-pull blocker. **PENDING first-hand confirmation** (will check
+the `bitnami/discourse` tag is truly unservable on Docker Hub before signing off).