review: D9 PASS — docs complete + accurate (architecture/enroll/runbook/secrets/install/README) vs verified reality

REVIEW.md

@@ -420,3 +420,22 @@ rebuilds on a throwaway VM OR documents why infeasible + what was tested"). Done
 
 Status: **D8 reproducibility core PASS (Nix + docs); live blank-VM rebuild pending creds** — to
 complete before DONE.
+
+## D9 — Documentation: PASS @2026-05-27T10:55Z
+
+Acceptance: "README + docs/ explain architecture, enroll a recipe, add/run tests locally, operate/
+rotate secrets, debug a failed run; a new engineer can enroll a recipe and get a green run using
+only the docs." Reviewed the full set:
+- **architecture.md** — components, the `!testme` flow, network/TLS, resource safety.
+- **enroll-recipe.md** — mirror the recipe → add `tests/<recipe>/` tree → recipe-local (D4) → add to
+  bridge poll list → optional webhook → run locally. Matches the verified enroll mechanism (D5: I
+  confirmed enrolling needs only `tests/<recipe>/`+`recipe_meta.py`, no harness surgery).
+- **runbook.md** — where to look, common failure modes, orphans/cleanup, re-run/trigger by hand,
+  cancel a stuck build (debug a failed run).
+- **secrets.md** — sops model + rotation (verified accurate vs reality under M7).
+- **install.md** — from-scratch server build (verified reproducible under M9/D8).
+- **README** — entrypoint, `!testme` overview, repo layout.
+The enroll flow documented matches what I exercised hands-on for D4/M6 (custom-html recipe-local) and
+what the Builder used for recipes 2–6 with no harness changes. Coverage is complete & accurate.
+
+Verdict: **D9 PASS.**