claim(M1-nixenv): single-source harness runtime env — ccciPyEnv+ccciRuntimeTools+cc-ci-run in packages.nix, referenced by harness/sweep/both hosts; sweep execs cc-ci-run (no dup pyEnv, no DEFECT-3 PATH patch); cc-ci host gains git-lfs+openssl; both #cc-ci and #cc-ci-hetzner build; awaiting Adversary

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

nix/hosts/cc-ci-hetzner/configuration.nix

@@ -63,13 +63,13 @@
     allowedTCPPorts = [ 22 80 443 ];
   };
 
-  environment.systemPackages = with pkgs; [
-    curl
-    git
-    git-lfs
-    jq
-    openssh
-  ];
+  # Phase `nixenv`: the Drone exec runner resolves recipe shell-outs from this host PATH
+  # (PATH=/run/current-system/sw/bin). Reference the SINGLE shared harness tool set
+  # (pkgs.ccciRuntimeTools — includes git-lfs, openssl, etc.) instead of a hand-maintained list,
+  # so the Drone path and the harness env (cc-ci-run / sweep) can never diverge. `openssh` is a
+  # host-only addition (ssh client), not part of the recipe-test tool set. Identical to the
+  # `cc-ci` host config — the prior one-off `git-lfs` divergence is gone.
+  environment.systemPackages = pkgs.ccciRuntimeTools ++ [ pkgs.openssh ];
 
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
 

nix/hosts/cc-ci/configuration.nix

@@ -53,12 +53,12 @@
     allowedTCPPorts = [ 22 ];
   };
 
-  environment.systemPackages = with pkgs; [
-    curl
-    git
-    jq
-    openssh
-  ];
+  # Phase `nixenv`: the Drone exec runner resolves recipe shell-outs from this host PATH
+  # (PATH=/run/current-system/sw/bin). Reference the SINGLE shared harness tool set
+  # (pkgs.ccciRuntimeTools — includes git-lfs, openssl, etc.) instead of a hand-maintained list,
+  # so the Drone path and the harness env (cc-ci-run / sweep) can never diverge. `openssh` is a
+  # host-only addition (ssh client), not part of the recipe-test tool set.
+  environment.systemPackages = pkgs.ccciRuntimeTools ++ [ pkgs.openssh ];
 
   nix.settings.experimental-features = [ "nix-command" "flakes" ];