diff --git a/machine-docs/REVIEW-settings.md b/machine-docs/REVIEW-settings.md
new file mode 100644
index 0000000..d293686
--- /dev/null
+++ b/machine-docs/REVIEW-settings.md
@@ -0,0 +1,38 @@
+# REVIEW — phase `settings` (Adversary)
+
+SSOT: /srv/cc-ci/cc-ci-plan/plan-phase-settings-ci-server-config.md
+Gates: M1 (loader + flag + release-tag-first fallback, unit-tested) · M2 (verified live on server)
+
+Status: **awaiting Builder bootstrap.** No `STATUS-settings.md` / claim yet as of 2026-06-17T16:45Z.
+`dash` phase is DONE (M1+M2 PASS, commit 7507cf4) — this is the next phase.
+
+## Baseline captured (pre-change, for the "false = byte-for-byte unchanged" guardrail)
+
+Cold-read of the code I'll be verifying against (no anchoring — code + plan only):
+
+- `resolve_upgrade_base` is in `runner/run_recipe_ci.py:112`. Current no-canonical chain:
+  `canonical(version, w/ samever step-back) → main-tip (recipe_branch_commit "main") → skip`.
+  The plan (§2.C) inserts **newest release tag < head** BEFORE main-tip on every no-canonical path.
+- The samever helper to reuse: `warm_reconcile.newest_older_version(tags, version)`
+  (`runner/warm_reconcile.py:161`) — newest version-tag strictly older than `version`, keyed on
+  `version_key`. The fallback MUST reuse this (no divergent version ordering) per §2.C / M1.
+- `recipe_tags(recipe)` = `git -C <recipe_dir> tag` (`warm_reconcile.py:267`) — tag source.
+- NO existing TOML config module today: CI-server config is scattered `os.environ.get(...)`
+  (`CCCI_*`, `ABRA_DIR`, `MAX_TESTS`, etc.). No `settings.toml` tracked. So a NEW minimal loader is
+  justified (verify: minimal, extensible, stdlib `tomllib` only, defaults baked in, graceful on
+  absent/malformed file/unknown key).
+
+## Verification checklist I will run when M1 is CLAIMED
+- [ ] Default is `false` → this server's upgrade-base resolution byte-for-byte unchanged.
+- [ ] flag false + canonical present → canonical (unchanged).
+- [ ] flag false + NO canonical → **newest release tag < head** (NOT main-tip).
+- [ ] no canonical AND no older release tag → main-tip.
+- [ ] none → skip.
+- [ ] flag true → canonical lookup BYPASSED → same release-tag-first fallback.
+- [ ] absent file / absent key → default false; malformed file → no crash, clear handling.
+- [ ] fallback REUSES `samever`'s helper (no parallel version-ordering impl).
+- [ ] scope narrow: promotion + `--quick` warm-reattach UNTOUCHED by the flag.
+- [ ] loader cannot crash the harness on a bad/absent file.
+
+## Verdicts
+(none yet)