From 9e73ebda3db186d85fe3aaba6266600fe1cd4f35 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Fri, 29 May 2026 09:50:39 +0100 Subject: [PATCH] =?UTF-8?q?claim(2pc):=20re-claim=20=E2=80=94=20F2pc-1=20r?= =?UTF-8?q?esolved=20(git=3D=3Dhost=3D=3Dci-docker-prune=20via=20b9bbd25)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adversary FAILed claim de6103d because that commit still named the units docker-prune while the host runs ci-docker-prune; the rename was committed in b9bbd25 (its endorsed fix) which is in the current pushed HEAD. git now defines the same ci-docker-prune units STATUS documents and the host runs. Behavior was already cold-verified GREEN. Inert NixOS-builtin docker-prune.service (inactive/linked, no timer) is unchanged by this and reproduces identically from git. Co-Authored-By: Claude Opus 4.8 (1M context) --- machine-docs/JOURNAL-2pc.md | 18 ++++++++++++++++++ machine-docs/STATUS-2pc.md | 26 +++++++++++++++++++++++--- 2 files changed, 41 insertions(+), 3 deletions(-) diff --git a/machine-docs/JOURNAL-2pc.md b/machine-docs/JOURNAL-2pc.md index 9b719d0..9da0c5e 100644 --- a/machine-docs/JOURNAL-2pc.md +++ b/machine-docs/JOURNAL-2pc.md 
@@ -96,3 +96,21 @@ reaches this under ≥80% disk, but the command's effect is the same): no `--all`, so nothing tagged or container-referenced was touched. Confirms: disk stays bounded WITHOUT `-af`; the policy reclaims real space from old orphaned layers while keeping the warm cache intact. + +## 2026-05-29 — F2pc-1 (committed≠host) resolution + claim discipline + +Adversary FAILed gate 2pc on F2pc-1: at claim commit `de6103d` the committed `docker-prune.nix` still +named units `docker-prune` while the verified host runs `ci-docker-prune` → git wouldn't reproduce +the verified system (D8). Root cause: I renamed the units locally (sed) + synced to host + verified, +but the rename rode in a SEPARATE commit (`b9bbd25`) pushed AFTER the `claim(` commit — and the +Adversary cold-verified the claim commit's tree. Behavior was GREEN; only the artifact lagged. + +`b9bbd25` already committed the rename (git == host == ci-docker-prune), which is the Adversary's own +endorsed fix. Confirmed current HEAD: `grep systemd.(services|timers)` → ci-docker-prune; host module +matches; host runs ci-docker-prune.timer enabled+active; builtin docker-prune.service inactive/linked +(inert NixOS default, never triggered with autoPrune off). Re-claimed. + +**Lesson (now a standing rule, orchestrator):** before ANY gate claim, `git status` must be clean — +everything committed AND pushed — because the Adversary cold-verifies from a fresh clone. A fix built +locally but uncommitted (or trailing the claim commit) is a guaranteed cold-build mismatch. The claim +commit must be the LAST thing, with the verified artifact already in it. diff --git a/machine-docs/STATUS-2pc.md b/machine-docs/STATUS-2pc.md index ea436dd..c07880c 100644 --- a/machine-docs/STATUS-2pc.md +++ b/machine-docs/STATUS-2pc.md 
@@ -5,10 +5,30 @@ local-store retention/auth. **Registry pull-through cache DROPPED** (deferred → `cc-ci-plan/IDEAS.md` + DECISIONS Phase-2pc; no registry code was written). -## Gate: 2pc — CLAIMED, awaiting Adversary +## Gate: 2pc — RE-CLAIMED (F2pc-1 resolved), awaiting Adversary -All of PC1/PC2/PC3 implemented, deployed to cc-ci, and Builder-verified on the real host. Commit -sha for this claim: see `claim(2pc)` HEAD. WHAT / HOW / EXPECTED / WHERE below. +All of PC1/PC2/PC3 implemented, deployed to cc-ci, and Builder-verified on the real host. WHAT / HOW +/ EXPECTED / WHERE below. + +**F2pc-1 (committed code ≠ deployed host) — RESOLVED.** The Adversary cold-verified the *behavior* +GREEN but FAILed the gate because it verified the **stale claim commit `de6103d`**, whose +`docker-prune.nix` still named the units `docker-prune` while the host runs `ci-docker-prune`. That +rename was already committed in **`b9bbd25`** (landed before the verdict) — which is exactly the +Adversary's endorsed fix ("commit the deployed ci-docker-prune naming"). **Current pushed HEAD now +has git == host == `ci-docker-prune`:** +```sh +# committed git defines the SAME units STATUS documents + the host runs: +grep -nE 'systemd\.(services|timers)\.' nix/modules/docker-prune.nix # EXPECT: ci-docker-prune (services+timers), introduced by b9bbd25 +git log --oneline -1 -- nix/modules/docker-prune.nix # EXPECT: b9bbd25 rename commit +ssh cc-ci 'systemctl is-active ci-docker-prune.timer' # EXPECT: active (matches a from-git rebuild) +``` +The NixOS-builtin `docker-prune.service` is `inactive`/`linked` (and `docker-prune.timer` is +`not-found`): that unit is defined by the NixOS docker module whenever Docker is enabled, has **no +timer and no `wantedBy`** with autoPrune off, so it **never runs** — it is not a leftover of this +change and a fresh from-git rebuild produces the identical inert unit. 
The unit name is determined +literally by the attribute in `docker-prune.nix`, so a from-git build yields `ci-docker-prune.*`. + +(Claim discipline now followed: working tree committed + pushed + `git status` clean before this claim.) ---
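Review bot: the standing rule in the JOURNAL hunk ("`git status` must be clean — everything committed AND pushed") is weaker than the failure it is meant to prevent, because a clean `git status` only proves the working tree matches HEAD, not that HEAD is what the Adversary's fresh clone will see. Since F2pc-1 was exactly a pushed-after-the-claim mismatch, suggest stating the check in terms of the remote: `git fetch` and then confirm `git status -sb` reports neither "ahead" nor "behind" (or that `git rev-parse HEAD` equals `git rev-parse origin/<branch>`) before the `claim(` commit is made, and that the claim commit itself is pushed before the verdict is requested.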
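Review bot: the first EXPECT line in the STATUS hunk's `sh` block does not verify what its comment says, because `grep -nE 'systemd\.(services|timers)\.'` matches the attribute prefix regardless of unit name, so it would print the same lines (and "pass") if the file regressed to `docker-prune`; note also that `docker-prune` is a substring of `ci-docker-prune`, so a looser grep for the name cannot distinguish the two either. Suggest anchoring the pattern on the full unit name, e.g. `grep -nE 'systemd\.(services|timers)\.ci-docker-prune' nix/modules/docker-prune.nix`, and treating an empty result as the failure condition. Two smaller points in the same block: `git log --oneline -1 -- nix/modules/docker-prune.nix # EXPECT: b9bbd25` goes stale the moment any later commit touches that file, so it is a point-in-time check and should be labelled as one; and `ssh cc-ci 'systemctl is-active ci-docker-prune.timer'` confirms host state only, so the "(matches a from-git rebuild)" parenthetical would be better backed by a check that compares a build of the committed tree against what the host currently runs rather than by the host alone.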