journal(1b): push-webhook diagnostic — inbound gateway delivery not reaching Drone (operator/gateway, §9); recipe-CI polling unaffected

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

JOURNAL-1b.md

@@ -133,3 +133,19 @@ Net: RL1 PASS, RL2 clean, RL4 docs landed (README lint section + architecture.md
 RL5 done + healthy, running==build==`8i3jcad9`. Remaining for DONE: **RL3** (Adversary cold D1–D10
 re-verify, now also covering the RL5 byte-identical rebuild) and **RL6** (coordinated machine-docs/
 move — LAST, with orchestrator lockstep). Claiming the RL3 gate.
+
+## 2026-05-27 — push-webhook diagnostic (the RL1 "future commits stay clean" advisory)
+
+Timeboxed root-cause on why pushes don't auto-create a Drone lint build. Fired Gitea's webhook test
+for the Drone hook (211) while tailing the Drone server logs:
+- `POST /repos/recipe-maintainers/cc-ci/hooks/211/tests` → Gitea returns **204** (accepted).
+- `docker service logs --since 20s drone_…_app` → **NOTHING** — no inbound request logged at all.
+
+So the delivery `git.autonomic.zone (Gitea) → drone.ci.commoninternet.net (public gateway) → cc-ci`
+isn't reaching Drone. This is a **gateway/network reachability** condition, NOT a Drone-side config
+I can fix — and per §9 the gateway is operator-managed (not ours to reconfigure). Leaving it as the
+documented pre-existing advisory (hook `last_status: None`, §4.1). Impact is limited to cc-ci's OWN
+self-test/lint pipeline auto-firing; **recipe-CI triggering is unaffected** — the comment-bridge
+polls Gitea *outbound* (cc-ci → git.autonomic.zone, the reliable direction), which is the plan's
+primary trigger (§4.1). The lint stage is wired + proven green via its exact command; manual/API
+Drone builds work. Not expanding scope to re-engineer the inbound path (bounded pass).