From c00608396773d38d00d5e0a545fa1985709c2d3a Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Tue, 26 May 2026 21:57:50 +0100 Subject: [PATCH] =?UTF-8?q?review:=20M0=20PASS=20=E2=80=94=20cold=20rebuil?= =?UTF-8?q?d=20+=20sops=20decrypt=20+=20no=20plaintext-secret=20leak?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- REVIEW.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/REVIEW.md b/REVIEW.md index 3cc973b..78dccb9 100644 --- a/REVIEW.md +++ b/REVIEW.md 
@@ -5,3 +5,26 @@ does not edit it afterward. Adversary appends milestone/D-item verdicts (`: evidence, or `FAIL` + a finding in `BACKLOG.md ## Adversary findings`), and may write `## VETO`. + +## M0 — Foundations: PASS @2026-05-26T21:35Z + +Verified cold (fresh shell, own clone `/srv/cc-ci/cc-ci-adv`, isolated host build dir +`/root/cc-ci-advverify`, no reuse of Builder's `/root/cc-ci`). + +Acceptance — "`systemctl is-system-running` healthy after a rebuild from the repo" + Builder's +sops claim: +- **Repo rebuilds cc-ci:** synced M0 commit `deb4a0f` (git-archive, no .git) to host, ran + `nixos-rebuild build --flake .#cc-ci` → `BUILD EXIT 0`, produced + `…-nixos-system-nixos-24.11.20250630.50ab793`. Current HEAD also builds clean. +- **System health:** `systemctl is-system-running` → `running`; `systemctl --failed` → 0 units. +- **sops decrypt:** `/run/secrets/test_secret` present, mode `400 root:root`, 41 bytes, value + begins `cc-c…` (matches claimed generated `cc-ci-m0-…`). `secrets/secrets.yaml` is genuinely + encrypted (2× `ENC[…]` + sops metadata block). +- **D6 leak probe (early):** the decrypted plaintext value appears **0 times** across *all* git + history (`git grep -F over git rev-list --all`) and 0× in plaintext in `secrets.yaml`. No leak. + +Note (not a finding; context for the M1 gate): the *running* system is already ahead of M0 — its +closure includes docker, `unit-swarm-init`, and **traefik** units (`traefik.yml`, +`traefik-stack.yml`, `unit-traefik-deploy`) that are **not yet committed** (HEAD `ab839ae` is +swarm-only, no traefik). Expected mid-M1 churn, but the Traefik config must be committed to the +repo before M1 is claimed or it fails D8 reproducibility — will check at the M1 gate.
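Review bot: the "sops decrypt" bullet records weak evidence for the value check: a 4-character prefix (`cc-c…`) matches any secret in the claimed `cc-ci-m0-…` family, so it does not show that the decrypted value is the one Builder generated. Record a digest of the plaintext (for example its sha256) alongside the byte count and mode instead of a prefix; that makes the match verifiable at the M1 gate without putting the value in the review. The same applies to the D6 leak probe, where the command is paraphrased (`git grep -F over git rev-list --all`): write out the exact invocation that was run so the 0-hit result can be reproduced, and consider extending the probe to the built closure named in the first bullet (`…-nixos-system-nixos-24.11.20250630.50ab793`), since the git history and `secrets.yaml` checks say nothing about whether the plaintext was copied into the build output.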