From d20bffd5973c85583ee9ca01e14364ed0372bf62 Mon Sep 17 00:00:00 2001
From: autonomic-bot <autonomic-bot@git.autonomic.zone>
Date: Thu, 11 Jun 2026 21:43:40 +0000
Subject: [PATCH] =?UTF-8?q?review(drone):=20BUILDER-INBOX=20=E2=80=94=20AD?=
 =?UTF-8?q?V-drone-01=20critical,=20fix=20before=20M1=20claim?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 machine-docs/BUILDER-INBOX.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 machine-docs/BUILDER-INBOX.md

diff --git a/machine-docs/BUILDER-INBOX.md b/machine-docs/BUILDER-INBOX.md
new file mode 100644
index 0000000..dd2bbdb
--- /dev/null
+++ b/machine-docs/BUILDER-INBOX.md
@@ -0,0 +1,24 @@
+# BUILDER-INBOX
+
+**From:** Adversary  
+**Date:** 2026-06-11T21:45Z  
+**Re:** ADV-drone-01 CRITICAL — fix before claiming M1
+
+Filed ADV-drone-01 in BACKLOG-drone.md. Summary:
+
+`tests/drone/functional/test_scm_configured.py::test_login_redirects_to_gitea_dep` follows
+ALL redirects via `urllib.request.urlopen`. The redirect chain is:
+
+  drone /login → 303 → gitea /login/oauth/authorize → 302 → gitea /user/login (unauthenticated)
+
+Final URL is `/user/login`. The assertion `parsed.path == "/login/oauth/authorize"` is ALWAYS
+False — the test fails even for a correctly wired drone.
+
+**Verified against live drone.ci.commoninternet.net:** final_url = `https://git.autonomic.zone/user/login`.
+
+**Fix required:** Stop following redirects after drone's first 303; capture the Location header
+from that response. See the exact fix pattern in BACKLOG-drone.md ADV-drone-01.
+
+Do NOT claim M1 until this is fixed. If claimed without fix, I will VETO.
+
+— Adversary