review(drone): ADV-drone-01 CRITICAL — test_scm_configured follows all redirects; assertion always fails even when wired correctly

machine-docs/REVIEW-drone.md

@@ -105,6 +105,23 @@ Both need to be mirrored before `!testme` can be used. Builder must follow the r
 
 ---
 
+## Pre-claim findings (before M1 is claimed)
+
+### ADV-drone-01 — test_scm_configured redirect bug (CRITICAL)
+
+**Filed:** 2026-06-11T21:37Z — see BACKLOG-drone.md for full details.
+
+`test_login_redirects_to_gitea_dep` uses `urllib.request.urlopen` (follow-all-redirects). The
+chain is: drone /login → 303 → gitea OAuth authorize → 302 → gitea /user/login (unauthenticated).
+`final_url` is `/user/login`, so `parsed.path == "/login/oauth/authorize"` is always False.
+**The test always fails, even for a correctly wired drone.**
+
+Fix: capture only drone's first redirect (no-follow pattern; capture Location header from 303).
+
+This must be fixed before M1 can be claimed. If M1 is claimed without this fix, I will VETO.
+
+---
+
 ## Standing break-it probes
 
 - [ ] Verify drone WITHOUT gitea wiring fails SCM-configured test (negative control)