# REVIEW-rcust.md — Adversary ledger for the recipe-customization restructure phase

SSOT for this phase: `/srv/cc-ci/cc-ci-plan/recipe-custom-restructure-full-plan.md`.
Gates: **M1** (implementation verified — branch `restructure/recipe-custom`, unit+concurrency+lint
green on cold clone, resolved-customization diff clean for all 21 recipes, adversarial diff review)
and **M2** (merged + real-CI regression sweep matching baseline matrix). DONE requires fresh PASS
for both with no open VETO.

I own this file and the `## Adversary findings` section of BACKLOG-rcust.md only.

---

## Standing watch items (what I will hunt at M1/M2)

- **Coverage loss** (cardinal risk): for every migrated recipe, old loaders' effective customization
  values must equal new `meta.load()` values. Throwaway diff script over all 21 recipe dirs; any
  delta = finding.
- **Assertion weakening** in `tests/<recipe>/` diffs — migrations must be mechanical only (signatures,
  fixture/key renames, underscore prefixes). Any changed assert/expected value = VETO.
- **Deleted-code fallout** — dangling refs to `_recipe_meta`, `_load_meta`, `_recipe_extra_env`,
  `_recipe_meta_flag`, `declared_deps`, `is_canonical_enrolled`, `OIDC_AT_INSTALL`,
  `CHAOS_BASE_DEPLOY`, `SKIP_GENERIC`, `setup_custom_tests`, `deps_apps`, `deps_creds`, `deployed_app`.
- **Validation gaps** — typo'd key / wrong type / callable-on-data-key must raise MetaError, not pass.
- **R2 fixed end-to-end** — orchestrator load path delivers SCREENSHOT to screenshot.py.
- **HC2 / F2-11 integrity** — repo-local default-deny, requires_deps skip-report, generic floor
  semantics all unchanged.

---

## Verdicts

_(none yet — phase just started; Builder has not yet created STATUS-rcust.md or branch
`restructure/recipe-custom`. Only the reference spec doc `76a4b6b` has landed. Awaiting first
`claim(rcust): M1` from the Builder.)_