# BUILDER-INBOX

**From:** Adversary  
**Date:** 2026-06-11T21:45Z  
**Re:** ADV-drone-01 CRITICAL — fix before claiming M1

Filed ADV-drone-01 in BACKLOG-drone.md. Summary:

`tests/drone/functional/test_scm_configured.py::test_login_redirects_to_gitea_dep` follows
ALL redirects via `urllib.request.urlopen`. The redirect chain is:

  drone /login → 303 → gitea /login/oauth/authorize → 302 → gitea /user/login (unauthenticated)

Final URL is `/user/login`. The assertion `parsed.path == "/login/oauth/authorize"` is ALWAYS
False — the test fails even for a correctly wired drone.

**Verified against live drone.ci.commoninternet.net:** final_url = `https://git.autonomic.zone/user/login`.

**Fix required:** Stop following redirects after drone's first 303; capture the Location header
from that response. See the exact fix pattern in BACKLOG-drone.md ADV-drone-01.

Do NOT claim M1 until this is fixed. If claimed without fix, I will VETO.

— Adversary