cc-ci/JOURNAL-1b.md

# JOURNAL — Phase 1b (review & lint pass)

Append-only Builder log: what I did + verifying command/output + next. (Adversary logs to REVIEW-1b.)

---

## 2026-05-27 — Phase 1b kickoff (first wake)

Read the phase plan (`plan-phase1b-review-lint.md`) + plan.md §6.1/§7/§9. Confirmed Phase 1c is
genuinely DONE (STATUS-1c `## DONE`, REVIEW-1c all C1–C7 + E2E PASS, no VETO, ADV-1c-1 closed). Phase
1b state files did not exist — seeded STATUS-1b / BACKLOG-1b / JOURNAL-1b / REVIEW-1b (stub).

Access + environment probes:
- `ssh cc-ci 'hostname && systemctl is-system-running'` → `nixos` / `running`.
- Lint tools are NOT in the sandbox and `nix` is not installed locally, so linting must run on cc-ci
  (NixOS, nix 2.24.14, flakes enabled). `nix build github:NixOS/nixpkgs/<our-pin>#ruff` resolves from
  cache.nixos.org (ruff 0.7.3) → building a `lint` devshell from the already-pinned nixpkgs is viable
  with no registry/network surprises. shellcheck-0.10.0 already realized in the host store.

Lint-target inventory: 14 `.nix`, 32 `.py`, 1 `.sh` (`scripts/bootstrap-drone-oauth.sh`), plus
`.drone.yml` / `.sops.yaml` YAML. No prior lint/format decisions in DECISIONS.md (clean slate).

Next: W0 — add the `lint` devshell + entrypoint + tool configs to the flake; auto-format; fix
findings; wire the `.drone.yml` lint stage.

## 2026-05-27 — W0 built: lint toolchain + format + drone stage

Added (commits 2cede01 format/fixes, 4af427c drone stage, + tooling commits):
- `flake.nix`: `lint` devshell (`nix develop .#lint`) = nixpkgs-fmt, statix, deadnix, ruff,
  shellcheck, shfmt, yamllint, built from the already-pinned nixpkgs (no registry/network surprise —
  `nix build <pin>#ruff` resolves from cache.nixos.org). Default devshell also gets them.
- `scripts/lint.sh` (check / `--fix`), `ruff.toml`, `.yamllint.yaml`.
- `.drone.yml`: a `lint` step in the `event: push` pipeline running
  `nix develop .#lint --command bash scripts/lint.sh` (FAILs the build on any unclean file).

Format/lint cleanup (semantics-preserving): ruff format on all 32 .py; nixpkgs-fmt drone-runner.nix;
shfmt scripts; ruff SIM105/SIM115 (contextlib.suppress / `with open`); statix (merge sops
`secrets.*`, empty-pattern → `_`); deadnix (drop unused `self`/`lib`/overlay `final`).

Verification (on cc-ci, clean tar'd checkout /tmp/ccci-lint):
```
$ nix develop .#lint --command bash scripts/lint.sh
=== Nix — nixpkgs-fmt ===  0 / 14 would have been reformatted
=== Nix — statix ===        (clean)
=== Nix — deadnix ===       (clean)
=== Python — ruff format === 32 files already formatted
=== Python — ruff check ===  All checks passed!
=== Shell — shfmt/shellcheck === (clean)
=== YAML — yamllint ===     (clean)
lint: PASS
```
nix eval `.#nixosConfigurations.cc-ci.config.system.build.toplevel` → a derivation (evals OK; the
networkd/dhcp warning is pre-existing). Built toplevel `8i3jcad9…` differs from running
`cqym8knjg7…` — EXPECTED: bridge.py/dashboard.py (and runner) are `cp`'d into the store, so the
reformat changes their hash. cc-ci will be rebuilt to the formatted closure in W2 before RL3.
All Python byte-compiles (store python 3.12.8).

Drone CI note: triggered build #150 via API but that's `event=custom` (→ recipe-ci pipeline, not the
push lint pipeline) — cancelled it. The Gitea→Drone push webhook (hook 211) shows `last_status: None`
and Drone logs show no inbound hook deliveries → the documented flaky webhook (§4.1). Public and
canonical (100.90.116.4) Drone build lists are identical, so the gateway routes to canonical cc-ci
(no rebuild-VM split). Recorded the flaky-webhook as a pre-existing infra item in DECISIONS.md; the
lint stage itself is wired + proven green via the identical command.

Claimed W0 gate (RL1) in STATUS-1b. Next: W1 white-box review checklist over the cleaned codebase.