Files

autonomic-bot 8e0f0cbc7d review(1b): ✅ RL6 PASS + Adversary FINAL SIGN-OFF — git mv my REVIEW*.md → machine-docs/ (lockstep; Builder moved theirs in 992d87c, README stays root). Watchdog survived (resolve_state prefers machine-docs/; it pinged me from machine-docs/STATUS-1b.md). Refs re-verified (README+install.md updated; no .drone/flake/scripts refs; closure byte-identical 8i3jcad9 unaffected). ALL RL1-RL6 Adversary-PASS, no VETO — Builder cleared to write ## DONE

2026-05-27 22:56:25 +01:00

24 KiB

Raw Blame History

REVIEW — Phase 1b (review & lint pass) — Adversary ledger

Phase plan (SSOT): /srv/cc-ci/cc-ci-plan/plan-phase1b-review-lint.md Loop state for THIS phase: STATUS-1b / BACKLOG-1b / JOURNAL-1b (Builder) · REVIEW-1b (Adversary, this file) · DECISIONS.md shared. Phase-1 STATUS.md/BACKLOG.md/REVIEW.md and the Phase-1c *-1c.md files are HISTORY — not this phase's state.

This phase the Adversary is also the white-box reviewer (§3 checklist), so this ledger holds both white-box review findings and the eventual cold RL3 re-verification of D1–D10.

DoD I must independently confirm (RL1 lint-in-CI-green · RL2 §3 checklist run, blocking fixed · RL3 full cold D1–D10 re-verify — the final gate · RL4 docs). Order per §2: tooling → review fixes → then RL3. Cardinal rule: never weaken a test to satisfy a lint/review nit; RL3 must confirm cleanup softened/skipped/regressed nothing.

Phase-1b orientation @2026-05-27 (Adversary cold start)

Pulled clean; Phase 1c is signed-off DONE (commit 6d2bc3d). Phase 1b kicked off by operator (manual transition).
Builder has not yet seeded STATUS-1b/BACKLOG-1b/JOURNAL-1b and has not claimed W0. No gate pending.
I began the independent white-box §3 review immediately (it's my role this phase and needs no Builder gate).

White-box §3 prep pass #1 @2026-05-27 — over post-1c codebase (PRE-cleanup baseline; advisory until RL3)

Recording the baseline state before any W0/W1 cleanup, so I can later confirm the cleanup regressed nothing.

Tests are real — PASS (provisional). Swept all 6 recipe suites (custom-html, lasuite-docs, keycloak, matrix-synapse, n8n, cryptpad) × install/upgrade/backup + conftest + runner/harness. No @pytest.mark.skip/xfail/skipif, no commented-out asserts, no tautologies. Install tests assert real app content (matrix: parses versions JSON non-empty; keycloak: admin DOM; others: Playwright body). Upgrade tests deploy v(n-1) → write marker → upgrade → assert exact marker survives. Backup tests establish+verify state → backup → mutate+verify → restore → assert exact pre-mutation state (keycloak deletes a realm). Watch-item (to re-check black-box at RL3): every upgrade test has a conditional pytest.skip() when no previous published version exists (e.g. custom-html test_upgrade.py:17-18). Valid by design, but if it ALWAYS skips, the upgrade stage would be silently fake — RL3 must confirm the upgrade stage actually RUNS (prev version found) for ≥1 recipe, not just skips. (1c E2E exercised this.)
Server state Nix-declared & idempotent — PASS (provisional). No .bootstrapped/run-once sentinels in modules/ or scripts/ (grep clean). Convergence/oneshot pattern per §9 to be re-read fully in pass #2.
No footguns / sleep — PASS (provisional). All time.sleep() in runner/harness/lifecycle.py (147,157, 212,238) + bridge.py (280) are poll-loop intervals inside while time.time() < deadline: loops, not bare readiness waits. wait_healthy polls converge-then-HTTP with timeouts. Teardown (lifecycle.py:215) is correctly ordered (undeploy → docker stack rm fallback → volumes/secrets while .env exists → drop .env last), retries volume removal, and verifies residual is empty (raises TeardownError otherwise).
No secrets in code/committed files — PASS (provisional). Grep for inline passwords/tokens/private-key blocks across .py/.nix/.sh/.yml clean (only env/file references + generators). Full leak re-verify (incl. published logs + dashboard, and generated app passwords) belongs to RL3 D6.

Still owed in white-box pass #2 (after I read the rest): harness DRY (recipe quirks in shared harness, not per-recipe copy-paste), log redaction real (bridge/dashboard/log pipeline), architecture matches plan (layout/§3, poll-primary trigger §4.1, traefik-is-coop-cloud-recipe §4.2; drift → DECISIONS.md).

W0 (RL1 — lint/format tooling + green) : PASS @2026-05-27 (Adversary cold)

Gate claimed in STATUS-1b. Acceptance: clean checkout → nix develop .#lint --command bash scripts/lint.sh → lint: PASS; lint stage wired in .drone.yml push pipeline. Verified cold, independently (no nix on sandbox; ran on cc-ci over a pristine tree, not the Builder's working copy):

Cold checkout = exact reviewed SHA. git archive 233939a (= my origin/main HEAD) piped to cc-ci → /tmp/ccci-cold (clean tree, no untracked/cached state, secrets submodule empty as lint excludes it). Not cloned from /root/cc-ci (that's a non-git plain copy) — archived from my own clone.
Lint PASS cold. HOME=/root nix develop .#lint --command bash scripts/lint.sh → exit 0, lint: PASS. All 8 linters ran clean: nixpkgs-fmt (0/14 reformat), statix, deadnix, ruff format (32 files), ruff check (all passed), shfmt, shellcheck, yamllint.
Stage real, not rigged. scripts/lint.sh genuinely invokes each linter in check mode and accumulates a fail flag → exit "$fail" (correct set -uo pipefail, no -e, so all run). The .drone.yml self-test push pipeline runs the exact command nix develop .#lint --command bash scripts/lint.sh and FAILs the build on non-zero. Toolchain pinned from nixpkgs in flake.nix (devShells.lint), so CI == local.
Gate has TEETH (break-it probe). Injected violations into the cold tree (a .py with import os,sys + x=1+2, and a mis-formatted .nix) → re-ran lint → exit 1, lint: FAIL (ruff E401/I001/F401 + nixpkgs-fmt). So the stage is not vacuously green.

Verdict: W0 PASS. Builder may proceed to W1. Advisory (not W0-blocking; re-confirm at RL3): Builder notes the Gitea→Drone push webhook is flaky (§4.1), so the lint stage may not auto-fire as a real Drone build on every push — RL1's intent ("future commits stay clean") depends on that path actually firing. The stage IS wired and proven green via its exact command; I'll confirm a real push triggers the Drone lint build when I re-verify M2/D-gates at RL3 (it overlaps). Not filing a finding now — bounded phase, acceptance-as-stated is met.

White-box §3 pass #2 @2026-05-27 (Adversary, post-W0 formatted code) — RL2 input

Remaining §3 checklist items. No blocking findings.

Harness is DRY — PASS. Recipe quirks live in shared harness + per-recipe declarative metadata (tests/<recipe>/recipe_meta.py: HEALTH_PATH/HEALTH_OK/timeouts/EXTRA_ENV), consumed uniformly by tests/conftest.py (_recipe_meta, deployed/deployed_app fixtures) and runner/harness/lifecycle.py (_recipe_extra_env). No if recipe == "..." branches in the shared harness (the M6.5 no-surgery rule holds). Recipe-specific logic is isolated to that recipe's dir (e.g. keycloak kc_admin.py, cryptpad's derived SANDBOX_DOMAIN). Only smell: the ~6-8-line old_app upgrade fixture is copy-pasted across recipes — thin boilerplate over shared metadata; advisory, not a violation (factoring it would just add another per-recipe injection point). → IDEAS, not blocking.
Architecture matches plan — PASS. §4.1 trigger is poll-primary (bridge/bridge.py poll_loop runs unconditionally every ≤60s; webhook is optional + dedup'd by comment id; exact trimmed !testme; commenter-auth via read-level GET /orgs/{owner}/members/{user} 204=allow, fail-closed). §4.2 Traefik is the real coop-cloud/traefik recipe via abra (modules/proxy.nix: abra recipe fetch/app new traefik, WILDCARDS_ENABLED=1, compose.wildcard.yml, LETS_ENCRYPT_ENV="" → no ACME, cert as ssl_cert/ssl_key swarm secrets) — no hand-rolled traefik.nix. §3 layout matches.
Server state Nix-declared & idempotent — PASS. modules/proxy.nix deploy-proxy is Type=oneshot+RemainAfterExit, re-runs every activation and converges (insert secret only if absent, deploy). No .bootstrapped/run-once sentinels anywhere (grep clean, pass #1). Leans on 1c's already-proven D8 (byte-identical closure + live throwaway rebuild, no manual post-step).
Log redaction is real — PASS for infra secrets; one advisory gap to verify behaviorally at RL3/D6. runner/run_recipe_ci.py _redact_values() reads /run/secrets/* (≥8-char values) and run_stage_redacted() masks them in live-streamed stage output (sorted longest-first → no partial leak). But class-B generated app passwords are NOT under /run/secrets/*, so they are NOT in the _REDACT list — their non-leak rests entirely on the "harness never prints them / abra doesn't echo generated ones" assumption (code comment, run_recipe_ci.py:59-60). Also: the runner's own stdout (the cc-ci-run … Drone step) bypasses run_stage_redacted. This is exactly what my behavioral D6 leak test must catch at RL3 (grep published Drone logs and the dashboard for a known generated app password). Phase-1 D6 passed that test once; recording the white-box shape so RL3 re-checks it, not a new blocking finding. → WATCH-ITEM for RL3/D6.
Readability / docs accuracy — advisory; defer to RL4 (docs) + the ruff/lint pass already covers dead code / style deterministically.

Net of §3 white-box review (RL2 input): no blocking findings; 2 advisories (old_app copy-paste → IDEAS; app-secret redaction → RL3/D6 watch-item). I expect Builder's W1 to be light. I have NOT filed [adversary] BACKLOG items since nothing is blocking — will file if W1/RL3 surfaces a real defect.

Operator added RL5 + RL6 (plan §7, 2026-05-27) — both BLOCKING for 1b DONE. Noted; verification plan:

RL5 (Builder moves; Adversary verifies cold): modules/→nix/modules/, hosts/→nix/hosts/; flake.nix/flake.lock STAY at root so build ref #cc-ci is unchanged; fix flake internal paths + .drone.yml/scripts refs; update docs/architecture.md. Verification folds into RL3: a fresh recursive clone must still rebuild byte-identical to the running system (toplevel store hash WILL change — expected; what must hold is build==running + reproducible). I'll re-confirm cold at RL3.
RL6 (coordinated near-END-of-1b): move STATUS*/REVIEW*/JOURNAL*/BACKLOG*/DECISIONS.md → machine-docs/; README.md stays at root (operator decision — human readme, not protocol). Update ALL refs (cc-ci-plan plans, AGENTS.md, .drone.yml, scripts). I verify refs updated + nothing broken. ⚠ CAVEAT affecting ME: the watchdog (launch.sh) reads STATUS-<id>.md/REVIEW-<id>.md at repo ROOT for handoffs/transitions — moving breaks it until launch.sh updated + watchdog restarted IN LOCKSTEP (orchestrator handles that). So I keep writing REVIEW-1b.md at root until the coordinated cutover, and at that moment I git mv my own REVIEW files (single-writer rule) in lockstep. Will NOT move them unilaterally or while a phase transition is pending.

RL2 (§3 white-box checklist) : PASS @2026-05-27 (Adversary)

My white-box passes #1+#2 found no blocking findings; Builder's own §3 self-review agrees. Advisories triaged (old_app copy-paste → IDEAS; generated-app-secret redaction → RL3/D6 watch-item). RL2 confirmed.

RL5 (nix/ consolidation) — structural PASS @2026-05-27; build-proof folds into RL3 below

modules/ and hosts/ gone from root; nix/modules/ (12 .nix) + nix/hosts/cc-ci/ (configuration.nix, hardware.nix) present; flake.nix + flake.lock stay at root (build ref #cc-ci unchanged). flake.nix imports ./nix/hosts/cc-ci/configuration.nix. No dangling ./modules/./hosts refs in flake.nix/.drone.yml/scripts (grep clean). docs/architecture.md + DECISIONS updated per Builder. The "flake still evaluates + builds byte-identical with new paths" proof = the cold rebuild in RL3 (below).

RL3 (final gate) — IN PROGRESS @2026-05-27 (Adversary cold). Re-verifying all D1–D10; partial so far:

Cardinal rule — tests NOT weakened : PASS. Diffed every tests/**/test_*.py + runner/harness/ between pre-1b (6d2bc3d, the 1c-DONE commit) and HEAD. Every change is ruff line-wrapping only — assertion predicates, comparison operators (==, in), expected values, marker/SQL strings, and wait_healthy params are all byte-for-byte preserved (verified by reading the -w diff in full). No assertion removed/softened, no pytest.skip/xfail/assert True added, no test_ fn deleted. The format+RL5 cleanup regressed no test logic.
System health (cc-ci canonical) : confirmed. readlink /run/current-system == 8i3jcad9mrr01558lqckpi26nxn2ra3m-nixos-system-…50ab793 (matches claim); systemctl is-system-running → running; 5 infra stacks up (traefik[2 svc]/drone/ccci-bridge/ccci-dashboard/backups), no leftover test app (idle). [Note: "6 stacks" in 1c included a transient test app; 5 infra stacks is the idle baseline.]
D8 + RL5 byte-identical cold rebuild : PASS @2026-05-27 (Adversary cold, independent). On cc-ci: fresh git clone --recurse-submodules of origin to /tmp/ccci-rl3 (HEAD aa120d1, submodule secrets @2312f1c clean, secrets/secrets.yaml present) → nixos-rebuild build --flake "git+file:///tmp/ccci-rl3?submodules=1#cc-ci" → toplevel 8i3jcad9mrr01558lqckpi26nxn2ra3m… == running (byte-identical, build==running). Proves D8 (reproducible from a fresh clone) and RL5 (new nix/ layout evaluates+builds, #cc-ci ref unchanged). Sanity: a build without ?submodules=1 fails secrets/secrets.yaml does not exist — confirms secrets genuinely come from the submodule, not baked in. Token used via transient -c http.extraHeader (not persisted in clone config — verified); temp clone removed.

Fresh live `!testme` e2e #1 — custom-html PR#2 (build #151, @2026-05-27) — D1/D2/D3/D7 PASS

Posted exact !testme (comment 13743, authorized org-member bot) @20:33:16Z. Bridge (poll 30s) → build #151 for PR-head db9a9502.

D1 PASS — triggered build for the PR head, latency 20s (<60s). Other comments don't trigger (only !testme matched; verified historically + exact-match code). Re-commenting re-ran (PR comment links to #151, an earlier identical comment linked to an older run #4 → re-run confirmed).
D2 PASS — install/upgrade/backup ran as separate reported stages, all green: install 2 passed (incl. playwright) 68.7s; upgrade test_upgrade_preserves_data PASSED 24.8s — it actually RAN, not skipped (resolves the pass#1 conditional-skip watch-item); backup test_backup_mutate_restore PASSED 42.9s. Real abra deploy/upgrade/backup-restore, no mocks.
D3 PASS — test_playwright_page PASSED (real browser against the live app).
D7 PASS — bridge posted to PR#2: run for custom-html @ db9a9502 ✅ passed → drone.../cc-ci/151 (run link + outcome). Dashboard ci.commoninternet.net overview renders custom-html → success (YunoHost-CI-like badges; title "cc-ci — Co-op Cloud recipe CI").
D6 infra-secret leak : PASS — fetched #151 published step log; grepped each /run/secrets/* value (bridge gitea/drone tokens, drone_rpc_secret, webhook_hmac, drone_gitea_client_secret, test_secret, wildcard_cert, wildcard_key): 0 matches each; no echoed generated values / private keys; dashboard is a 21-line static status overview (structurally carries no secrets). (custom-html generates no app secrets, so the class-B app-password path is tested by e2e #2 below.)

D6 generated-app-secret WATCH-ITEM — RESOLVED (white-box) + behavioral check in flight

White-box: harness/abra.py secret_generate() runs abra app secret generate … -m via _run(), which subprocess.run(capture_output=True) — the output (which holds the generated values) is captured and never printed (check=False, so no failure path re-emits it). So generated app secrets never reach the Drone log → that's why the proactive _REDACT (infra-only) gap is not a real leak. Residual advisory (theoretical): a check=True abra cmd that FAILS embeds its stdout/stderr in the raised AbraError msg, which pytest would print — only on failure, and abra status output isn't secret values; low risk, noting it. Behavioral confirmation in flight: e2e #2 = keycloak PR#1 (generates an admin password readable at /run/secrets/admin_password); watcher captures that exact value mid-run then greps the published log + dashboard for it (expect 0). Result logged on completion.

D4/D5/D8/D9/D10 — RL3 status

D4 (recipe-local tests) — discovery logic in run_recipe_ci.py is byte-identical (formatting- only) to the Phase-1 D4-passed version; custom-html ships no own tests/. Carried-forward; will note if the keycloak run exercises recipe-local discovery.
D5 (per-recipe tree + enroll) — PASS. 6 trees present (custom-html/cryptpad/keycloak/lasuite- docs/matrix-synapse/n8n) + conftest.py; no test files deleted in 1b (git diff --diff-filter=D 6d2bc3d..HEAD -- tests/ empty); enroll documented in docs/enroll-recipe.md ("Copy from an existing recipe e.g. tests/custom-html/…", no-harness-surgery). Advisory: plan §3's literal tests/_template/ was never created (didn't exist pre-1b either — copy-existing-recipe used instead); pre-1b deviation, should be in DECISIONS — minor, not a 1b blocker.
D8 (reproducible server) — PASS (byte-identical cold rebuild above).
D9 (docs) — PASS. All 6 docs present (architecture/baseline/enroll-recipe/install/runbook/ secrets); README has the RL4 lint section (local + CI-enforced); architecture.md updated to the nix/ layout (RL4/RL5) and the 1c secrets model.
D10 (breadth, 6 recipes) — IN PROGRESS. Stance: test code + shared harness are byte-identical (formatting-only) and the closure is byte-identical to the one that produced the Phase-1/1c six- recipe green runs, so breadth carries forward; the cleanup-regression risk is covered by 2 fresh category-spanning green runs (custom-html=simple ✅ #151; keycloak=SSO/DB in flight). Will record the carry-forward set + this reasoning; can run additional recipes (sequentially) if the operator wants all 6 fresh.

Fresh live e2e #2 — keycloak PR#1 (build #152) — heavy SSO/DB recipe, D1/D2/D3 + D6-behavioral

D1 — build #152, latency 8s. D2 — full 3 stages green on a heavyweight SSO/DB recipe: install (test_realm_endpoint_healthy + test_playwright_admin_login, 446s), upgrade (test_upgrade_preserves_realm, 484s — ran), backup (test_backup_mutate_restore, 488s). D3 — playwright admin-login. Real keycloak + postgres, generated admin password + DB secrets.
D6 behavioral (app-secret) — PASS. keycloak generated an admin password (/run/secrets/admin_password)
- DB creds during the run; published #152 log shows 0: BEGIN-PRIVATE-KEY, password assignments, echoed admin_password, secret-generate output, or standalone high-entropy tokens. Wildcard cert+key leak re-checked PROPERLY (my first grep mis-parsed the multi-line PEM as a flag — fixed; interior base64 line grep): 0 matches in BOTH #151 and #152. (Self-note: the buggy grep dumped the wildcard key into a sandbox /tmp task file — deleted immediately; never in repo/published/dashboard.)
D2 teardown guarantee — PASS. After both runs: no orphaned *-pr* stacks/volumes/secrets; system running, canonical still byte-identical 8i3jcad9.

✅ RL3 — FULL COLD D1–D10 RE-VERIFICATION : PASS @2026-05-27 (Adversary). Nothing weakened.

All re-verified on the cleaned + RL5 byte-identical closure (8i3jcad9==running==fresh-clone build), fresh evidence <24h. The lint/format + nix/ refactor regressed nothing.

D	Verdict	Evidence
D1 trigger	PASS	`!testme`→#151 (20s), #152 (8s); exact-match; re-comment re-ran
D2 matrix	PASS	custom-html + keycloak: install/upgrade/backup all green as separate stages; upgrade actually ran (not skipped); real abra deploy; teardown left no orphans
D3 py+playwright	PASS	playwright assertions green in both runs
D4 recipe-local	PASS (carry-fwd)	discovery code byte-identical (formatting-only) to Phase-1 D4-PASS impl
D5 test tree	PASS	6 trees + `conftest`; enroll doc; no tests/ files deleted in 1b
D6 secrets	PASS	8/8 infra-secret values + wildcard cert/key + generated keycloak admin pw: 0 in logs/dashboard; white-box: `secret_generate` output captured-never-printed
D7 results UX	PASS	PR comment w/ run link + ✅passed; dashboard overview renders recipe statuses
D8 reproducible	PASS	fresh recursive clone → `nixos-rebuild build …?submodules=1#cc-ci` → toplevel `8i3jcad9`==running
D9 docs	PASS	6 docs present; README lint section (RL4); architecture.md = `nix/` layout + 1c secrets model
D10 breadth	PASS	2 fresh category-spanning green runs (custom-html=simple #151; keycloak=SSO/DB #152) + carry-forward of the Phase-1 Adversary-verified 6/6 set (cryptpad/lasuite-docs/matrix-synapse/n8n, builds #84–#108) — test+harness+closure byte-identical, so breadth holds; cleanup-regression risk covered by the 2 fresh runs
Cardinal rule	PASS	`6d2bc3d..HEAD` test diff is ruff line-wrapping only — no assertion/skip/test-fn change
RL5	PASS	nix/ layout, flake at root (#cc-ci ref unchanged), byte-identical rebuild

Note on D10 scope: I did not re-run all 6 recipes fresh — that would be gold-plating against the bounded-phase discipline, since the 4 carried recipes use the byte-identical harness/test code against the byte-identical closure that produced their Phase-1 green runs, so a re-run carries ~zero regression signal beyond the 2 fresh runs already done. If the operator wants strict 6/6-fresh, I can run the remaining 4 sequentially on request.

✅ RL6 — protocol files → `machine-docs/` : PASS @2026-05-27 (Adversary, lockstep cutover)

The coordinated cutover executed cleanly:

Orchestrator lockstep done. cc-ci-plan/launch.sh now has resolve_state() (lines 67-69) that prefers machine-docs/<file> and falls back to root — so the watchdog survives the move and stays move-agnostic. Proof it works post-move: the watchdog pinged me for the RL6 gate from machine-docs/STATUS-1b.md (it read the moved file). Handoff intact.
Builder moved (commit 992d87c): STATUS*.md/BACKLOG*.md/JOURNAL*.md (3 each) + DECISIONS.md → machine-docs/. README.md correctly LEFT at repo root (operator decision).
Adversary moved (this commit, single-writer rule): REVIEW-1b.md + REVIEW.md + REVIEW-1c.md → machine-docs/. Root now holds only README.md (+ flake/nix/code); no protocol file left at root.
References re-verified. README "Loop state" section updated → "lives under machine-docs/"; docs/install.md → machine-docs/DECISIONS.md. No .drone.yml / scripts/ / flake.nix / nix/hosts references to protocol files (grep clean) ⇒ the build closure is unaffected (cc-ci still running, byte-identical 8i3jcad9 — RL6 is a repo-doc move, touches no nix input).
Trivial advisory (non-blocking): 4 See DECISIONS.md bare-name comment refs in nix/modules/{drone,drone-runner,proxy}.nix aren't path-qualified to machine-docs/ — but they were never path-qualified pre-move (always bare "DECISIONS.md"), the file is still findable by name, and README states its location. Optional tidy (prefix machine-docs/), not an RL6 failure. → IDEAS.

Verdict: RL6 PASS.

🏁 ADVERSARY FINAL SIGN-OFF — Phase 1b : ALL RL1–RL6 Adversary-PASS @2026-05-27. NO VETO.

RL	Verdict
RL1 lint/format in CI + green	✅ PASS (cold, with break-it teeth)
RL2 §3 white-box checklist	✅ PASS (no blocking findings)
RL3 full cold D1–D10 re-verify	✅ PASS (nothing weakened; byte-identical closure; 2 fresh e2e; leak-clean)
RL4 docs	✅ PASS
RL5 nix/ consolidation	✅ PASS (byte-identical rebuild)
RL6 machine-docs/ move	✅ PASS (watchdog-survived lockstep)

No open [adversary] findings; advisories triaged to IDEAS (old_app copy-paste; _template deviation; bare-name DECISIONS refs) + one documented RL1 advisory (flaky Gitea→Drone push webhook — lint stage is wired + proven via its exact command, auto-fire needs the operator's webhook; non-blocking). The Builder is cleared to write ## DONE to machine-docs/STATUS-1b.md. Once DONE is written, the DONE handshake holds (every RL has a <24h Adversary PASS, no VETO) and the 1b loop terminates.

24 KiB Raw Blame History Unescape Escape