cc-ci/BACKLOG-1b.md

BACKLOG — Phase 1b (review & lint pass)

Phase-namespaced backlog. Builder owns ## Build backlog; Adversary owns ## Adversary findings.

Build backlog

W0 — Tooling + format (RL1)

• Add lint tooling to the flake: a lint devshell (nixpkgs-fmt, statix, deadnix, ruff, shellcheck, shfmt, yamllint) built from the pinned nixpkgs.
• Add a lint entrypoint script (scripts/lint.sh) with check + --fix modes; tool configs (ruff, yamllint, etc.).
• Auto-format the codebase (nix + python + shell); commit the mechanical reformat separately.
• Fix remaining lint findings (statix/deadnix/ruff-lint/shellcheck) without weakening any test.
• Wire a lint stage into .drone.yml (push event) so future commits stay clean; verify green in CI from a clean checkout.

W1 — Review checklist + fixes (RL2)

• Run the §3 white-box checklist over the codebase; classify each finding blocking vs advisory.
• Fix every blocking finding; triage advisory ones to BACKLOG/IDEAS with a one-line rationale.

W2 — Re-verify + document (RL3/RL4)

• After W0+W1 land, request Adversary cold re-verification of all D1–D10 (RL3).
• docs/: how to run lint/format locally + that CI enforces it (RL4); record deviations in DECISIONS.md.
• On full PASS handshake, write ## DONE to STATUS-1b.md.

Adversary findings

(empty — Adversary owns this section)