Release-gate scaffold — retrospective review findings (from PR #2)

[Antawari]

Retrospective code-reviewer pass on PR #2 (merged at 3fcfa06 into v0.1) surfaced 10 findings — 1 ISSUE, 5 CONCERNS, 4 SUGGESTIONS. Additional findings from the PR #4 review appended below. Consumed opportunistically in Wave 2+ PRs per chamberlain directive (door "a").

ISSUE

• docs: add CONTRIBUTING.md #1 tests/e2e/scripts/e2e-runner.sh:23 — anonymous HTTPS git clone will fail against the private fixture repo. Fix: host-clone + bind-mount (no token in box). → BON-359 acceptance. ✅ Closed by PR e2e: host-clone fixture, bind-mount into box (no creds in container) #4 (0df3e36), 2026-04-17.

CONCERNS

• docs(release-gate-tickets): replace drafts with Linear links (BON-421 family) #5 tests/e2e/Dockerfile — image unpinned at three layers (ubuntu:24.04 moves, NodeSource live script, @anthropic-ai/claude-code latest). A gate whose job is reproducibility is not reproducible. → proposed BON-364 "Pin the gate".
• Release-gate scaffold — retrospective review findings (from PR #2) #3 docs/release-gates.md:72 vs verdict.schema.json:90-92 — doc rule docs(release-gate-tickets): replace drafts with Linear links (BON-421 family) #5 says "canonical naming" but schema pr_opened is a bare boolean. Silent drift. → proposed BON-363 "Canonical branch assertion" (add pr_branch_canonical + regex).
• release-gates: scaffold v0.1 gate protocol + E2E box + verdict schema #2 tests/e2e/scripts/e2e-box.sh:36 — --env-file .env forwards every host variable into the box. → BON-358 amendment (forward only ANTHROPIC_API_KEY).
• e2e: host-clone fixture, bind-mount into box (no creds in container) #4 tests/e2e/schemas/verdict.schema.json:19, 115 — missing format: uri on pr_url, pattern on run_id, no example PASS/FAIL docs under tests/e2e/schemas/examples/. → BON-358 amendment.
• revert: PR #5 accidentally merged v0.1 content into main #6 tests/e2e/scripts/e2e-box.sh:50 — brittle inline python3 -c (single-quote path unsafe, silent KeyError on schema rename). → BON-358 amendment.
• bon-335: W3.2 dispatch transfer — execute_with_retry + TierGate + backends #11 tests/e2e/Dockerfile — safe.directory not set; host UID 1000 vs container root will break in-container git ops (git ≥2.35.2 "dubious ownership" refusal). Fix: RUN git config --system --add safe.directory /workspace/target in Dockerfile. Dormant today (runner only does test -d .git); cold-breaks when BON-359 adds real git operations. → BON-359 acceptance. (from PR e2e: host-clone fixture, bind-mount into box (no creds in container) #4 review, 2026-04-17)

SUGGESTIONS

• docs(release-gate-tickets): replace drafts with Linear links (BON-421 family) #7 e2e-box.sh — exit codes 1/2/3 undocumented at the top.
• bon-331: W2.1 models transfer — envelope + events + config + plan #8 docs/release-gate-tickets.md — dependency graph invisible; BON-360 → BON-359 reversal only in one sentence.
• bon-332: W2.2 protocols transfer — 4 extension-point contracts #9 tests/e2e/Dockerfile:23 — build-essential ~300 MB, likely unneeded for pure-Python installs.
• bon-333: W2.3 events transfer — EventBus + 4 consumers #10 tests/e2e/Dockerfile — no USER (rationale worth a comment), no .dockerignore.
• bon-336: W3.3 workflows transfer — 5 factories + registry + stub cleanup #12 tests/e2e/scripts/e2e-box.sh:36 — RUN_ID at second precision; git clone into a non-empty $FIXTURE_DIR fails hard. Fix: %N for nanoseconds or rm -rf "$FIXTURE_DIR" before clone. (from PR e2e: host-clone fixture, bind-mount into box (no creds in container) #4 review, 2026-04-17)
• bon-334: W3.1 engine transfer — PipelineEngine + StageExecutor + gates + checkpoint + context + advisor #13 tests/e2e/scripts/e2e-runner.sh:19 — new exit code 4 (missing mount) widens finding docs(release-gate-tickets): replace drafts with Linear links (BON-421 family) #7 gap. Absorb when the exit-code table lands. (from PR e2e: host-clone fixture, bind-mount into box (no creds in container) #4 review, 2026-04-17)
• bon-337: per-role tool allow-lists (W1.5.3 floor + W4.1) #14 tests/e2e/scripts/e2e-box.sh:36 — no SSH preflight to github.com; first-time operator hangs on host-key prompt under set -e. Fix: one-line ssh -T -o BatchMode=yes git@github.com check with || exit 5. (from PR e2e: host-clone fixture, bind-mount into box (no creds in container) #4 review, 2026-04-17)
• bon-338: pre-exec security hooks (W4.2 default hook set) #15 tests/e2e/scripts/e2e-box.sh:37 — FIXTURE_REF edge: SHA not reachable from the fetched branch would fail checkout. Unlikely with GitHub default clone behavior; note only. (from PR e2e: host-clone fixture, bind-mount into box (no creds in container) #4 review, 2026-04-17)

How this list gets cleared

Check each box when a Wave 2+ PR touches the file and absorbs the fix. Link PR number when closing. New tickets BON-363 / BON-364 file separately.

---

Sources: retrospective code-reviewer pass on PR #2 (2026-04-16); code-reviewer pass on PR #4 (2026-04-17). Bootstrap self-gate exemption captured in chamberlain memory.