docs(retro): v6.3.0 pipeline hardening (7 issues) + scope-lock complete

RELEASE-NOTES.md

@@ -2,7 +2,7 @@
 
 ## v6.3.0 — 2026-06-01
 
-Pipeline-hardening release closing five recurring gate-miss / context-waste issues
+Pipeline-hardening release closing seven recurring gate-miss / context-waste issues
 observed across autonomous runs and Codex compaction.
 
 - **`adversarial-design-review` — auth/authz chain-composition bug-class (#59):** a new

docs/plans/2026-06-01-pipeline-hardening-4issues.md

@@ -31,7 +31,7 @@
 |------|-------|-------|--------|
 | 1 | feat: v6.3.0 pipeline hardening (#41/#58/#59/#60/#61/#63/#64) | Task 1, Task 2, Task 3, Task 4, Task 5, Task 6, Task 7, Task 8, Task 9 | feat/pipeline-hardening-4issues-v6.3.0 |
 
-**Status:** Amended 2026-06-01T06:00:00Z (user-approved scope expansion to #63 + #64; see Amendment note + decisions/0004)
+**Status:** Complete 2026-06-01T06:08:10Z (v6.3.0 released; 7 issues; see docs/retros/2026-06-01-v6.3.0-pipeline-hardening-retro.md)
 
 ---
 

docs/retros/2026-06-01-v6.3.0-pipeline-hardening-retro.md

@@ -0,0 +1,86 @@
+# Retro: v6.3.0 Pipeline Hardening (7 issues)
+
+**PR:** #62 — feat: v6.3.0 pipeline hardening (merge c5566295)
+**Merged / Released:** 2026-06-01 · v6.3.0 (Latest)
+**Issues:** #41, #58, #59, #60, #61 (locked) + #63, #64 (user-approved amendment)
+**Design:** docs/plans/2026-06-01-pipeline-hardening-4issues-design.md (adversarial PASS @ cycle 3)
+**Plan:** docs/plans/2026-06-01-pipeline-hardening-4issues.md (plan-phase PASS @ cycle 2; alignment PASS; Locked → Amended)
+**ADRs:** 0003 (Implement-N completion trust-boundary), 0004 (scope amendment)
+
+## What shipped
+
+One coherent release hardening the autonomous pipeline against recurring gate-misses:
+- **#59** auth/authz chain-composition plan-phase bug-class.
+- **#60** sanctioned, host-scoped bash poll-loop CI-wait (the prior background-Agent monitor
+  early-exited ~6×/run).
+- **#58** completion trust-boundary (a flipped `Implement: N` isn't trusted until lead
+  `verification-before-completion`; hard hook-block infeasible — ADR 0003).
+- **#41** `run-hook.cmd` stdout-JSON discipline (recover a block decision even behind a
+  warning) + `tests/hook-stdout-discipline.sh`.
+- **#61** pr-review reminder once-per-session (quote-strip match + marker, reset on
+  PreCompact).
+- **#63** artifact-class precedent design check (survey *where* an artifact lives, not just
+  the mechanism).
+- **#64** session-start Linux `stat` time-dedup fix (a real Linux-breaking bug).
+- New `hooks-check.yml` CI gating both hook test suites.
+
+## Adversarial-review findings, scored
+
+| Phase | Finding | Sev | Outcome |
+|---|---|---|---|
+| design c1 | #41 suppress-all dropped block decisions behind a warning | Critical | Resolved upfront — switched to last-JSON-line extraction |
+| design c1 | #41 locale over-claim; #60 Codex path undefined; #41 trailing-newline | Important×3 | Resolved upfront |
+| design c2 | #61 pre-compact early-exit would skip the marker-clear (no-locked-plan case) | Important | **Prescient** — exactly the kind of place-it-wrong bug; clear forced before the early-exit |
+| plan c1 | #61 regex still matched `gh pr create` in a quoted body | Important | Resolved upfront — quote-strip (pre-tool-scope-guard precedent) + false-positive test |
+| plan c1 | #41 jq-absent test case dropped; missing trap/stderr asserts | Important | Resolved upfront |
+| code review | #41 `grep -vF` substring false-drop; non-atomic marker write | Important + Minor | Resolved upfront — `grep -vxF` + atomic temp-file rename |
+
+Design converged in 3 cycles, plan in 2. The plan-phase review's #61-early-exit catch and
+the code review's `grep -vxF` catch were both real bugs killed pre-merge.
+
+## Gate misses
+
+| Issue | Gate that missed | Why it slipped | Fix |
+|---|---|---|---|
+| `session-start` time-dedup broken on Linux (#64) | local test runs (macOS only) | `hook-contracts.sh` "passed locally" on macOS; the BSD-first `stat -f %m` only misbehaves on GNU/Linux, which was never exercised because **no CI ran the hook tests** | Task 6's new `hooks-check.yml` (ubuntu) surfaced it on the first CI run; fixed GNU-first + numeric guard |
+
+This is the **existence/runtime-validity discipline catching itself**: adding a CI gate that
+runs the hook tests on the *real* target platform immediately exposed a pre-existing
+Linux bug that every local (macOS) run had masked. The lesson "a test that never runs is
+theater" (the rationale for Task 6) paid off the same hour it shipped.
+
+## What worked
+
+- **The amendment path worked as designed.** Two items arose mid-execution (#64 found by
+  the new CI; #63 newly filed). Both were surfaced, user-approved, recorded (ADR 0004),
+  the manifest re-stamped Locked → Amended (7 → 9 tasks, PR count unchanged), re-aligned,
+  re-locked — no silent rescoping.
+- **Dogfooding:** the release shipped #58's "completion not trusted until lead-verified"
+  rule and then *applied it to itself* — the lead ran the full suite from a clean tree
+  before trusting "done," which is how the macOS/Linux gap would have been caught even
+  without the CI gate.
+- **Copilot review (functional again):** flagged a real `pull_request` path-filter gap +
+  a CodeQL permissions gap (both fixed) and one false "invalid YAML" claim (rejected with
+  the green CI run as evidence — receiving-code-review rigor, not blind compliance).
+
+## What didn't
+
+- The RELEASE-NOTES intro said "five" after the amendment grew it to seven (fixed in this
+  retro PR). Minor; a reminder to re-read summary prose after a scope amendment.
+- #64 should ideally have been caught before merge of Task 6, not after the first push —
+  but there is no way to run ubuntu CI locally; the push-and-observe loop is the only real
+  signal, and it worked.
+
+## Plugin-level follow-ups
+
+No new plugin change warranted. #63 itself is the follow-up to the v1-retro "verify against
+source" lesson (one level up: survey the artifact class, not just the mechanism). The hook
+test suite is now CI-gated; consider extending `hooks-check.yml` to a matrix (macOS +
+ubuntu) so BSD/GNU portability bugs like #64 are caught on both — filed as a note, not yet
+a trend.
+
+## Project guidance updates
+
+| File | Change | Reason |
+|---|---|---|
+| (none) | no change | The durable lessons are already encoded as the shipped bug-classes (#59, #63) + ADRs 0003/0004. |