Add bounded randomizer post-processing retry

[punk6529]

Summary

• Add admin-gated retryRandomnessPostProcessing(uint256) to both VRF and arRNG adapters for deterministic FailedPostProcessing requests.
• Track bounded retry attempts in lifecycle storage, reuse the stored derived seed, validate request state plus token/collection/provider/epoch bindings, and emit retry success/failure events without requesting new randomness.
• Address review feedback by keeping retry-failure events distinct from initial post-processing failure events, refreshing fulfillment timing on retry success, and adding arRNG parity coverage for retry limits and binding changes.
• Add focused P0-RAND-006 tests plus ADR/status/roadmap/test/run-state traceability.

Safety Model

• Retry is only available after provider output was already accepted and deterministic core post-processing failed.
• Retry does not accept new random words, collection IDs, token IDs, or salts.
• Retry validates the live token collection, randomizer provider, and randomizer epoch before writing the stored seed to core.
• Retry attempts are capped by MAX_RANDOMNESS_POST_PROCESSING_RETRIES; failed retries preserve failed state, update the failure-data hash, and emit only the retry-specific failure event.

Validation

• forge build
• forge test --match-contract StreamRandomizerRetryTest -vvv (10 tests, 0 failed)
• forge test --match-contract StreamRandomizerLifecycleTest -vvv (18 tests, 0 failed)
• make check (170 tests, 0 failed)
• powershell -ExecutionPolicy Bypass -File scripts\check.ps1 (170 tests, 0 failed)
• forge fmt --check smart-contracts\StreamRandomizerLifecycle.sol smart-contracts\RandomizerVRF.sol smart-contracts\RandomizerRNG.sol test\StreamRandomizerRetry.t.sol test\helpers\CharacterizationTestBase.sol
• git diff --check
• Traceability grep for P0-RAND-006, retry events, retry limit, provider/epoch safeguards, and retryRandomnessPostProcessing
• Markdown heading scan for roadmap, ADR 0005, known blockers, status, and test README
• Slither baseline comparison: slither_exit=-1, total=687, high=9, medium=29, weak-prng=2, arbitrary-send-eth=0, reentrancy-eth=0, reentrancy-no-eth=0, reentrancy-events=22; high/medium and production reentrancy counts unchanged

Closes #42.

Summary by CodeRabbit

• New Features

  • Admin-gated manual retry for failed randomness post-processing using stored derived seed
  • Retries are deterministic and capped at 3 attempts; emits clear retry-success and retry-failure events

• Tests

  • Added end-to-end tests validating retry success, failure, authorization, bounding, and precondition checks

• Documentation

  • Updated ADRs, roadmap, status, ops logs, and test docs to reflect bounded deterministic retry behavior and lifecycle details

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c1326317-2ed8-42a8-8d74-79f7724780d4

📥 Commits

Reviewing files that changed from the base of the PR and between 74e6220 and 7370e99.

📒 Files selected for processing (7)

• docs/adr/0005-randomness.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• smart-contracts/StreamRandomizerLifecycle.sol
• test/README.md
• test/StreamRandomizerRetry.t.sol
• test/helpers/CharacterizationTestBase.sol

✅ Files skipped from review due to trivial changes (2)

• test/README.md
• ops/ROADMAP.md

🚧 Files skipped from review as they are similar to previous changes (4)

• docs/adr/0005-randomness.md
• ops/AUTONOMOUS_RUN.md
• test/StreamRandomizerRetry.t.sol
• smart-contracts/StreamRandomizerLifecycle.sol

---

📝 Walkthrough

Walkthrough

Implements bounded admin-gated retry for deterministic randomness post-processing failures (P0-RAND-006): adds retry counters, a max-attempt constant, adapter entrypoints, success/failure events with retry metadata, lifecycle retry handlers, tests covering VRF/ARRNG cases, and documentation/ops updates reflecting the new behavior.

Changes

Post-processing Retry Implementation

Layer / File(s)	Summary
Lifecycle state, events, and constraints smart-contracts/StreamRandomizerLifecycle.sol	MAX_RANDOMNESS_POST_PROCESSING_RETRIES constant limits retries to 3 attempts; postProcessingRetryCount field tracks per-request retry state; custom errors RandomnessRequestNotFailedPostProcessing and RandomnessPostProcessingRetryLimitReached enforce valid retry paths; new events RandomnessPostProcessingRetried and RandomnessPostProcessingRetryFailed emit with retry count and failure hash metadata.
Lifecycle retry core workflow smart-contracts/StreamRandomizerLifecycle.sol	_prepareRandomnessPostProcessingRetry validates FailedPostProcessing state, enforces retry limits, re-validates provider/token/epoch consistency, increments retry count, and clears failure hash; _confirmRandomnessPostProcessingRetry emits success event and finalizes fulfillment; _markRandomnessPostProcessingRetryFailed emits failure event with retry count and hashed failure data.
RNG/VRF adapter retry entrypoints smart-contracts/RandomizerRNG.sol, smart-contracts/RandomizerVRF.sol	Both adapters add public retryRandomnessPostProcessing(requestId) functions gated by FunctionAdminRequired; each prepares retry inputs (collectionId, tokenId, derivedSeed, retryCount), attempts deterministic gencoreContract.setTokenHash write via try/catch, and routes to lifecycle success/failure handlers.
Comprehensive retry test suite test/StreamRandomizerRetry.t.sol, test/helpers/CharacterizationTestBase.sol	Test contract StreamRandomizerRetryTest validates VRF and ARRNG retry success with stored seed, unauthorized rejection, terminal-fulfillment rejection, retry-limit enforcement, and precondition checks; includes RetryVrfCoordinator/RetryArrngController helpers, log-decoding assertions, and adds Vm.roll cheatcode declaration.
Documentation: ADR, roadmap, blockers, status, test README docs/adr/0005-randomness.md, ops/ROADMAP.md, docs/known-blockers.md, docs/status.md, test/README.md	ADR 0005 moves bounded retry from open follow-ups to current implementation, specifying admin-gated paths and updated event schemas with retryCount; roadmap clarifies failed post-processing observability and deterministic retry semantics without new provider output; known-blockers and status docs refine lifecycle/retry wording; test README documents P0-RAND-006 coverage.
Autonomous run tracking ops/AUTONOMOUS_RUN.md	Updates active branch, marks PR #68 merged with completion notes, advances PR queue from PR #68 to PR #69 "bounded randomness post-processing retry," adds implementation outline and validation evidence checklist for PR #69, and extends the decision log with merge and validation milestones.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related issues

• [P0-RAND-007] Decide and implement raw random words versus derived hash storage policy #43: Addresses storing derived seed and failure-data hash and emitting seed-bearing events, which aligns with P0-RAND-007-related storage and visibility concerns.

Possibly related PRs

• 6529-Collections/6529Stream#65: Extends the StreamRandomizerLifecycle framework that this PR further augments with retry counters and retry events.
• 6529-Collections/6529Stream#68: Introduced the FailedPostProcessing state, derived-seed and failure-data handling that this PR builds on.
• 6529-Collections/6529Stream#63: Related to admin/gating and scope-aware FunctionAdminRequired authorization used by the new retry entrypoints.

Poem

🐰 A retry path for randomness that stumbled,
With bounded attempts and state not jumbled,
Admin-gated shores, no seed replayed,
Just deterministic dreams post-processed, remade.
—CodeRabbit

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add bounded randomizer post-processing retry' directly summarizes the main change: introducing a bounded retry mechanism for post-processing randomness failures, which is the primary objective of the PR.
Linked Issues check	✅ Passed	The PR fully implements all coding requirements from #42 [P0-RAND-006]: bounded retry for deterministic failures only, stored derived seed reuse, validation of bindings, retry authorization gating, attempt capping via MAX_RANDOMNESS_POST_PROCESSING_RETRIES, and comprehensive test coverage for all required scenarios.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to implementing P0-RAND-006 retry functionality: contract modifications add the retryRandomnessPostProcessing function and supporting state/events, lifecycle management adds retry tracking and validation, documentation updates reflect the completed work, and tests validate the new retry behavior.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/randomizer-post-processing-retry

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[punk6529]

@coderabbitai review

Please review the bounded deterministic randomness post-processing retry implementation, especially the lifecycle state transitions around retry success/failure, provider/epoch validation, and the Slither reentrancy suppressions around the deterministic core write.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Get PR overview and files changed
gh pr view 69 --repo 6529-Collections/6529Stream --json files,additions,deletions,title,body 2>/dev/null | jq '{title, additions, deletions, files: [.files[].path]}'

Length of output: 730

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Fetch the full diff for the PR
gh pr diff 69 --repo 6529-Collections/6529Stream 2>/dev/null | head -3000

Length of output: 56232

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Full lifecycle contract
cat smart-contracts/StreamRandomizerLifecycle.sol

Length of output: 15470

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Full retry test for completeness
cat test/StreamRandomizerRetry.t.sol

Length of output: 18623

---

---

@punk6529: Here is the detailed review of the bounded deterministic retry implementation.

---

Review: StreamRandomizerLifecycle.sol + Adapters

✅ Reentrancy suppressions — correctly scoped and justified

The slither-disable-start reentrancy-no-eth,reentrancy-events block around the try gencoreContract.setTokenHash(...) is sound:

• CEI is satisfied: _prepareRandomnessPostProcessingRetry commits state = Fulfilled and increments postProcessingRetryCount before the external call. A re-entrant retryRandomnessPostProcessing on the same request ID will immediately fail with RandomnessRequestNotFailedPostProcessing(Fulfilled).
• No ETH flow: reentrancy-no-eth suppression is correct.
• Events follow state: both success and failure handlers emit events only after storage is finalized, so reentrancy-events suppression is correct.
• Scope is tight: suppressions cover only the try/catch block, not the entire function.

Both VRF and arRNG adapters are identical in structure here.

---

✅ Lifecycle state machine — correct

FailedPostProcessing
   └─ _prepare (pre-call): → Fulfilled, retryCount++, failureDataHash cleared
         ├─ setTokenHash succeeds
         │    └─ _confirm: stays Fulfilled, emits Retried + Fulfilled events
         └─ setTokenHash fails (catch)
              └─ _markRetryFailed → _markPostProcessingFailed: → FailedPostProcessing, new failureDataHash stored

Pending counts are decremented exactly once — during the original _fulfillRandomnessRequest (Pending→Fulfilled). The retry path does not touch pending counts in either the success or failure branch. Verified by reading _markRandomnessPostProcessingFailed: it does not call _decrementPendingRandomnessRequest.

---

✅ Provider/epoch/binding validation — correct order

All five checks in _prepareRandomnessPostProcessingRetry fire before any storage mutation:

1. state == FailedPostProcessing
2. retryCount < MAX_RANDOMNESS_POST_PROCESSING_RETRIES
3. request.provider == address(this)
4. live viewColIDforTokenID matches stored collectionId
5. live viewRandomizerEpoch and viewCollectionRandomizerContract match stored epoch/provider

This ordering is important: if the token-collection binding or epoch has changed, the revert fires without incrementing postProcessingRetryCount or mutating state. Tests confirm this for changed collection, changed epoch, and changed provider.

---

⚠️ Medium — dual-event emission on retry failure

_markRandomnessPostProcessingRetryFailed delegates to _markRandomnessPostProcessingFailed, which unconditionally emits RandomnessPostProcessingFailed in addition to RandomnessPostProcessingRetryFailed:

// StreamRandomizerLifecycle.sol — _markRandomnessPostProcessingRetryFailed
bytes32 failureDataHash = _markRandomnessPostProcessingFailed(_requestId, failureData);
// ^ emits RandomnessPostProcessingFailed
// ...
emit RandomnessPostProcessingRetryFailed(...);  // also emitted

With MAX_RANDOMNESS_POST_PROCESSING_RETRIES = 3, an exhausted request emits RandomnessPostProcessingFailed four times total (once on initial failure, once per retry failure). Any off-chain monitor or subgraph treating RandomnessPostProcessingFailed as an admin-action trigger will re-fire on each retry attempt.

Options:

• Extract a _setFailedPostProcessingState(requestId, failureData) helper that only mutates storage and returns the hash, then emit RandomnessPostProcessingFailed explicitly only in the initial-failure path and RandomnessPostProcessingRetryFailed only in the retry-failure path.
• Or document and test the dual-emission explicitly if it's intentional (e.g., to simplify indexers that only need the latest failure hash).

// Suggested refactor sketch
function _setFailedPostProcessingState(uint256 _requestId, bytes memory failureData)
    private
    returns (bytes32 failureDataHash)
{
    RandomnessRequest storage request = randomnessRequests[_requestId];
    // state guard checks ...
    failureDataHash = keccak256(failureData);
    request.state = RandomnessRequestState.FailedPostProcessing;
    request.failureDataHash = failureDataHash;
}

function _markRandomnessPostProcessingFailed(uint256 _requestId, bytes memory failureData)
    internal
{
    bytes32 failureDataHash = _setFailedPostProcessingState(_requestId, failureData);
    emit RandomnessPostProcessingFailed(..., failureDataHash);
}

function _markRandomnessPostProcessingRetryFailed(
    uint256 _requestId, bytes memory failureData, uint256 retryCount
) internal {
    bytes32 failureDataHash = _setFailedPostProcessingState(_requestId, failureData);
    emit RandomnessPostProcessingRetryFailed(..., retryCount, ..., failureDataHash);
}

---

🔵 Low — fulfilledBlock/fulfilledTimestamp not refreshed on retry success

On a successful retry, _prepareRandomnessPostProcessingRetry does not update request.fulfilledBlock or request.fulfilledTimestamp. Off-chain consumers reading these fields to determine when the token hash was actually written to core will see the timestamp of the original (failed) fulfillment, not the retry. Whether this matters depends on downstream metadata or indexer logic, but it's worth documenting as intentional.

---

🔵 Low — redundant storage read in _confirmRandomnessPostProcessingRetry

function _confirmRandomnessPostProcessingRetry(uint256 _requestId, uint256 retryCount) internal {
    RandomnessRequest storage request = randomnessRequests[_requestId];
    if (request.state != RandomnessRequestState.Fulfilled) {  // <- always true post-_prepare
        revert RandomnessRequestNotFulfilled(_requestId, request.state);
    }
    ...
}

After _prepare commits state = Fulfilled, the only way this check fails is via reentrancy — which is already blocked by the Fulfilled-state guard at the top of _prepare. This costs one extra warm SLOAD (~100 gas) per successful retry. It is safe defense-in-depth; just worth being aware of if gas optimization becomes a concern.

---

🔵 Informational — arRNG binding-validation and limit tests not mirrored

testRetryLimitBoundsRepeatedDeterministicFailures, testRetryRejectsChangedTokenCollectionBinding, testRetryRejectsChangedRandomizerEpoch, and testRetryRejectsChangedRandomizerProvider exercise only VRF. Since the retry logic lives entirely in StreamRandomizerLifecycle (shared base), the arRNG adapter implicitly inherits the same guarantees, but explicit arRNG counterparts for those edge cases would close the gap in coverage traceability.

---

Summary

Area	Verdict
Reentrancy suppressions	✅ Correct and tightly scoped
Lifecycle state transitions	✅ Correct; pending counts updated exactly once
Provider/epoch/binding validation	✅ All checks precede state mutation
Retry count persistence	✅ Incremented before external call
Dual-event emission on retry failure	⚠️ Medium — RandomnessPostProcessingFailed fires on each retry failure
fulfilledBlock/fulfilledTimestamp staleness	🔵 Low — not refreshed on retry success
Redundant state re-check in _confirm	🔵 Low — safe but costs extra SLOAD
arRNG binding/limit test parity	🔵 Informational

The critical safety properties hold: no new randomness is accepted, stored seed is reused, provider/epoch bindings are live-validated before any state change, and reentrancy is properly closed by the pre-external-call Fulfilled state. The dual-event emission is the only item worth actively resolving before audit.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ops/ROADMAP.md (1)

19-23: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove stale “deterministic randomness retry” from remaining P0 blockers.

Line 21 still lists deterministic randomness retry as a remaining blocker, but this same file now marks P0-RAND-006 as implemented/passing (for example in Appendix B). Please update this top-level blocker sentence to avoid contradictory status reporting.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ops/ROADMAP.md` around lines 19 - 23, Update the top-level blockers sentence
in ROADMAP.md by removing the phrase "deterministic randomness retry" so it no
longer contradicts the implemented/passing status of P0-RAND-006 (see Appendix
B); locate the sentence containing "Known remaining P0 blockers" and edit it to
omit that specific blocker while keeping the rest of the list intact and
grammatically correct.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@ops/ROADMAP.md`:
- Around line 19-23: Update the top-level blockers sentence in ROADMAP.md by
removing the phrase "deterministic randomness retry" so it no longer contradicts
the implemented/passing status of P0-RAND-006 (see Appendix B); locate the
sentence containing "Known remaining P0 blockers" and edit it to omit that
specific blocker while keeping the rest of the list intact and grammatically
correct.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 68ede4eb-bcbb-44f7-a0c2-c1ecbc5a50f0

📥 Commits

Reviewing files that changed from the base of the PR and between 0c46384 and 74e6220.

📒 Files selected for processing (10)

• docs/adr/0005-randomness.md
• docs/known-blockers.md
• docs/status.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• smart-contracts/RandomizerRNG.sol
• smart-contracts/RandomizerVRF.sol
• smart-contracts/StreamRandomizerLifecycle.sol
• test/README.md
• test/StreamRandomizerRetry.t.sol

[punk6529]

@coderabbitai review

Addressed the review on the latest push:

• Split failed-state mutation from initial failure event emission. Retry failures now emit only RandomnessPostProcessingRetryFailed; tests assert no duplicate RandomnessPostProcessingFailed on retry failure.
• Refresh fulfilledBlock and fulfilledTimestamp on retry success; VRF and arRNG success tests assert this.
• Added arRNG retry-limit and binding-validation parity coverage.
• Kept _confirmRandomnessPostProcessingRetry state re-check as defense-in-depth.

Validation: make check and the Windows wrapper both pass with 170 tests; Slither high/medium and production reentrancy counts are unchanged (total=687, high=9, medium=29, reentrancy-events=22).

[punk6529]

@coderabbitai review

Addressed the remaining roadmap-status comment on the latest push: the top-level Known remaining P0 blockers sentence no longer lists deterministic randomness retry as remaining now that P0-RAND-006 is implemented and marked passing in the traceability matrix. This push is docs/state only; git diff --check and the targeted roadmap/status grep passed locally.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Check lifecycle contract for split event/state mutation
grep -n "RandomnessPostProcessingFailed\|RandomnessPostProcessingRetryFailed\|_setFailedPostProcessingState\|_markRandomness\|failureDataHash\|fulfilledBlock\|fulfilledTimestamp" smart-contracts/StreamRandomizerLifecycle.sol

Length of output: 1977

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Check the retry test for arRNG parity and dual-event assertions
grep -n "testArrng\|testRetryLimit\|testRetryRejectsChanged\|RandomnessPostProcessingFailed\|fulfilledBlock\|fulfilledTimestamp" test/StreamRandomizerRetry.t.sol | head -80

Length of output: 1261

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the full _markRandomnessPostProcessingFailed and _markRandomnessPostProcessingRetryFailed implementations
grep -n -A 20 "_markRandomnessPostProcessingFailed\|_markRandomnessPostProcessingRetryFailed\|_setFailedPostProcessingState" smart-contracts/StreamRandomizerLifecycle.sol | head -120

Length of output: 2098

---

---

@punk6529: All four items verified against the latest push.

Prior finding	Fix	Verification
⚠️ Medium — dual RandomnessPostProcessingFailed on retry failure	_setRandomnessPostProcessingFailedState (private) now owns state-only mutation; _markRandomnessPostProcessingFailed and _markRandomnessPostProcessingRetryFailed each emit exactly their own event	Lines 276–292 vs 384–401 — clean separation confirmed
🔵 Low — stale fulfilledBlock/fulfilledTimestamp	Lines 369–370 refresh both fields in the retry-success path	Test assertions at lines 56–57 (VRF) and 87–88 (arRNG)
🔵 Informational — arRNG test parity	testArrngRetryLimitBoundsRepeatedDeterministicFailures and testArrngRetryRejectsChangedBindings added	Lines 155 and 268
🔵 Low — redundant SLOAD in _confirmRandomnessPostProcessingRetry	Kept intentionally as defense-in-depth	Acknowledged

The refactoring is clean: the private _setRandomnessPostProcessingFailedState helper correctly returns the failureDataHash without any event side-effects, keeping each call site in full control of which event it emits. All critical safety properties remain intact — no new randomness accepted, stored seed reused, provider/epoch/binding validation precedes state mutation, and reentrancy is properly closed.

Approving.

(੭˃ᴗ˂)੭ ✦

[approve]

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Check the latest diff for this PR to see the docs-only changes
gh pr diff 69 --repo 6529-Collections/6529Stream 2>/dev/null | tail -200

Length of output: 7887

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Get the latest commits on the PR to understand the latest push
gh pr view 69 --repo 6529-Collections/6529Stream --json commits --jq '.commits[-3:]'

Length of output: 1206

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Check the diff for docs/status.md and ops/ROADMAP.md and docs/known-blockers.md on the full PR diff
gh pr diff 69 --repo 6529-Collections/6529Stream 2>/dev/null | grep -A 60 'diff --git a/docs/status.md'
gh pr diff 69 --repo 6529-Collections/6529Stream 2>/dev/null | grep -A 60 'diff --git a/ops/ROADMAP.md'
gh pr diff 69 --repo 6529-Collections/6529Stream 2>/dev/null | grep -A 60 'diff --git a/docs/known-blockers.md'

Length of output: 12149

---

---

@punk6529: Verified the latest push (7370e99 — "Fix randomizer retry roadmap status wording"). All three docs files are internally consistent and correctly reflect the implemented state:

File	Change	Status
ops/ROADMAP.md	Top-level P0 blockers sentence: "deterministic randomness retry" removed	✅
ops/ROADMAP.md	P0-RAND-001 narrative + P0-RAND-006 child ticket: retry marked as implemented	✅
docs/status.md	"bounded randomness retry" removed from blockers; "bounded deterministic post-processing retry" added to test coverage list	✅
docs/known-blockers.md	Retry described as implemented in the blocker narrative; removed from remaining list; "deterministic randomizer retry" moved from "still missing" into the "now exists" regression list	✅

No stray "retry as remaining" references remain across any of the affected files. All four items from the prior review are fully addressed — the implementation, tests, and documentation are consistent and audit-ready for this PR.

[approve]