diff --git a/.claude/skills/recipe-report/SKILL.md b/.claude/skills/recipe-report/SKILL.md
index 6b9e101..eacb6e0 100644
--- a/.claude/skills/recipe-report/SKILL.md
+++ b/.claude/skills/recipe-report/SKILL.md
@@ -29,11 +29,14 @@ Helper: `python3 /srv/cc-ci/cc-ci-plan/recipe-report.py {survey|render|publish}` of the version bumps) for upgrades that fix **CVEs / security issues**. Anything **critical/high** leads the page → the `security` bulletin (recipe · CVE id(s) + severity · what it fixes · PR link). This is the most important section; be specific about severity and what's exposed if not merged. - - **Lead / editorial.** Write the `lead`: the **overall state of the recipe fleet** this week (how - healthy, what moved, any worrying trend) and **specific, opinionated suggestions of what to focus - on** — opus's voice, useful and concrete. **Keep it TIGHT: 2 short paragraphs, ~120 words total** — - lead with the single most important thing, then security/focus in a sentence or two. (Trim hard; - the rest of the page carries the detail.) + - **Lead / editorial.** Write the `lead` in opus's voice — useful, concrete, opinionated. **~3 short + paragraphs, ~150–180 words:** + 1. **Fleet state** in a line or two — how healthy, what moved, any trend. + 2. **What to focus on** — security/critical merges first, then the key failures. + 3. **Anything strange worth looking into** — odd or unexpected failures, parser snags, PR-state + oddities (e.g. a recipe carrying two open PRs to reconcile), drift from the summary, leftover + artifacts. This is the "editor's eye" paragraph; flag what a careful maintainer would want to notice. + Lead with the single most important thing; the rest of the page carries the detail. - **Needs attention** — GREEN PRs ready to merge + errors/failures to investigate (RED `!testme`, recipe bugs). Short, specific prose + links. Flag cross-cutting issues (e.g. two open PRs to reconcile). - **Routine** — minor/clean bumps, stale-test PRs (need operator `--with-tests`), up-to-date / skipped. diff --git a/.claude/skills/recipe-report/example-spec.json b/.claude/skills/recipe-report/example-spec.json index 0082c5b..fae67b0 100644 
--- a/.claude/skills/recipe-report/example-spec.json
+++ b/.claude/skills/recipe-report/example-spec.json
@@ -1,132 +1 @@ -{ - "date": "2026-06-02", - "subtitle": "Week of June 2, 2026", - "lead": "The recipe fleet is in good health this week. Of 18 recipes considered, eleven upgrades are !testme GREEN and ready for your merge, two are blocked on genuine failures, and just one waits on a stale-test refresh. Ghost was already cleared by the operator since the run, and discourse flipped green overnight at build 179 — so the open-failure count is lower than the morning summary suggested.\n\nSecurity leads the page, and it is nginx-heavy. The 1.29 → 1.31 jump closes a batch of memory-safety and request-smuggling CVEs (heap overflow in the rewrite module, proxy_set_body data injection, an ssl_ocsp use-after-free, HTTP/3 address spoofing) and rides into two recipes — custom-html and cryptpad — both already green. Merge those two first. Right behind them: mailu rolls up a Roundcube webmail CVE, uptime-kuma patches an authenticated RCE, and the redis 8.8 bump (lasuite-meet, lasuite-docs) carries several redis CVEs. All green, all low-risk.\n\nThe two failures share a single theme worth your attention: Postgres/ClickHouse backup-and-restore plumbing. mattermost-lts can't go green because of a pre-existing restore bug (its 10.11.19 ESR ships medium-severity security fixes that are now hostage to it), and plausible's pg13→16 + ClickHouse 24 migration trips on a deploy-time issue. Both have companion ci/* fix PRs that predate this run — reconcile each upgrade with its sibling rather than chasing the version bump alone.\n\nThe trend to watch is Postgres majors. pgautoupgrade 17→18 and the various pg13→16 jumps are this week's recurring friction: n8n needs a mandatory volume-path move (it's green, but do not merge-and-forget), matrix-synapse's data-preservation test went stale against pg18's new data-dir layout, and the same family of restore tests is what blocks mattermost. 
A pass over the CI's pg18 data-preservation tests would pay for itself.", - "security": [ - { - "title": "nginx 1.31 — memory-safety + request-smuggling CVE batch (high) · custom-html, cryptpad", - "body": "Bumping the nginx sidecar from 1.29 to 1.31.1 closes a cluster of CVEs fixed in 1.31.0/1.31.1: heap buffer overflows in the rewrite module, data injection via proxy_set_body, an HTTP/3 address-spoofing flaw, and a use-after-free in the DNS/ssl_ocsp path. Two recipes ship the sidecar — custom-html (also alpine/git → v2.52.0) and cryptpad — and both are !testme GREEN. These are the highest-value merges of the week; do them first.", - "links": [ - {"text": "custom-html PR #1 (build 163)", "url": "https://git.autonomic.zone/recipe-maintainers/custom-html/pulls/1"}, - {"text": "cryptpad PR #4 (build 154)", "url": "https://git.autonomic.zone/recipe-maintainers/cryptpad/pulls/4"} - ] - }, - { - "title": "mailu — Roundcube webmail CVE-2026-49217 (high) · internet-facing", - "body": "mailu 2024.06.37 → 2024.06.52 rolls up the Roundcube security fix CVE-2026-49217 along with certdumper v2.11.2 and a redis 8.8 bump. Webmail is exposed on a mail host, so this one is worth prioritising. No config changes; !testme GREEN.", - "links": [ - {"text": "mailu PR #1 (build 157)", "url": "https://git.autonomic.zone/recipe-maintainers/mailu/pulls/1"} - ] - }, - { - "title": "uptime-kuma — authenticated RCE fix (high) · plus MariaDB 12.3 major bump", - "body": "uptime-kuma 2.2.1 → 2.4.0 patches a remote-code-execution flaw in an upstream dependency (exploitable by authenticated users). It is bundled with a MariaDB 11.8 → 12.3 major-version bump, so take a database backup before deploying if you run the mariadb overlay. 
!testme GREEN.", - "links": [ - {"text": "uptime-kuma PR #2 (build 165)", "url": "https://git.autonomic.zone/recipe-maintainers/uptime-kuma/pulls/2"} - ] - }, - { - "title": "redis 8.8 — CVE-2026-23479, CVE-2026-25243 (moderate) · lasuite-meet, lasuite-docs", - "body": "The redis 8.6.3 → 8.8.0 bump carries several redis security patches, including CVE-2026-23479 and CVE-2026-25243. It ships in lasuite-meet (alongside the meet v1.16→v1.17 app upgrade) and lasuite-docs. Redis is used purely as cache/session/pub-sub here, so the upgrade is drop-in. Both green.", - "links": [ - {"text": "lasuite-meet PR #3 (build 156)", "url": "https://git.autonomic.zone/recipe-maintainers/lasuite-meet/pulls/3"}, - {"text": "lasuite-docs PR #4 (build 169)", "url": "https://git.autonomic.zone/recipe-maintainers/lasuite-docs/pulls/4"} - ] - }, - { - "title": "static-web-server — Basic-Auth timing attack CVE-2026-27480 (low/moderate) · custom-html-tiny", - "body": "static-web-server 2.38 → 2.42 picks up CVE-2026-27480, a timing attack in Basic Auth fixed in v2.41.0. Note v2.41 also flips --ignore-hidden-files and --disable-symlinks on by default; this recipe serves an explicit -d path and is unaffected. !testme GREEN.", - "links": [ - {"text": "custom-html-tiny PR #6 (build 164)", "url": "https://git.autonomic.zone/recipe-maintainers/custom-html-tiny/pulls/6"} - ] - } - ], - "needs_attention": [ - { - "title": "Eleven green PRs await your merge", - "body": "The merge-ready set: cryptpad, custom-html, custom-html-tiny, discourse, keycloak, lasuite-docs, lasuite-meet, mailu, n8n, and uptime-kuma — plus ghost, which the operator already resolved. discourse #2 is the late arrival: it is now !testme GREEN at build 179, clearing the stale-test RED (the allow_uncategorized_topics default flip) that the morning run had flagged. 
Full per-recipe detail in the wire below.", - "links": [] - }, - { - "title": "mattermost-lts — RED on restore; a security patch is held hostage", - "body": "The 10.11.19 ESR bump is correct and carries medium-severity security fixes, but !testme is RED at build 161 on test_restore_returns_state — a pre-existing backup/restore bug (the ci_marker row does not survive backup→restore), not something this upgrade introduced. Three restore strategies were tried without success. A companion fix PR (#1, ci/pg-restore) is open; reconcile the pair. The security patch cannot land until restore is fixed.", - "links": [ - {"text": "upgrade PR #2 (build 161 RED)", "url": "https://git.autonomic.zone/recipe-maintainers/mattermost-lts/pulls/2"}, - {"text": "companion fix PR #1", "url": "https://git.autonomic.zone/recipe-maintainers/mattermost-lts/pulls/1"} - ] - }, - { - "title": "plausible — RED on deploy after the pg13→16 + ClickHouse 24 jump", - "body": "plausible 4.0.0+v2.1.5 (image moved Docker Hub → GHCR, postgres 13→16, ClickHouse 23.4→24.3) is RED at build 168. The ClickHouse IPv6-bind crash was fixed with an ipv4-only config, but the deploy still fails: Postgres appears to stay at 13 and the app gets NXDOMAIN for the events DB — most likely abra re-fetching the upstream compose over the PR head. A companion PR (#1, ci/clickhouse-backup-resilient) is also open and RED. Note: the v3.x-only CVE-2026-8467 does not affect this v2.1.5 target.", - "links": [ - {"text": "upgrade PR #2 (build 168 RED)", "url": "https://git.autonomic.zone/recipe-maintainers/plausible/pulls/2"}, - {"text": "companion PR #1", "url": "https://git.autonomic.zone/recipe-maintainers/plausible/pulls/1"} - ] - }, - { - "title": "matrix-synapse — green except for one stale test; run --with-tests", - "body": "synapse v1.149.1 → v1.153.0 (with mas 1.17, nginx 1.31.1, pgautoupgrade 17→18) is RED at build 158 only on test_upgrade_preserves_data — the ci_marker table is lost across the pg17→18 in-place upgrade. 
Everything else passes (reconverge, serving, backup, restore, /_matrix/client/versions 200), so the diagnosis is a stale CI test, not a broken upgrade. Refresh it with /recipe-upgrade matrix-synapse --with-tests.", - "links": [ - {"text": "PR #1 (build 158 RED · upgrade-test)", "url": "https://git.autonomic.zone/recipe-maintainers/matrix-synapse/pulls/1"} - ] - }, - { - "title": "n8n — GREEN, but a mandatory migration rides with it", - "body": "n8n 2.20.6 → 2.23.2 is !testme GREEN at build 162, but the pgautoupgrade 17→18 bump requires the volume mount path to move from /var/lib/postgresql/data to /var/lib/postgresql, and an in-place pg_upgrade --link runs on first start. Back up the database first, and apply the path change on existing deployments — green here does not mean no-op for operators.", - "links": [ - {"text": "n8n PR #4 (build 162)", "url": "https://git.autonomic.zone/recipe-maintainers/n8n/pulls/4"} - ] - }, - { - "title": "ghost — already resolved since the run", - "body": "Ghost now has no open PR. The operator merged the backup-fix PR (#1, which landed Ghost at 6.42.0-alpine and added a proper mysql restore hook) and closed the 6.43.1 PR (#3). Net effect: the data-loss-on-restore bug is fixed, but Ghost sits one patch behind the 6.43.1 the upgrader had proposed — a future run can re-offer that bump.", - "links": [ - {"text": "merged PR #1", "url": "https://git.autonomic.zone/recipe-maintainers/ghost/pulls/1"} - ] - } - ], - "routine": [ - { - "title": "Clean dependency bumps", - "body": "keycloak 10.7.1 → 10.8.0 (MariaDB 12.2 → 12.3, app unchanged) and lasuite-docs 0.3.3 → 0.3.4 (redis 8.8) are routine, no-operator-action bumps — both green. 
lasuite-meet also carries its meet v1.17.0 app upgrade with no required config changes.", - "links": [] - }, - { - "title": "Skipped — already current", - "body": "bluesky-pds, mumble, and lasuite-drive are up-to-date (drive's collabora/minio/onlyoffice tags are unparseable to abra, but its core images are at latest).", - "links": [] - }, - { - "title": "immich — blocked by an abra tooling limit", - "body": "immich was skipped: abra cannot parse its tag-plus-digest image references (e.g. ghcr.io/immich-app/postgres:14-vectorchord…@sha256:…), so the survey can't compute an upgrade. An explanatory comment was left on its open PR #1. This is a tooling gap, not a recipe fault.", - "links": [ - {"text": "immich PR #1", "url": "https://git.autonomic.zone/recipe-maintainers/immich/pulls/1"} - ] - }, - { - "title": "Infrastructure footnote", - "body": "Eight recipes initially failed the survey with an abra go-git auth error (credentials must be embedded in the git origin URL, not via .netrc); all were recovered before the run completed. No fleet impact.", - "links": [] - } - ], - "table": [ - {"recipe": "cryptpad", "change": "0.5.4+v2026.2.0 → 0.5.5+v2026.2.0", "status": "GREEN", "ci": "build 154 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/154", "pr": "#4", "pr_url": "https://git.autonomic.zone/recipe-maintainers/cryptpad/pulls/4", "notes": "nginx 1.29 → 1.31 (CVE batch). Ready to merge."}, - {"recipe": "custom-html", "change": "1.11.0+1.29.0 → 1.13.0+1.31.1", "status": "GREEN", "ci": "build 163 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/163", "pr": "#1", "pr_url": "https://git.autonomic.zone/recipe-maintainers/custom-html/pulls/1", "notes": "nginx 1.31.1 CVEs + alpine/git v2.52.0. 
Ready to merge."}, - {"recipe": "custom-html-tiny", "change": "1.0.1+2.38.0 → 1.1.0+2.42.0", "status": "GREEN", "ci": "build 164 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/164", "pr": "#6", "pr_url": "https://git.autonomic.zone/recipe-maintainers/custom-html-tiny/pulls/6", "notes": "static-web-server 2.42 (Basic-Auth timing CVE)."}, - {"recipe": "discourse", "change": "0.7.0+3.3.1 → 0.8.0+3.5.0", "status": "GREEN", "ci": "build 179 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/179", "pr": "#2", "pr_url": "https://git.autonomic.zone/recipe-maintainers/discourse/pulls/2", "notes": "Now green — stale test cleared. pg13→16, backup fix, bitnami→bitnamilegacy (archived mirror)."}, - {"recipe": "ghost", "change": "1.2.0+6.21.2-alpine → 1.3.0+6.42.0-alpine", "status": "UPTODATE", "ci": "merged", "pr": "#1", "pr_url": "https://git.autonomic.zone/recipe-maintainers/ghost/pulls/1", "notes": "Resolved by operator: #1 merged (backup fix, 6.42.0); 6.43.1 PR #3 closed."}, - {"recipe": "keycloak", "change": "10.7.1+26.6.2 → 10.8.0+26.6.2", "status": "GREEN", "ci": "build 155 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/155", "pr": "#2", "pr_url": "https://git.autonomic.zone/recipe-maintainers/keycloak/pulls/2", "notes": "MariaDB 12.2 → 12.3. Clean."}, - {"recipe": "lasuite-docs", "change": "0.3.3+v5.1.0 → 0.3.4+v5.1.0", "status": "GREEN", "ci": "build 169 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/169", "pr": "#4", "pr_url": "https://git.autonomic.zone/recipe-maintainers/lasuite-docs/pulls/4", "notes": "redis 8.6.3 → 8.8.0 (CVEs). 
Clean."}, - {"recipe": "lasuite-meet", "change": "0.3.0+v1.16.0 → 0.3.0+v1.17.0", "status": "GREEN", "ci": "build 156 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/156", "pr": "#3", "pr_url": "https://git.autonomic.zone/recipe-maintainers/lasuite-meet/pulls/3", "notes": "meet v1.17.0 + redis 8.8 (CVEs). Swagger routes now /api-prefixed."}, - {"recipe": "mailu", "change": "3.0.1+2024.06.37 → 3.0.1+2024.06.52", "status": "GREEN", "ci": "build 157 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/157", "pr": "#1", "pr_url": "https://git.autonomic.zone/recipe-maintainers/mailu/pulls/1", "notes": "Roundcube CVE-2026-49217 + certdumper v2.11.2 + redis 8.8."}, - {"recipe": "matrix-synapse", "change": "7.1.1+v1.149.1 → 7.2.0+v1.153.0", "status": "STALE", "ci": "RED 158 · upgrade-test", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/158", "pr": "#1", "pr_url": "https://git.autonomic.zone/recipe-maintainers/matrix-synapse/pulls/1", "notes": "Stale test_upgrade_preserves_data (pg17→18 ci_marker loss). Run --with-tests."}, - {"recipe": "mattermost-lts", "change": "2.1.10+10.11.18 → 2.2.0+10.11.19", "status": "FAILED", "ci": "RED 161 · restore", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/161", "pr": "#2", "pr_url": "https://git.autonomic.zone/recipe-maintainers/mattermost-lts/pulls/2", "notes": "Pre-existing restore bug; see companion #1. 
ESR carries a medium-severity security patch."}, - {"recipe": "n8n", "change": "3.2.0+2.20.6 → 3.3.0+2.23.2", "status": "GREEN", "ci": "build 162 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/162", "pr": "#4", "pr_url": "https://git.autonomic.zone/recipe-maintainers/n8n/pulls/4", "notes": "⚠ pg17→18: volume path /var/lib/postgresql/data → /var/lib/postgresql; back up first."}, - {"recipe": "plausible", "change": "3.0.1+v2.0.0 → 4.0.0+v2.1.5", "status": "FAILED", "ci": "RED 168 · deploy", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/168", "pr": "#2", "pr_url": "https://git.autonomic.zone/recipe-maintainers/plausible/pulls/2", "notes": "GHCR move + pg13→16 + ClickHouse 24. ClickHouse fixed; deploy still fails (pg re-fetch). See #1."}, - {"recipe": "uptime-kuma", "change": "3.0.0+2.2.1 → 4.0.0+2.4.0", "status": "GREEN", "ci": "build 165 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/165", "pr": "#2", "pr_url": "https://git.autonomic.zone/recipe-maintainers/uptime-kuma/pulls/2", "notes": "Authenticated RCE fix + MariaDB 11.8 → 12.3 (back up first)."}, - {"recipe": "bluesky-pds", "change": "—", "status": "UPTODATE", "ci": "", "pr": "", "notes": "Up-to-date."}, - {"recipe": "mumble", "change": "—", "status": "UPTODATE", "ci": "", "pr": "", "notes": "Up-to-date."}, - {"recipe": "lasuite-drive", "change": "—", "status": "UPTODATE", "ci": "", "pr": "", "notes": "Up-to-date (some tags unparseable; core images at latest)."}, - {"recipe": "immich", "change": "—", "status": "SKIPPED", "ci": "", "pr": "#1", "pr_url": "https://git.autonomic.zone/recipe-maintainers/immich/pulls/1", "notes": "abra cannot parse tag+digest image pins; explanatory comment left on PR."} - ] -} +{"date": "2026-06-02", "subtitle": "Week of June 2, 2026", "lead": "The recipe fleet is healthy this week. 
Of 18 recipes, eleven upgrades are !testme GREEN and ready to merge, two failed on genuine recipe bugs, and one waits on a stale-test refresh \u2014 a clean run overall.\n\nDo the security merges first: the nginx 1.29\u21921.31 bump closes a high-severity batch (heap overflows, request smuggling, an HTTP/3 spoofing flaw) and ships in custom-html and cryptpad, both green. Then triage the two reds \u2014 mattermost-lts and plausible \u2014 both pre-existing backup/restore bugs, not regressions from this week.\n\nWorth a closer look: four recipes \u2014 discourse, ghost, mattermost-lts, plausible \u2014 now carry two open PRs each (a fresh upgrade alongside an older backup fix) that want reconciling; immich and lasuite-drive both tripped abra's image-tag parser on digest-pinned / non-standard tags, a recurring format snag; and a stray recipe-create-pr smoke-test PR still lingers on bluesky-pds.", "security": [{"title": "nginx 1.31 \u2014 memory-safety + request-smuggling CVE batch (high) \u00b7 custom-html, cryptpad", "body": "Bumping the nginx sidecar from 1.29 to 1.31.1 closes a cluster of CVEs fixed in 1.31.0/1.31.1: heap buffer overflows in the rewrite module, data injection via proxy_set_body, an HTTP/3 address-spoofing flaw, and a use-after-free in the DNS/ssl_ocsp path. Two recipes ship the sidecar \u2014 custom-html (also alpine/git \u2192 v2.52.0) and cryptpad \u2014 and both are !testme GREEN. These are the highest-value merges of the week; do them first.", "links": [{"text": "custom-html PR #1 (build 163)", "url": "https://git.autonomic.zone/recipe-maintainers/custom-html/pulls/1"}, {"text": "cryptpad PR #4 (build 154)", "url": "https://git.autonomic.zone/recipe-maintainers/cryptpad/pulls/4"}]}, {"title": "mailu \u2014 Roundcube webmail CVE-2026-49217 (high) \u00b7 internet-facing", "body": "mailu 2024.06.37 \u2192 2024.06.52 rolls up the Roundcube security fix CVE-2026-49217 along with certdumper v2.11.2 and a redis 8.8 bump. 
Webmail is exposed on a mail host, so this one is worth prioritising. No config changes; !testme GREEN.", "links": [{"text": "mailu PR #1 (build 157)", "url": "https://git.autonomic.zone/recipe-maintainers/mailu/pulls/1"}]}, {"title": "uptime-kuma \u2014 authenticated RCE fix (high) \u00b7 plus MariaDB 12.3 major bump", "body": "uptime-kuma 2.2.1 \u2192 2.4.0 patches a remote-code-execution flaw in an upstream dependency (exploitable by authenticated users). It is bundled with a MariaDB 11.8 \u2192 12.3 major-version bump, so take a database backup before deploying if you run the mariadb overlay. !testme GREEN.", "links": [{"text": "uptime-kuma PR #2 (build 165)", "url": "https://git.autonomic.zone/recipe-maintainers/uptime-kuma/pulls/2"}]}, {"title": "redis 8.8 \u2014 CVE-2026-23479, CVE-2026-25243 (moderate) \u00b7 lasuite-meet, lasuite-docs", "body": "The redis 8.6.3 \u2192 8.8.0 bump carries several redis security patches, including CVE-2026-23479 and CVE-2026-25243. It ships in lasuite-meet (alongside the meet v1.16\u2192v1.17 app upgrade) and lasuite-docs. Redis is used purely as cache/session/pub-sub here, so the upgrade is drop-in. Both green.", "links": [{"text": "lasuite-meet PR #3 (build 156)", "url": "https://git.autonomic.zone/recipe-maintainers/lasuite-meet/pulls/3"}, {"text": "lasuite-docs PR #4 (build 169)", "url": "https://git.autonomic.zone/recipe-maintainers/lasuite-docs/pulls/4"}]}, {"title": "static-web-server \u2014 Basic-Auth timing attack CVE-2026-27480 (low/moderate) \u00b7 custom-html-tiny", "body": "static-web-server 2.38 \u2192 2.42 picks up CVE-2026-27480, a timing attack in Basic Auth fixed in v2.41.0. Note v2.41 also flips --ignore-hidden-files and --disable-symlinks on by default; this recipe serves an explicit -d path and is unaffected. 
!testme GREEN.", "links": [{"text": "custom-html-tiny PR #6 (build 164)", "url": "https://git.autonomic.zone/recipe-maintainers/custom-html-tiny/pulls/6"}]}], "needs_attention": [{"title": "Eleven green PRs await your merge", "body": "The merge-ready set: cryptpad, custom-html, custom-html-tiny, discourse, keycloak, lasuite-docs, lasuite-meet, mailu, n8n, and uptime-kuma \u2014 plus ghost, which the operator already resolved. discourse #2 is the late arrival: it is now !testme GREEN at build 179, clearing the stale-test RED (the allow_uncategorized_topics default flip) that the morning run had flagged. Full per-recipe detail in the wire below.", "links": []}, {"title": "mattermost-lts \u2014 RED on restore; a security patch is held hostage", "body": "The 10.11.19 ESR bump is correct and carries medium-severity security fixes, but !testme is RED at build 161 on test_restore_returns_state \u2014 a pre-existing backup/restore bug (the ci_marker row does not survive backup\u2192restore), not something this upgrade introduced. Three restore strategies were tried without success. A companion fix PR (#1, ci/pg-restore) is open; reconcile the pair. The security patch cannot land until restore is fixed.", "links": [{"text": "upgrade PR #2 (build 161 RED)", "url": "https://git.autonomic.zone/recipe-maintainers/mattermost-lts/pulls/2"}, {"text": "companion fix PR #1", "url": "https://git.autonomic.zone/recipe-maintainers/mattermost-lts/pulls/1"}]}, {"title": "plausible \u2014 RED on deploy after the pg13\u219216 + ClickHouse 24 jump", "body": "plausible 4.0.0+v2.1.5 (image moved Docker Hub \u2192 GHCR, postgres 13\u219216, ClickHouse 23.4\u219224.3) is RED at build 168. The ClickHouse IPv6-bind crash was fixed with an ipv4-only config, but the deploy still fails: Postgres appears to stay at 13 and the app gets NXDOMAIN for the events DB \u2014 most likely abra re-fetching the upstream compose over the PR head. 
A companion PR (#1, ci/clickhouse-backup-resilient) is also open and RED. Note: the v3.x-only CVE-2026-8467 does not affect this v2.1.5 target.", "links": [{"text": "upgrade PR #2 (build 168 RED)", "url": "https://git.autonomic.zone/recipe-maintainers/plausible/pulls/2"}, {"text": "companion PR #1", "url": "https://git.autonomic.zone/recipe-maintainers/plausible/pulls/1"}]}, {"title": "matrix-synapse \u2014 green except for one stale test; run --with-tests", "body": "synapse v1.149.1 \u2192 v1.153.0 (with mas 1.17, nginx 1.31.1, pgautoupgrade 17\u219218) is RED at build 158 only on test_upgrade_preserves_data \u2014 the ci_marker table is lost across the pg17\u219218 in-place upgrade. Everything else passes (reconverge, serving, backup, restore, /_matrix/client/versions 200), so the diagnosis is a stale CI test, not a broken upgrade. Refresh it with /recipe-upgrade matrix-synapse --with-tests.", "links": [{"text": "PR #1 (build 158 RED \u00b7 upgrade-test)", "url": "https://git.autonomic.zone/recipe-maintainers/matrix-synapse/pulls/1"}]}, {"title": "n8n \u2014 GREEN, but a mandatory migration rides with it", "body": "n8n 2.20.6 \u2192 2.23.2 is !testme GREEN at build 162, but the pgautoupgrade 17\u219218 bump requires the volume mount path to move from /var/lib/postgresql/data to /var/lib/postgresql, and an in-place pg_upgrade --link runs on first start. Back up the database first, and apply the path change on existing deployments \u2014 green here does not mean no-op for operators.", "links": [{"text": "n8n PR #4 (build 162)", "url": "https://git.autonomic.zone/recipe-maintainers/n8n/pulls/4"}]}, {"title": "ghost \u2014 already resolved since the run", "body": "Ghost now has no open PR. The operator merged the backup-fix PR (#1, which landed Ghost at 6.42.0-alpine and added a proper mysql restore hook) and closed the 6.43.1 PR (#3). 
Net effect: the data-loss-on-restore bug is fixed, but Ghost sits one patch behind the 6.43.1 the upgrader had proposed \u2014 a future run can re-offer that bump.", "links": [{"text": "merged PR #1", "url": "https://git.autonomic.zone/recipe-maintainers/ghost/pulls/1"}]}], "routine": [{"title": "Clean dependency bumps", "body": "keycloak 10.7.1 \u2192 10.8.0 (MariaDB 12.2 \u2192 12.3, app unchanged) and lasuite-docs 0.3.3 \u2192 0.3.4 (redis 8.8) are routine, no-operator-action bumps \u2014 both green. lasuite-meet also carries its meet v1.17.0 app upgrade with no required config changes.", "links": []}, {"title": "Skipped \u2014 already current", "body": "bluesky-pds, mumble, and lasuite-drive are up-to-date (drive's collabora/minio/onlyoffice tags are unparseable to abra, but its core images are at latest).", "links": []}, {"title": "immich \u2014 blocked by an abra tooling limit", "body": "immich was skipped: abra cannot parse its tag-plus-digest image references (e.g. ghcr.io/immich-app/postgres:14-vectorchord\u2026@sha256:\u2026), so the survey can't compute an upgrade. An explanatory comment was left on its open PR #1. This is a tooling gap, not a recipe fault.", "links": [{"text": "immich PR #1", "url": "https://git.autonomic.zone/recipe-maintainers/immich/pulls/1"}]}, {"title": "Infrastructure footnote", "body": "Eight recipes initially failed the survey with an abra go-git auth error (credentials must be embedded in the git origin URL, not via .netrc); all were recovered before the run completed. No fleet impact.", "links": []}], "table": [{"recipe": "cryptpad", "change": "0.5.4+v2026.2.0 \u2192 0.5.5+v2026.2.0", "status": "GREEN", "ci": "build 154 \u2713", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/154", "pr": "#4", "pr_url": "https://git.autonomic.zone/recipe-maintainers/cryptpad/pulls/4", "notes": "nginx 1.29 \u2192 1.31 (CVE batch). 
Ready to merge."}, {"recipe": "custom-html", "change": "1.11.0+1.29.0 \u2192 1.13.0+1.31.1", "status": "GREEN", "ci": "build 163 \u2713", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/163", "pr": "#1", "pr_url": "https://git.autonomic.zone/recipe-maintainers/custom-html/pulls/1", "notes": "nginx 1.31.1 CVEs + alpine/git v2.52.0. Ready to merge."}, {"recipe": "custom-html-tiny", "change": "1.0.1+2.38.0 \u2192 1.1.0+2.42.0", "status": "GREEN", "ci": "build 164 \u2713", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/164", "pr": "#6", "pr_url": "https://git.autonomic.zone/recipe-maintainers/custom-html-tiny/pulls/6", "notes": "static-web-server 2.42 (Basic-Auth timing CVE)."}, {"recipe": "discourse", "change": "0.7.0+3.3.1 \u2192 0.8.0+3.5.0", "status": "GREEN", "ci": "build 179 \u2713", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/179", "pr": "#2", "pr_url": "https://git.autonomic.zone/recipe-maintainers/discourse/pulls/2", "notes": "Now green \u2014 stale test cleared. pg13\u219216, backup fix, bitnami\u2192bitnamilegacy (archived mirror)."}, {"recipe": "ghost", "change": "1.2.0+6.21.2-alpine \u2192 1.3.0+6.42.0-alpine", "status": "UPTODATE", "ci": "merged", "pr": "#1", "pr_url": "https://git.autonomic.zone/recipe-maintainers/ghost/pulls/1", "notes": "Resolved by operator: #1 merged (backup fix, 6.42.0); 6.43.1 PR #3 closed."}, {"recipe": "keycloak", "change": "10.7.1+26.6.2 \u2192 10.8.0+26.6.2", "status": "GREEN", "ci": "build 155 \u2713", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/155", "pr": "#2", "pr_url": "https://git.autonomic.zone/recipe-maintainers/keycloak/pulls/2", "notes": "MariaDB 12.2 \u2192 12.3. 
Clean."}, {"recipe": "lasuite-docs", "change": "0.3.3+v5.1.0 \u2192 0.3.4+v5.1.0", "status": "GREEN", "ci": "build 169 \u2713", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/169", "pr": "#4", "pr_url": "https://git.autonomic.zone/recipe-maintainers/lasuite-docs/pulls/4", "notes": "redis 8.6.3 \u2192 8.8.0 (CVEs). Clean."}, {"recipe": "lasuite-meet", "change": "0.3.0+v1.16.0 \u2192 0.3.0+v1.17.0", "status": "GREEN", "ci": "build 156 \u2713", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/156", "pr": "#3", "pr_url": "https://git.autonomic.zone/recipe-maintainers/lasuite-meet/pulls/3", "notes": "meet v1.17.0 + redis 8.8 (CVEs). Swagger routes now /api-prefixed."}, {"recipe": "mailu", "change": "3.0.1+2024.06.37 \u2192 3.0.1+2024.06.52", "status": "GREEN", "ci": "build 157 \u2713", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/157", "pr": "#1", "pr_url": "https://git.autonomic.zone/recipe-maintainers/mailu/pulls/1", "notes": "Roundcube CVE-2026-49217 + certdumper v2.11.2 + redis 8.8."}, {"recipe": "matrix-synapse", "change": "7.1.1+v1.149.1 \u2192 7.2.0+v1.153.0", "status": "STALE", "ci": "RED 158 \u00b7 upgrade-test", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/158", "pr": "#1", "pr_url": "https://git.autonomic.zone/recipe-maintainers/matrix-synapse/pulls/1", "notes": "Stale test_upgrade_preserves_data (pg17\u219218 ci_marker loss). Run --with-tests."}, {"recipe": "mattermost-lts", "change": "2.1.10+10.11.18 \u2192 2.2.0+10.11.19", "status": "FAILED", "ci": "RED 161 \u00b7 restore", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/161", "pr": "#2", "pr_url": "https://git.autonomic.zone/recipe-maintainers/mattermost-lts/pulls/2", "notes": "Pre-existing restore bug; see companion #1. 
ESR carries a medium-severity security patch."}, {"recipe": "n8n", "change": "3.2.0+2.20.6 \u2192 3.3.0+2.23.2", "status": "GREEN", "ci": "build 162 \u2713", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/162", "pr": "#4", "pr_url": "https://git.autonomic.zone/recipe-maintainers/n8n/pulls/4", "notes": "\u26a0 pg17\u219218: volume path /var/lib/postgresql/data \u2192 /var/lib/postgresql; back up first."}, {"recipe": "plausible", "change": "3.0.1+v2.0.0 \u2192 4.0.0+v2.1.5", "status": "FAILED", "ci": "RED 168 \u00b7 deploy", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/168", "pr": "#2", "pr_url": "https://git.autonomic.zone/recipe-maintainers/plausible/pulls/2", "notes": "GHCR move + pg13\u219216 + ClickHouse 24. ClickHouse fixed; deploy still fails (pg re-fetch). See #1."}, {"recipe": "uptime-kuma", "change": "3.0.0+2.2.1 \u2192 4.0.0+2.4.0", "status": "GREEN", "ci": "build 165 \u2713", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/165", "pr": "#2", "pr_url": "https://git.autonomic.zone/recipe-maintainers/uptime-kuma/pulls/2", "notes": "Authenticated RCE fix + MariaDB 11.8 \u2192 12.3 (back up first)."}, {"recipe": "bluesky-pds", "change": "\u2014", "status": "UPTODATE", "ci": "", "pr": "", "notes": "Up-to-date."}, {"recipe": "mumble", "change": "\u2014", "status": "UPTODATE", "ci": "", "pr": "", "notes": "Up-to-date."}, {"recipe": "lasuite-drive", "change": "\u2014", "status": "UPTODATE", "ci": "", "pr": "", "notes": "Up-to-date (some tags unparseable; core images at latest)."}, {"recipe": "immich", "change": "\u2014", "status": "SKIPPED", "ci": "", "pr": "#1", "pr_url": "https://git.autonomic.zone/recipe-maintainers/immich/pulls/1", "notes": "abra cannot parse tag+digest image pins; explanatory comment left on PR."}]} \ No newline at end of file diff --git a/cc-ci-plan/recipe-report.py b/cc-ci-plan/recipe-report.py index c6fd5a3..a2e4a0a 100755 --- a/cc-ci-plan/recipe-report.py 
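Review bot: The new `lead` contradicts the rest of the same spec: it says discourse, ghost, mattermost-lts and plausible "now carry two open PRs each", while the ghost entry under `needs_attention` states "Ghost now has no open PR" and the discourse row lists a single PR (#2); it also reports a stray smoke-test PR on bluesky-pds, yet that table row still has `"pr": ""` and `"notes": "Up-to-date."`. Since this file is the worked example the skill is written against, it should be internally consistent — either update the table and `needs_attention` entries to match the lead, or drop those claims from the lead. Separately, the file is now a single minified line with `\u2014`-style escapes and no trailing newline, which looks like a `json.dumps` round-trip without `indent=2, ensure_ascii=False`; re-indenting it would keep future diffs of the example reviewable.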
+++ b/cc-ci-plan/recipe-report.py @@ -21,7 +21,7 @@ SPEC SHAPE (the agent writes this JSON): "pr":"#4","pr_url":"…","notes":"…"}]} PUBLIC PAGE — include only public-safe data (no secrets/tokens/raw logs). """ -import base64, html, json, os, subprocess, sys, urllib.request +import base64, html, json, os, re, subprocess, sys, urllib.request from datetime import datetime, timezone LOGDIR = "/srv/cc-ci/.cc-ci-logs" @@ -121,6 +121,17 @@ def _esc(s): return html.escape(str(s or "")) +def _linkify_recipes(text, repo_url): + """Linkify whole-word recipe-name mentions to their mirror repo. ONE pass over the (already + HTML-escaped) text, longest names first so 'custom-html-tiny' wins over 'custom-html'; re.sub does + not re-scan inserted hrefs, so URLs that end in a recipe name aren't double-linked.""" + if not repo_url: + return text + names = sorted(repo_url, key=len, reverse=True) + pat = re.compile(r"(?{m.group(1)}', text) + + def _links(links): if not links: return "" @@ -172,8 +183,13 @@ def render(spec_path, out_path): gen = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M UTC") sub = s.get("subtitle", "Week of " + s["date"]) lead = s.get("lead", "") or "" + # Auto-link recipe-name mentions in the lead to their mirror repos. + gitea = _env().get("GITEA_URL", "git.autonomic.zone") + repo_url = {r["recipe"]: f"https://{gitea}/recipe-maintainers/{r['recipe']}" + for r in (s.get("table") or []) if r.get("recipe")} if lead and "
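Review bot: In `_linkify_recipes` the href value `repo_url[m.group(1)]` is interpolated into the `<a>` tag without going through `_esc`, even though the surrounding text has already been escaped; the URL is assembled from the spec's `recipe` field and `GITEA_URL`, so it is the only unescaped interpolation visible in this hunk on a page the module docstring describes as public output. Because the name must also match inside already-escaped text the exposure is narrow, but the attribute should still be escaped: `f'<a href="{_esc(repo_url[m.group(1)])}">{m.group(1)}</a>'` (the replacement line is garbled in this rendering, so its exact original text is inferred from the docstring). Also confirm that the alternation is built from `re.escape(name)` for each name — if it is not, a dot or plus in a recipe name widens the match — and that recipe names are restricted to a URL-path-safe character set where `repo_url` is built, which happens in the later hunk whose end lies outside this excerpt.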
" not in lead: - lead = "".join(f"
{_esc(p.strip())}
" for p in lead.split("\n\n") if p.strip()) + lead = "".join(f"{_linkify_recipes(_esc(p.strip()), repo_url)}
" + for p in lead.split("\n\n") if p.strip()) body = (_mast() + f'