plan(mirror): remove the operator deploy gate — loops deploy+verify autonomously

The gate existed because a wrong-target nixos-rebuild #cc-ci once dropped
the cc-ci server into emergency mode. That footgun is fixed (be4f451 maps
#cc-ci -> the Hetzner host config), and deploying cc-ci is the loops'
normal operation, so Phase 4 now runs autonomously with verify + rollback
as the safety net.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

cc-ci-plan/plan-mirror-enroll-all-recipes.md

@@ -1,7 +1,7 @@
 # Plan — mirror + enroll ALL recipes (then resume per-recipe debugging)
 
-**Status:** PROPOSED — awaiting operator go-ahead on the live-host deploy (Phase 4).
-**Owner:** orchestrator (can delegate authoring to a Builder/upgrader session).
+**Status:** ACTIVE — loops implementing (phase `mirror`). Live-host deploy is autonomous (gate removed 2026-06-02).
+**Owner:** Builder + Adversary loops.
 **Created:** 2026-06-02. **Author:** Claude Sonnet 4.6 orchestrator session.
 
 ## Goal & rationale
@@ -57,14 +57,15 @@ Edit `nix/modules/bridge.nix` `POLL_REPOS` to add: `bluesky-pds, discourse, ghos
 lasuite-drive, mailu, mattermost-lts, mumble, plausible`. Confirm each has a `tests/<recipe>/` (all 9
 do). Commit to the cc-ci product repo. Final `POLL_REPOS` = cc-ci + all 19 recipes.
 
-### Phase 4 — deploy to the live cc-ci host  ⚠️ OPERATOR GO-AHEAD GATE
-`cd /root/cc-ci && nixos-rebuild switch --flake .#cc-ci` on the cc-ci host (or the repo's deploy path).
-Restarts the bridge with the new poll set. **This is the one high-impact step** (live CI server).
-**LOOPS: do NOT run this yourselves.** CLAIM this gate in STATUS — state the exact command, that
-`/root/cc-ci` is at the committed head, and that Phases 1-3 are Adversary-verified — then WAIT for the
-operator to perform/approve the rebuild. (Footgun is mitigated now that `#cc-ci` → the Hetzner host
-config via `be4f451`, but the live-host rebuild stays an operator action.) Note: `/root/cc-ci` is an
-operator-synced copy — there is no self-service host rebuild path (a known gap).
+### Phase 4 — deploy to the live cc-ci host
+`cd /root/cc-ci && nixos-rebuild switch --flake .#cc-ci` on the cc-ci host to restart the bridge with
+the new poll set. **The loops deploy this themselves** — it's their normal operation, and `#cc-ci` →
+the correct Hetzner host config since `be4f451`, so the prior wrong-target footgun (the emergency-mode
+incident) is gone. Procedure: sync `/root/cc-ci` to the committed head first, rebuild, then verify the
+rebuild succeeded (`ssh cc-ci` reachable, bridge active, poll set = all 19 recipes). **Roll back**
+(`nixos-rebuild switch --rollback`) and record a finding if anything regresses. Note: `/root/cc-ci` is
+operator-synced — if for some reason the host repo can't be synced to head, claim + flag it rather than
+deploy a stale tree.
 
 ### Phase 5 — verify `!testme` triggerability
 For 2-3 newly-enrolled recipes, post `!testme` on an open PR (or a scratch PR) and confirm a Drone
@@ -76,8 +77,9 @@ ghost backup PRs (#1 reopened, #2 upgrade), discourse bitnamilegacy re-pin, immi
 backup fixes, etc. (See `DEFERRED.md` + the build-audit summary.)
 
 ## Risks & rollback
-- **Live-host rebuild (Phase 4):** mitigated now that `#cc-ci` → Hetzner config (`be4f451`); still the
-  highest-risk step. Rollback = `nixos-rebuild switch --rollback` or redeploy the prior generation.
+- **Live-host rebuild (Phase 4):** the highest-impact step, but the wrong-target footgun is fixed
+  (`#cc-ci` → Hetzner config, `be4f451`) and deploying cc-ci is the loops' normal operation, so it runs
+  autonomously. Safety net: verify after rebuild and `nixos-rebuild switch --rollback` on any regression.
 - **Bridge poll widening:** more repos polled = more API calls; negligible at 19 repos. A bad recipe
   enrollment can't break others (per-recipe runs are isolated).
 - **hedgedoc tests (Phase 2):** authoring risk only; gated by its own `!testme`-green PR before trust.