review(M2-nixenv): PASS — live parity cold-verified on cc-ci (claim f7b6f26, deploy d11f8f5). Deploy byte-identical to M1 build; host healthy post-sweep (systemctl --failed empty, timer+services active, endpoints 200, no orphan test stacks, live cc-ci-run=zxlx9jn). gitea test_lfs_roundtrip GREEN under BOTH real timer fire (git-lfs from runtimeInputs; unit PATH has no git-lfs) AND Drone #871 (cc-ci-run runner/run_recipe_ci.py). No regression: ZERO missing-tool signatures across whole sweep; SKIPs/promotes correct; gitea promote-fail (warm-gitea already deployed) + discourse/mattermost reds (image-assertion / postgres relation, docker resolved) all proven pre-existing — identical in OLD-env pre-deploy fires, runner/ unchanged since canon f94de22. No defects, no VETO. M1+M2 fresh PASS → DONE cleared.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

machine-docs/REVIEW-nixenv.md

@@ -3,7 +3,66 @@
 Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase-nixenv-shared-runtime-env.md`
 SSOT for verification. Verdicts below; cold-runs only.
 
-Status: **M1 PASS** @ 2026-06-17T17:40Z (claim `8b8fc1f`). M2 gated behind, not yet claimed.
+Status: **M1 PASS** @ 17:40Z (`8b8fc1f`) + **M2 PASS** @ 18:20Z (`f7b6f26`). Both milestones fresh
+Adversary PASS, no VETO → Builder cleared to write `## DONE`.
+
+---
+
+## M2 — PASS @ 2026-06-17T18:20Z — claim `f7b6f26` (deployed `/etc/cc-ci`@d11f8f5 = M1-reviewed tree)
+
+**Deploy + live parity proven — cold-verified.** Verdict from the plan (SSOT), the code, the claim's
+verification info, and my OWN live re-runs (Drone API, journald, host probes). JOURNAL-nixenv.md NOT
+read before this verdict (anti-anchoring preserved).
+
+**(1) Deploy clean + host healthy (re-verified live post-sweep @18:16–18:18Z).**
+- Deployed system `dhmpm232r6m0sq3s7y5r5jpyv5kxgzwi-nixos-system-…` BYTE-IDENTICAL to my M1 build.
+- `systemctl --failed` EMPTY; `nightly-sweep.timer` active+enabled; drone-runner-exec / deploy-proxy /
+  warm-keycloak / swarm-init all active; `nightly-sweep.service` finished Result=success
+  ExecMainStatus=0. drone `/healthz`→200, `ci.commoninternet.net`→200.
+- Live `cc-ci-run` = `zxlx9jnylh7la5m48bsqb1wfm5l9r0bd` (M1-reviewed path). git-lfs/openssl/script/bash
+  resolve on host PATH AND inside cc-ci-run (git-lfs→`33ikv…-git-lfs-3.6.1`, openssl→`48p8b…-openssl-3.3.3`
+  from runtimeInputs, NOT host PATH). openssl was MISSING on this host pre-deploy.
+- NO orphan ephemeral test stacks left by the sweep (no `gite-/matt-/disc-` per-run stacks); only the
+  expected warm canonicals (bluesky-pds, gitea, keycloak) remain — clean teardown.
+
+**(2) Live LFS parity — GREEN on BOTH paths (the DEFECT-3 witness).**
+- **Real timer fire:** `systemctl start nightly-sweep.service` @17:35:38Z; gitea RUN-eligible
+  (canonical 3.5.3 < tag 3.6.0) → `tests/gitea/custom/test_lfs_roundtrip.py::test_lfs_roundtrip
+  PASSED` @17:57:54Z (+ install/upgrade/backup/restore all PASS). The systemd unit PATH carries NO
+  git-lfs and NO /run/current-system/sw/bin, so git-lfs MUST have resolved from cc-ci-run's
+  runtimeInputs — exactly the old DEFECT-3 condition, now satisfied by the shared env.
+- **Drone path:** independently inspected build **#871** via Drone API (status=success): stage
+  recipe-ci → step `ci` runs `cc-ci-run runner/run_recipe_ci.py` (`.drone.yml:83`). Log shows LFS
+  RAN not skipped: `test_lfs_roundtrip PASSED`; RUN SUMMARY install/upgrade/backup/restore/custom all
+  pass, level=5 of 5.
+- Both paths exec the SAME `zxlx9jn` cc-ci-run ⇒ git-lfs resolves identically. DEFECT-3 class
+  structurally eliminated, demonstrated live.
+
+**(3) No regression — sweep SKIPs/promotes correct; the 3 non-green results ALL pre-existing.**
+- **Regression canary:** scanned the ENTIRE post-deploy sweep journal for missing-tool signatures
+  (`command not found` / `not found` / `executable file not found` / `No such file`) → **ZERO**.
+  Nothing got dropped from the env (consistent with the M1 superset proof). No recipe went GREEN→RED.
+- SKIPs all correct (cryptpad/ghost/drone/hedgedoc/immich/lasuite-*/mailu/matrix-synapse/n8n/
+  plausible/uptime-kuma — no-new-version); promotes correct (custom-html, mumble).
+- **gitea GREEN-BUT-PROMOTE-FAILED**: tests green; WC5 promote `abra app deploy warm-gitea… -o -n`
+  fails `FATA … is already deployed` — abra idempotency on the persistent warm canonical (warm-gitea
+  confirmed still up). canonical.json unchanged (3.5.3, ts 08:39Z). Promote path = `nightly_sweep.py`
+  @canon f94de22, UNCHANGED by nixenv (diff dd6712c..d11f8f5 is nix/+machine-docs only, zero
+  runner/tests) → behaviour identical to canon by construction.
+- **discourse rc=1 / mattermost-lts rc=1**: recipe-level reds, env-independent —
+  discourse `test_head_runs_official_image_not_bitnamilegacy` + `test_sidekiq_service_dropped_by_head`
+  (HEAD-image/service assertions); mattermost `test_restore_returns_state` → `docker exec … postgres …
+  relation "ci_marker" does not exist` (docker RESOLVED and ran — a restore-data failure, not a
+  missing tool). **Corroborated pre-existing:** the SAME reds occur in BOTH OLD-env pre-deploy fires
+  today (PID 2149231@14:xx, PID 2248547@15:xx) — mattermost byte-identical postgres error; discourse
+  red in all fires (never green). Not caused by the env change.
+
+**No defects, no VETO.** M2 DoD fully met live. The harness runtime env is single-sourced and proven
+identical across the Drone runner, the timer sweep, and host systemPackages, with git-lfs/openssl now
+guaranteed from one declaration — the DEFECT-3 divergence class is structurally impossible.
+
+**M1 + M2 fresh Adversary PASS → DONE is cleared.** (Consulted JOURNAL-nixenv.md? No — verdict stands
+on plan + code + my own live re-runs.)
 
 ---