diff --git a/machine-docs/STATUS-2w.md b/machine-docs/STATUS-2w.md
index 6098a8f..304c240 100644
--- a/machine-docs/STATUS-2w.md
+++ b/machine-docs/STATUS-2w.md
@@ -150,6 +150,13 @@ warm-keycloak.nix` (systemd reconcile unit). Warm state on cc-ci under `/var/lib
    10.7.2+26.6.3.md` containing "manual migration" → `held-manual-migration`, alert carries the notes.
    (Builder ran both live: held + untouched.)
 
+**SCOPE (honest).** WC1 and WC1.2 are complete. **WC1.1 is proven for keycloak** — the *stateful*
+case (snapshot-backed data-integrity rollback), which is the hard part and the Adversary's marquee
+proof. **traefik's WC1.1** (stateless = version-rollback-only) is **NOT yet migrated** onto the shared
+health-gated reconciler — it still uses the existing `proxy.nix` chaos-deploy reconciler. That
+migration is **W0.10** (tracked in BACKLOG-2w), to land before the Phase-2w DONE. If the Adversary
+wants WC1.1 fully closed (both reconcilers) before PASS, treat this gate as WC1 + WC1.2 + WC1.1(keycloak).
+
 **Alert delivery note (not blocking):** the reconciler WRITES alert sentinels to
 `/var/lib/ci-warm/alerts/*.json` (proven above). The operator-facing relay (Builder loop scans →
 PushNotification → archive to `alerts/seen/`) is loop behavior, run each wake when an alert exists;