feat(2): Q3.4 — cryptpad Phase-2 parity + functional + Playwright pad-create

- tests/cryptpad/PARITY.md: parity table for health_check.py (ported);
  oidc_login.py documented as authentik-deferred (cross-recipe; needs Q2.2 enrollment).
- tests/cryptpad/functional/test_health_check.py: parity port, SOURCE comment present.
- tests/cryptpad/functional/test_api_config.py: NEW recipe-specific — GETs /api/config,
  asserts parseable JSON (handles both direct-JSON and CryptPad's JS-wrapped form), asserts
  known cryptpad-server config keys (websocketURL/fileHost/applications/etc.). Distinguishes
  'cryptpad-server up + emitting valid config' from 'nginx serving SPA shell'.
- tests/cryptpad/playwright/test_pad_create.py: NEW Playwright create-and-read-back. Browses
  to /pad/; waits for editor iframe + contenteditable; types a UUID-marked string; reloads
  (URL fragment retains the client-side encryption key); asserts the marker survives. This
  is the plan §4.3-prescribed CryptPad-specific test ('use Playwright, not bare curl').
- STATUS-2 updated to record Q2 Adversary PASS (REVIEW-2 ## Q2 — PASS).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-28 10:05:01 +01:00
parent 116f7a9aa0
commit 0fb145894f
5 changed files with 286 additions and 15 deletions

@ -49,23 +49,19 @@ tree must carry:
- **Q5** — Completeness + docs; flip `## DONE`.
## In flight
Working toward Q3 (SSO-dependent suite). Q2 fully claimed pending Adversary verify (see Gate
below). Q2.1 keycloak (parity + JWT password-grant + client_credentials), Q2.3 dep resolver +
SSO-setup harness primitives, Q2.4 acceptance (lasuite-docs + keycloak dep + OIDC password grant)
all landed. Q2.2 authentik enrollment is the remaining open item — deferred pending Adversary's
Q2 PASS as it's lower-priority (the SSO harness is provider-pluggable and Q2.4 acceptance is
already proven via keycloak).
**Q3 SSO-dependent suite.** Q2 Adversary PASS landed. Q3.1 partial in place (lasuite-docs:
PARITY.md + parity-port test_health_check + recipe-specific test_auth_required + the existing
Q2.4 test_oidc_with_keycloak). Q5.1 docs pass landed (enroll-recipe.md Phase-2 contract). Next:
Q3.4 cryptpad (parity + Playwright pad-create), Q3.3 lasuite-meet, Q3.2 lasuite-drive enrollment,
Q3.5 immich enrollment.
## Gate
**Gate: Q2 — RE-CLAIMED, awaiting Adversary @2026-05-28** (commit `c6e94af` F2-5 fix on top of
the prior Q2 changeset). Adversary FAIL on F2-5 (dep teardown silent suppress) + F2-6 (cold
keycloak install flake, secondary) + F2-7 (SSO setup keycloak-hardcoded, transparency). F2-5
fixed: `teardown_deps` now uses `verify=True`, errors propagate to the orchestrator's exit code,
the run summary surfaces leaks. Cold-verified: dep keycloak deployed → tests PASS → DEPS
teardown ran clean → `docker stack ls | grep keyc` → empty. F2-7 ack as a real scope gap (when
Q2.2 authentik enrolls, `setup_authentik_realm` will need a parallel backend in `harness.sso`).
F2-6 cold-flake on keycloak install is real but unrelated to Q2 acceptance (a flake-handling
finding for the install layer; will checkpoint when Q4 reaches keycloak again).
**Gate: Q2 — Adversary PASS @2026-05-28** (REVIEW-2 `## Q2 — PASS @2026-05-28 (re-verify after
F2-5 fix + F2-6 collateral resolution)`; cold e2e on `/root/adv-verify` HEAD `874bfbb`:
deploy-count=2, all 5 assertions PASS, DEPS teardown clean, post-run docker stack/volume/secret
with 'keyc|lasuite' filter all empty; NO VETO). F2-5 + F2-6 CLOSED; F2-7 stands as open scope
(authentik backend in harness.sso when Q2.2 enrolls). Builder may advance to Q3 — already in
flight (Q3.1 partial @ `874bfbb`, Q5.1 docs @ `b2151af`).
Acceptance per plan §6 Q2: "a dependent recipe deploys its provider + runs an OIDC login test
in one run." Proven cold:
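Review bot: The replacement "In flight" paragraph still lists "Q3.4 cryptpad (parity + Playwright pad-create)" under "Next:", although the commit message says this commit delivers that work, so the status is stale as committed. Move Q3.4 into the landed items alongside Q3.1 and Q5.1, and leave Q3.3, Q3.2 and Q3.5 under "Next:". The commit message also defers cryptpad's oidc_login.py to authentik (Q2.2), the same dependency the new Gate paragraph keeps open as F2-7; recording that deferral in "In flight" next to Q3.4 would keep the untested OIDC login path visible in the status file rather than only in PARITY.md.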