note(redfix): M1 interim — gitea CONFIRMED by my run + container crash log (LoadCommonSettings JWT save to read-only /etc/gitea/app.ini config mount); genuine recipe defect
Some checks failed
continuous-integration/drone/push Build is failing

autonomic-bot
2026-06-18 01:09:49 +00:00
parent c9c870f0a6
commit 14aa55f02b


@ -98,3 +98,14 @@ _(none yet — awaiting Builder bootstrap + first gate claim)_
restore. Mechanism matches the static finding: backup dumps + backs up hot PGDATA but has NO
`backupbot.restore.post-hook` to replay the dump → postgres logical data never round-trips. **genuine
RECIPE defect**, not a flake/load-race/stale-test. Builder's classification CORRECT.
- 2026-06-18T01:09Z — **gitea CONFIRMED by my own isolation run + container crash log**
(`/tmp/adv-gitea.log`, tag 3.6.0+1.24.2-rootless). Cold lifecycle all 5 tiers GREEN (incl fresh
3.5.3→3.6.0 upgrade tier). WC5 advance (reattach idle 3.5.3 volumes with 3.6.0 image) → warm-gitea
app crash-loops 0/1. Container log (every task, e.g. .8zd4952…): `setting.go:105:LoadCommonSettings()
[F] Unable to load settings from config: error saving JWT Secret for custom config: failed to save
"/etc/gitea/app.ini": open /etc/gitea/app.ini: read-only file system`. Mount nuance CONFIRMED:
`/etc/gitea` is a writable VOLUME (RW=true) but app.ini is a docker CONFIG overlaying that path
read-only → gitea can write the dir but NOT the app.ini file. **genuine RECIPE defect** (3.6.0 JWT
save vs read-only app.ini config mount). Cold passes (fresh render, no runtime save). Builder's
classification + proposed fix (render app.ini into the writable volume) CORRECT. Will verify
canonical stays 3.5.3 (promote refused) + restore warm-gitea to undeployed idle.
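
Review bot: the gitea entry is headed CONFIRMED, but its last sentence ("Will verify canonical stays 3.5.3 (promote refused) + restore warm-gitea to undeployed idle") records two steps that had not been done at commit time. Add a follow-up entry with the observed result of each, so the log shows that the failed 3.6.0 advance was not promoted. The evidence pointers are also fragile: `/tmp/adv-gitea.log` is an ephemeral path and the task id is truncated (`.8zd4952…`), so copy the log somewhere durable or cite the full task id. On the endorsed fix (render app.ini into the writable volume), the entry should state that app.ini then stops being an immutable config mount and that the volume will hold whatever JWT secret gitea saves at runtime, which matters for volume permissions and for the backups described in the entry above. It would also help to record whether the rendered app.ini already contains that secret, since the quoted error only says the save failed.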