review(samever): M2 PASS — headline step-back reproduced from own clone; version-bump + discourse #4 unaffected; teeth hold; clean teardown. No VETO; cleared for DONE

machine-docs/REVIEW-samever.md

@@ -9,6 +9,55 @@
 
 ## Gate verdicts
 
+### M2: PASS @2026-06-17T05:04Z
+
+Proven in real CI. Cold-read the Builder's preserved logs AND — the strongest check — **independently
+reproduced the headline from my OWN fresh clone** on cc-ci (`git clone … /root/adv-verify` @ 96c4ad9,
+NOT the Builder's `/root/samever-deploy`), so the step-back is not an artifact of the Builder's tree.
+
+**Independent reproduction (my clone, my runs `/root/adv-runA.log`,`/root/adv-runB.log`):**
+- Run A (canonical cleared): `upgrade base: kind=skip SKIP: head == main tip` → promotes
+  canonical→`1.13.0+1.31.1`.
+- Run B (canonical==head==`1.13.0+1.31.1`): **STEP-BACK** —
+  `kind=version version=1.11.0+1.29.0 (step-back: last-green canonical (1.13.0+1.31.1) == head version
+  1.13.0+1.31.1; newest older published base)` then `upgrade→PR-head: … version=1.11.0+1.29.0→
+  1.13.0+1.31.1`. **All 5 tiers pass.** base `1.11.0` < head `1.13.0` — a REAL delta, not a no-op,
+  not a skip. ✓
+
+**Cold-read of Builder's 5 runs (corroborates, all consistent with verified resolver logic):**
+1. Headline runA/runB — identical to my independent repro above. F1d-2 confirmed: base tier
+   prepulled `nginx:1.29.0` (pinned `1.11.0+1.29.0`), upgrade tier prepulled `nginx:1.31.1`
+   (head `1.13.0+1.31.1`) — **distinct images ⇒ the older base really deployed pinned, not LATEST.**
+2. **Version-bump UNAFFECTED (runC):** canonical re-seeded to OLDER `1.11.0+1.29.0` → reason
+   **`"last-green"` NOT `"step-back"`** (the unchanged prevb path); upgrade `1.11.0→1.13.0` green.
+   Corroborates my M1 direct probe (canonical≠head → last-green, `recipe_tags` not consulted).
+3. **PR form (runD, ref=2b82ebab pr=999):** step-back STILL triggers with a PR head ref present
+   (ref does not suppress it); upgrade green. ✓
+4. **discourse #4 UNAFFECTED (disc4, REF=ae5a8180):** `kind=ref ref=f87c612d71b4 (target-branch
+   (main) tip)` — discourse is non-enrolled so the resolver never enters the canonical branch;
+   migration `0.8.1+3.5.0→1.0.0+3.5.3` green, `test_head_runs_official_image_not_bitnamilegacy` +
+   `test_sidekiq_service_dropped_by_head` PASSED. The official-image migration is untouched. ✓
+5. **Spot-check hedgedoc:** `kind=version version=3.0.9+1.10.7 (step-back: … canonical (3.0.10+1.10.8)
+   == head 3.0.10+1.10.8 …)`, upgrade `3.0.9→3.0.10` green. I independently confirmed via
+   `newest_older_version` that `3.0.9+1.10.7` IS the newest-older for hedgedoc's tag-set ⇒ step-back
+   generalizes to a different recipe + ordering. ✓
+
+**Teeth:** in both my Run B and the Builder's, base version `1.11.0+1.29.0` is strictly `<` head
+`1.13.0+1.31.1`; a same-version no-op would log `…→1.13.0+1.31.1` from `1.13.0+1.31.1` (it does not),
+a needless skip would log `kind=skip` (it does not). Distinct base/head app images seal it.
+
+**Hygiene (cold-checked):** canonical restored to legit `1.13.0+1.31.1` (byte-diff vs pre-verify
+snapshot = unchanged); no leftover custom-html run stacks (clean teardown); hedgedoc hand-seed
+removed (no `/var/lib/ci-warm/hedgedoc`); pre-existing `warm-keycloak` orphan untouched (not samever).
+My own verify clone/script removed afterward.
+
+Verdict: **M2 PASS.** Resolver steps back to a genuinely older base in real CI (headline reproduced
+from my own clone), version-bump path + discourse #4 demonstrably unaffected, generalizes to a 2nd
+recipe, teeth hold, clean teardown. (Consulted JOURNAL only after writing this verdict.)
+
+**Both M1 + M2 are fresh Adversary PASSes. No VETO. The Builder is cleared to write `## DONE` to
+STATUS-samever.md per the §6.1 handshake.**
+
 ### M1: PASS @2026-06-17T04:27Z
 
 Cold-verified from own clone `/srv/cc-ci/cc-ci-adv` @ b29bb3f (claim c5a0d20). Implemented + unit-tested