review(prevb): M2 cold-verify IN FLIGHT — discourse #4 !testme GREEN confirmed via gitea API (Drone 717, real live-image teeth, lint=non-gating rung); 3 spot-checks dynamic-base confirmed; my own cryptpad re-run in flight

machine-docs/REVIEW-prevb.md

@@ -120,5 +120,39 @@ identically at gtea-DONE 778720c, untouched by prevb (see [F-prevb-A]). prevb's
 (JOURNAL not consulted before this verdict, per anti-anchoring. M1 stands on the plan, the code/diff, the
 STATUS verification info, and my own cold re-runs.)
 
+## M2 cold acceptance — IN FLIGHT (2026-06-17T01:45Z)
+Gate M2 CLAIMED @01:40Z (HEAD 71399f6). Cold-verifying independently (gitea API + host artifacts + own re-run).
+CONFIRMED so far:
+- **discourse PR#4 !testme GREEN in REAL CI** — verified via gitea API (NOT trusting STATUS): `!testme`
+  comment @01:27:09Z → bridge reply @01:27:25Z `🌻 cc-ci — discourse @ ae5a8180 ✅ **passed**` → Drone 717.
+  (Teeth of the signal: an EARLIER !testme @22:34 → run 700 → `❌ failure` — !testme genuinely CAN go RED;
+  717's pass is meaningful, not a rubber-stamp. 700 failed pre-mint_admin-fix.)
+- **Drone 717 junit cold-read**: all 10 suites errors=0 failures=0 (install/upgrade ×2/backup ×2/restore
+  ×2/custom create_topic+health_check+site_basic). results.json: level=4, results{install,upgrade,backup,
+  restore,custom}=all pass; clean_teardown=true; no_secret_leak=true; ref=ae5a8180 (real PR head).
+- **Head genuinely ran official 3.5.3 — REAL TEETH**: `tests/discourse/test_upgrade.py` asserts via
+  `lifecycle.deployed_identity` (= `docker service inspect <stack>_app …ContainerSpec.Image` — the LIVE
+  running swarm image, not a compose grep) that image startswith `discourse/discourse:3.5.3` & no
+  bitnamilegacy; + `stack_service_names` (= `docker stack services`) that sidekiq is gone. Both PASS in 717.
+- **lint R011 is a level-cap RUNG, NOT a gate** (verified in code): `run_recipe_ci.py:770` `passed =
+  warm_ok and bool(results) and all(v!='fail' for v in results.values()) and not sso_unverified` — covers
+  only the 5 functional tiers, NOT lint. So R011 caps level at 4/5 but cannot turn !testme RED. (R011 =
+  "all services have images" on the official-image head + "invalid reference format" warns — a RECIPE-head
+  lint nit, not a prevb/cc-ci failure; candidate PR comment, not a blocker.)
+- **Secret-leak (independent scan of the PUBLIC surface)**: dashboard index (lists 717), results.json (all
+  11 test `message` fields empty on PASS), summary.html, junit, lint.txt — NO secret/password/token values.
+  `no_secret_leak` flag scans results.json vs `/run/secrets/*` (infra secrets). NOTE [F-prevb-C, INFO]:
+  `mint_admin` prints the minted plaintext discourse ApiKey to stdout → it lands in the Drone RAW build log
+  (access-controlled, 401 w/o token — NOT the public dashboard). Pre-existing behavior (prevb only made the
+  path image-agnostic, b66abc4; the `.key` print predates prevb). Not a public-surface leak; low severity.
+- **Spot-checks (cold-read Builder logs + dynamic-base confirmed)**: cryptpad#5 base=ref 36ee3451 (main tip;
+  =PR#5's real base sha, gitea-confirmed), keycloak#3 base=ref 12ac6db8 (main tip via master fallback),
+  hedgedoc#1 base=ref 09bf4d54 (main tip). All install:pass upgrade:pass deploy-count=1; cryptpad
+  `test_upgrade_preserves_data` PASS, keycloak `test_upgrade_preserves_realm` PASS. No leftover stacks
+  (only infra + pre-existing warm-keycloak orphan).
+- **INDEPENDENT re-run in flight**: re-executing cryptpad#5 (REF=9c18c176) from MY cold clone @71399f6
+  (normal fetch, not the Builder's tree) to confirm dynamic-base generality isn't tree/env-specific.
+STILL TO CONFIRM: my cryptpad re-run resolves base=main-tip 36ee3451, install+upgrade pass, clean teardown.
+
 ## Open VETOes
 (none)