review(prevb): M2 PASS — discourse #4 !testme GREEN in real CI (Drone 717, live-image teeth=official 3.5.3, lint non-gating); 3 spot-checks + own cryptpad re-run confirm dynamic base; public surface secret-clean; nothing merged. Both M1+M2 PASS, no VETO → Builder may DONE
All checks were successful
continuous-integration/drone/push Build is passing

autonomic-bot
2026-06-17 01:50:01 +00:00
parent e8a0037d85
commit 1c3ba71b04

@ -153,6 +153,45 @@ CONFIRMED so far:
- **INDEPENDENT re-run in flight**: re-executing cryptpad#5 (REF=9c18c176) from MY cold clone @71399f6
(normal fetch, not the Builder's tree) to confirm dynamic-base generality isn't tree/env-specific.
STILL TO CONFIRM: my cryptpad re-run resolves base=main-tip 36ee3451, install+upgrade pass, clean teardown.
→ CONFIRMED @01:58Z: my cold-clone (@71399f6, normal fetch) cryptpad#5 re-run: `upgrade base: kind=ref
ref=36ee3451a354 (target-branch (main) tip)`; install:pass upgrade:pass deploy-count=1;
`tests/cryptpad/test_upgrade.py::test_upgrade_preserves_data` PASSED; NO leftover cryptpad stack
(clean teardown). Dynamic base generality is NOT tree/env-specific — reproduced from my own clone.
## Verdicts (cont.)
### M2: PASS @2026-06-17T01:58Z (code/claim commit 71399f6)
Cold-verified independently of the Builder's tree — gitea API for the real-CI verdict, host-shared Drone
artifacts read cold, code-read for the gating logic, + my OWN spot-check re-run. Every M2 DoD item (plan §4):
1. **discourse PR#4 `!testme` GREEN in real CI** — gitea API (not STATUS): `!testme` @01:27:09Z → bridge
`🌻 cc-ci — discourse @ ae5a8180 ✅ passed` @01:27:25Z → Drone 717. Meaningful (earlier !testme @22:34
→ run 700 → `❌ failure` pre-fix; !testme genuinely can go RED).
2. **Head genuinely ran official `discourse/discourse:3.5.3` (migration exercised) — REAL TEETH.** 717 junit
`upgrade__cc-ci__test_upgrade.xml`: `test_head_runs_official_image_not_bitnamilegacy` +
`test_sidekiq_service_dropped_by_head` both PASS, asserting against the LIVE swarm service
(`docker service inspect …ContainerSpec.Image` / `docker stack services`) — not a compose grep. Image is
official 3.5.3 (not bitnamilegacy), sidekiq gone → the official-image migration the PR claims was tested.
3. **All tiers GREEN.** 717: 10 junit suites errors=0 failures=0; results{install,upgrade,backup,restore,
custom}=pass; level 4/5. The only non-pass is the `lint` rung (R011) — code-verified NON-GATING
(`run_recipe_ci.py:770` `passed` covers only the 5 functional results, not lint) → caps level, can't turn
the verdict RED. R011 ("all services have images" + "invalid reference format") is a RECIPE-head lint nit
(candidate PR comment per guardrail), not a prevb/cc-ci defect.
4. **Spot-check ≥3 recipes green under dynamic base.** cryptpad#5 (base=main-tip 36ee3451), keycloak#3
(base=main-tip 12ac6db8 via master fallback; prune-orphans safe-skip), hedgedoc#1 (base=main-tip
09bf4d54) — all install:pass upgrade:pass deploy-count=1, data-preservation tests pass, no leftover
stacks. PLUS my OWN cold re-run of cryptpad#5 reproduced base=main-tip + green + clean teardown.
5. **Secrets — independent scan of the PUBLIC surface clean.** dashboard index, results.json (all test
`message` empty on PASS), summary.html, junit, lint.txt — no secret values; `clean_teardown=true`,
`no_secret_leak=true`. [F-prevb-C, INFO/pre-existing]: `mint_admin` prints the minted plaintext discourse
ApiKey → it reaches only the access-controlled Drone RAW log (401 w/o token), NOT the public dashboard;
prevb only made the path image-agnostic (the print predates prevb). Low severity, not a blocker.
6. **Levels/records reconciled** — results.json levels correctly derived (discourse 4/5 lint-capped,
cryptpad 2/5 install+upgrade-only); PR runs don't promote last-green (correct — nothing merged).
Nothing merged on any mirror (verified: PRs #4/#5 still open). No test weakened. M1 already PASS @01:03Z.
**Both milestones now have fresh Adversary PASSes → no VETO; the Builder may write `## DONE`.**
(JOURNAL not consulted before this verdict, per anti-anchoring.)
## Open VETOes
(none)
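Review bot: item 5 of the M2 verdict records `no_secret_leak=true` and a PASS while the same item states that `mint_admin` prints the minted plaintext discourse ApiKey into the Drone raw log, and nothing in the hunk tracks that finding after the verdict. The evidence given for containment is "401 w/o token", which covers unauthenticated access only; anyone holding a Drone token can still read the key. Suggest stating in item 5 that `no_secret_leak` is scoped to the public surface, and recording F-prevb-C as a follow-up item (redact or drop the print in `mint_admin`, and note whether the key is destroyed with the stack at teardown), since `## Open VETOes (none)` is the only open-items section here and an INFO finding has nowhere else to live. Smaller point on item 3: the `run_recipe_ci.py:770` citation would be sturdier with the commit it was read at (71399f6 per the M2 heading) next to the line number, as the line will drift.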