claim(mirror): Ph1+Ph2+Ph3 complete — mirrors created, hedgedoc tests, 9 recipes enrolled

Phase 1: Create 3 missing Gitea mirrors (lasuite-drive, mailu, mumble) via API + force-sync
  upstream main (f4135d78, 23309a1a, 9fa5e949). All 3 return 200/empty=false from Gitea API.

Phase 2: Author tests/hedgedoc/ (uptime-kuma template) — recipe_meta.py, functional/
  test_health_check.py (GET / → 200/302), functional/test_branding.py (brand markers),
  PARITY.md. Generic tiers cover install/upgrade/backup baseline.

Phase 3: Enroll 9 unenrolled recipes in nix/modules/bridge.nix POLL_REPOS:
  bluesky-pds, discourse, ghost, immich, lasuite-drive, mailu, mattermost-lts, mumble, plausible.
  Final POLL_REPOS: 20 entries (cc-ci + 19 recipes).

Gate Ph4 CLAIMED: operator must run `nixos-rebuild switch --flake .#cc-ci` on cc-ci after
Adversary-verifies Ph1+Ph2+Ph3. See STATUS-mirror.md for exact repro.

tests/hedgedoc/PARITY.md

@@ -0,0 +1,37 @@
+# Parity — hedgedoc
+
+HedgeDoc (formerly CodiMD) is a collaborative real-time markdown editor. It is a single-service
+app backed by sqlite (default) or PostgreSQL, with a Node.js backend on port 3000.
+
+The upstream recipe-maintainer corpus (`recipe-info/hedgedoc/tests/`) does not exist, so this
+PARITY.md documents the cc-ci-authored suite as the baseline.
+
+## Recipe-specific tests (Phase mirror, ≥2 functional tests)
+
+HedgeDoc's defining behaviors:
+- Root path (`/`) responds 200 or 302 (redirect to `/login` or `/new` depending on auth config).
+- Served HTML contains HedgeDoc/CodiMD branding markers + bundled JS/CSS assets.
+
+| cc-ci file | what's verified | rationale |
+|---|---|---|
+| `tests/hedgedoc/functional/test_health_check.py` | `GET /` → 200 or 302 | Proves the app is up and routing through Traefik. A wedged HedgeDoc returns 5xx or no response. |
+| `tests/hedgedoc/functional/test_branding.py` | `GET /` HTML contains hedgedoc/codimd/hackmd markers OR bundle asset refs | Distinguishes "HedgeDoc is serving its own content" from "fallback page." A misrouted or empty backend lacks these markers. |
+
+## Backup data-integrity
+
+The default compose.yml includes `backupbot.backup=${ENABLE_BACKUPS:-true}`. HedgeDoc stores data
+in `codimd_database` (sqlite) and `codimd_uploads` volumes. The generic backup tier verifies a
+snapshot artifact is produced. Recipe-specific backup data-integrity overlay (ops.py +
+test_backup.py) is deferred; the generic tier suffices for initial enrollment.
+
+## Playwright
+
+Not yet authored. A Playwright flow would create an anonymous note, assert the content persists,
+and verify the collaborative editor loads. Deferred — the current functional tests plus the
+generic Playwright `assert_serving` pass the enrollment bar.
+
+## Deferred
+
+- Playwright note-creation + persistence flow
+- ops.py pre_backup/pre_restore with note content verification
+- PostgreSQL variant (`compose.postgresql.yml`) — current tests target sqlite (default)

tests/hedgedoc/functional/test_branding.py

@@ -0,0 +1,54 @@
+"""hedgedoc — branding probe: served HTML carries hedgedoc/codimd markers.
+
+Distinguishes "the HedgeDoc app is bound and serving its own content" from "a generic 200
+from a fallback page." A wedged backend or misconfigured proxy would lack these markers.
+"""
+
+from __future__ import annotations
+
+import os
+import ssl
+import sys
+import urllib.request
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
+from harness import http as harness_http  # noqa: E402
+
+
+_CTX = ssl.create_default_context()
+_CTX.check_hostname = False
+_CTX.verify_mode = ssl.CERT_NONE
+
+
+def _get_body(url: str) -> tuple[int, str]:
+    req = urllib.request.Request(url, method="GET")
+    with urllib.request.urlopen(req, timeout=15, context=_CTX) as r:
+        return r.status, r.read().decode(errors="replace")
+
+
+def test_hedgedoc_has_branding(live_app):
+    """GET /; assert HedgeDoc-specific brand/asset markers in served HTML."""
+    url = f"https://{live_app}/"
+
+    def _ready():
+        try:
+            status, body = _get_body(url)
+        except Exception:  # noqa: BLE001
+            return None
+        # 200 = full page; 302 = redirect (follow manually not needed — just the HTML response)
+        return body if status in (200, 302) else None
+
+    body = harness_http.assert_converges(_ready, f"GET {url}", max_wait=90, interval=5)
+    lower = body.lower()
+    # HedgeDoc brand markers: any of "hedgedoc", "codimd" (the older brand), or the app meta tag
+    brand_markers = ("hedgedoc", "codimd", "hackmd")
+    present_brand = [m for m in brand_markers if m in lower]
+
+    # SPA asset markers: CSS/JS bundles or the favicon that HedgeDoc serves
+    asset_markers = ("/assets/", "/vendor.", "favicon", "bundle.", ".js")
+    present_assets = [m for m in asset_markers if m in body]
+
+    assert present_brand or present_assets, (
+        f"GET {url} HTML contains none of {brand_markers} or {asset_markers}. "
+        f"Excerpt: {body[:300]!r}"
+    )

tests/hedgedoc/functional/test_health_check.py

@@ -0,0 +1,21 @@
+"""hedgedoc — health check: root path responds (200 or 302 to login/new).
+
+HedgeDoc may redirect / to /login or /new depending on auth config; either is healthy.
+"""
+
+from __future__ import annotations
+
+import os
+import sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
+from harness import http as harness_http  # noqa: E402
+
+
+def test_hedgedoc_root_serves(live_app):
+    """GET / → 200 or 302 (login/new redirect)."""
+    url = f"https://{live_app}/"
+    status, _ = harness_http.retry_http_get(
+        url, expect_status=(200, 302), max_wait=90, interval=5
+    )
+    assert status in (200, 302), f"GET {url} HTTP {status} (expected 200 or 302)"

tests/hedgedoc/recipe_meta.py

@@ -0,0 +1,6 @@
+# Per-recipe harness config for hedgedoc (Phase mirror — simple sqlite collaborative markdown editor).
+# HedgeDoc serves on port 3000 via Traefik. Root path returns 200 or redirects to /login or /new.
+HEALTH_PATH = "/"
+HEALTH_OK = (200, 302)
+DEPLOY_TIMEOUT = 600
+HTTP_TIMEOUT = 300