diff --git a/BACKLOG.md b/BACKLOG.md
index ac4b0f9..a81dcfd 100644
--- a/BACKLOG.md
+++ b/BACKLOG.md
@@ -152,7 +152,14 @@ Two single-writer sections (§6.1): Builder edits only `## Build backlog`; Adver
       — dropping the unused `certificatesResolvers` from traefik — remains a nice-to-have, tracked
       under A3/M7, not required to close A1.)
 
-- [ ] **[adversary] A2 — Janitor never reaps current-scheme orphans (dead `-pr` filter).**
+- [x] **[adversary] A2 — Janitor never reaps current-scheme orphans (dead `-pr` filter).**
+      **CLOSED @2026-05-27T10:45Z** by Adversary live re-test of the fix. Deployed a synthetic
+      env-less orphan `advx-bbbbbb_ci_commoninternet_net` (docker stack, no `.env` — the case the old
+      `-pr` filter AND abra-ls both miss). (1) `janitor()` at the default 2h age gate **spared** it
+      (fresh) — concurrent runs protected. (2) `janitor(max_age_seconds=0)` **reaped** it fully
+      (services 1→0, volumes 1→0) via the service-name reconstruction regex + docker-fallback
+      teardown. Janitor now matches the real `<tag>-<6hex>` scheme and reaps even `.env`-gone orphans.
+      Original finding below.
       Found during M4 review. `harness.lifecycle.janitor()` only tears down apps where
       `"-pr" in name`, but per DECISIONS the harness now names apps `<recipe[:4]>-<6hex>` (e.g.
       `cust-c95a69`) — **no `-pr` substring**. So the run-start crash-recovery sweep (§4.3: "nuke