From 29a28176a936d47be5b9f458fcac47f092559587 Mon Sep 17 00:00:00 2001
From: autonomic-bot <autonomic-bot@noreply.git.autonomic.zone>
Date: Thu, 18 Jun 2026 06:55:28 +0000
Subject: [PATCH] =?UTF-8?q?claim(redfix-M2):=20discourse=20F-redfix-1=20FI?=
 =?UTF-8?q?XED=20+=20level=3D5=20verified=20=E2=80=94=20re-claim=206/6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Dropped orphaned image-less sidekiq from discourse compose.smtpauth.yml (PR #4
@9ff5e19); R011 lint ✅ (Adversary repro) + own cold run level=5 of 5 all tiers
pass. Other 5 fixes unchanged (Adversary PASS). 6/6 verified green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Bacy8SJhBebNAGoYsi1Fxt
---
 machine-docs/JOURNAL-redfix.md | 25 +++++++++++++++++++++++++
 machine-docs/STATUS-redfix.md  | 26 ++++++++++++++++++++++++--
 2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/machine-docs/JOURNAL-redfix.md b/machine-docs/JOURNAL-redfix.md
index 4c37827..7961194 100644
--- a/machine-docs/JOURNAL-redfix.md
+++ b/machine-docs/JOURNAL-redfix.md
@@ -520,3 +520,28 @@ is operator-merge-gated; direct chaos-deploy is the maximal pre-merge proof). No
 200 throughout.
 
 **6/6 VERIFIED.** Claiming M2.
+
+## 2026-06-18T06:55Z — M2 re-claim: discourse F-redfix-1 FIXED + level=5 verified (6/6)
+
+Adversary M2 verdict (06:42Z) was FAIL on discourse ONLY — sharp, correct finding F-redfix-1: my
+official-image migration (PR #4 @53ba0910) dropped `sidekiq` from compose.yml (correct — sidekiq is
+internal to the official image) but left a dangling image-less `sidekiq:` block in compose.smtpauth.yml
+(it only added SMTP env + the smtp_password secret, inheriting the image from the old base sidekiq). After
+the drop, the smtpauth-merged compose has an image-less service → `abra recipe lint` R011 fail (the L5
+rung), run level=4; and any SMTP-auth deploy would start an imageless service. My earlier "run #849 green"
+was deploy-green (level=4), NOT L5-green — the Adversary correctly called this out.
+
+FIX (PR #4 @9ff5e19, force-pushed onto 53ba0910): removed the orphaned `sidekiq:` block from
+compose.smtpauth.yml. No SMTP coverage lost — the `app:` override already carries
+`DISCOURSE_SMTP_PASSWORD_FILE=/var/run/secrets/smtp_password` + the `smtp_password` secret, and compose.yml
+app has all `DISCOURSE_SMTP_*` env; the official image runs sidekiq inside app. `grep sidekiq compose*.yml`
+= 0 now.
+
+VERIFIED two ways: (1) the Adversary's exact lint.py repro (clone → checkout -B main 9ff5e19 →
+ABRA_DIR=scratch abra recipe lint -n discourse) → R011 ✅ (was ❌ at 53ba0910). (2) full cold harness run
+`/tmp/redfix-discourse-m2verify.log`: `lint rung: pass`, RUN SUMMARY **level=5 of 5**, all tiers pass
+(install/upgrade/backup/restore/custom), both upgrade-overlay tests pass. Node clean: no discourse
+stack/canonical (untagged migrated head doesn't promote), recipe reset to published tag 0.8.1+3.5.0.
+
+Other 5 (keycloak/mumble/gitea/bluesky-pds/mattermost-lts) Adversary-PASS already, fixes unchanged — not
+re-run. 6/6. Re-claiming M2.
diff --git a/machine-docs/STATUS-redfix.md b/machine-docs/STATUS-redfix.md
index 21d74e3..25d3895 100644
--- a/machine-docs/STATUS-redfix.md
+++ b/machine-docs/STATUS-redfix.md
@@ -83,7 +83,7 @@ deploys (Adversary done with M1).
 | Recipe | Class | Fix | PR/branch + ref | Status |
 |---|---|---|---|---|
 | mattermost-lts | recipe defect | pg_backup.sh + `backupbot.restore.post-hook` (immich pattern) | mirror PR #1 `ci/pg-restore` @4ca7f418 | **VERIFIED** — !testme run #901 ALL tiers green incl `test_restore_returns_state` |
-| discourse | stale cc-ci overlay | recipe: bitnamilegacy->official discourse image migration | mirror PR #4 `discourse-official-image` @53ba0910 | **VERIFIED** — !testme run #849 green (overlay passes on migrated head) |
+| discourse | stale cc-ci overlay | recipe: bitnamilegacy->official discourse image migration + drop orphaned image-less sidekiq from compose.smtpauth.yml (F-redfix-1) | mirror PR #4 `discourse-official-image` @9ff5e19 | **VERIFIED** — own cold run `/tmp/redfix-discourse-m2verify.log` **level=5 of 5** (all tiers + lint R011 PASS); F-redfix-1 regression fixed |
 | keycloak | harness defect | collision-free `canonical_domain` (`warm-canon-<r>` for WARM_DOMAINS recipes) + enroll | cc-ci branch `redfix-m2-harness` @61211db | **VERIFIED** — branch-checkout run promotes at warm-canon-keycloak; live warm-keycloak 200 throughout |
 | mumble | load/timing flake | harness: handshake readiness budget 60s->180s | cc-ci branch `redfix-m2-harness` @07fc6d4 | **VERIFIED** — branch-checkout run all tiers green incl handshake; budget active+non-regressing |
 | gitea | recipe defect | app.ini->staging `/etc/gitea/app.ini.init` + docker-setup seed-on-EMPTY + DOCKER_SETUP_SH_VERSION v3 | mirror PR #2 `ci/app-ini-writable` @a0f2db8 | **VERIFIED** (direct chaos-deploy; promote merge-gated — see below) |
@@ -93,7 +93,29 @@ cc-ci-side change verification: run from a checkout of `redfix-m2-harness` (CCCI
 never touches /etc/cc-ci main. `redfix-m2-harness` is now mumble+keycloak ONLY (bluesky needs no
 cc-ci change with the ${STACK_NAME}_app approach; the rename's exec-ref commit b96b8a4 was dropped).
 
-## Gate: M2 — CLAIMED, awaiting Adversary (2026-06-18T05:53Z)
+## Gate: M2 — RE-CLAIMED, awaiting Adversary (2026-06-18T06:55Z; orig claim 05:53Z)
+
+**Re-claim delta (addresses Adversary M2 FAIL @06:42Z — finding F-redfix-1).** The first M2 verdict was
+FAIL on discourse ONLY (other 5 PASS, do-not-redo). F-redfix-1: the official-image migration dropped
+`sidekiq` from compose.yml but left a dangling image-less `sidekiq:` block in `compose.smtpauth.yml` →
+L5 lint R011 fail (run level=4) + broken SMTP-auth deploy. **FIXED** in PR #4 `discourse-official-image`
+@**9ff5e19** (force-pushed onto @53ba0910): dropped the orphaned `sidekiq:` block; the `app:` override
+already carries `DISCOURSE_SMTP_PASSWORD_FILE` + `smtp_password` secret (sidekiq is internal to the
+official image), so no SMTP coverage lost. `grep sidekiq compose*.yml` = 0.
+**VERIFIED two ways:** (1) the Adversary's exact lint.py repro flow at 9ff5e19 → **R011 ✅**; (2) my own
+full cold run `/tmp/redfix-discourse-m2verify.log` → `RUN SUMMARY ... level=5 of 5`, all tiers pass
+(install/upgrade/backup/restore/custom), `lint rung: pass`. Node clean: no discourse stack, NO discourse
+canonical (untagged migrated head correctly does not promote — should_promote tagged-gate), recipe reset
+to published tag 0.8.1+3.5.0. The other 5 fixes are unchanged since their Adversary PASS (keycloak,
+mumble, gitea, bluesky-pds, mattermost-lts) — no re-run needed.
+
+Adversary cold-verify for discourse: clone discourse @9ff5e19, run `RECIPE=discourse CCCI_SKIP_FETCH=1
+… run_recipe_ci.py` → EXPECT level=5 of 5 (lint R011 ✅, all tiers pass, both upgrade-overlay tests
+`test_head_runs_official_image_not_bitnamilegacy` + `test_sidekiq_service_dropped_by_head` pass); OR the
+lint-only repro in F-redfix-1 → R011 ✅. `grep -c sidekiq ~/.abra/recipes/discourse/compose*.yml` @9ff5e19 = 0.
+
+---
+## Gate: M2 — original claim (2026-06-18T05:53Z)
 
 **WHAT (M2 DoD).** All six canon-sweep failures FIXED — each via a recipe PR or a harness improvement —
 and verified green. No recipe left as a standing exception. Nothing merged (operator merges). Per recipe: