journal(2): Phase 2 RESUMED post-2w — foundation re-confirmed (72 unit + custom-html full e2e green), reference-corpus mapping, lasuite-drive e2e in flight

machine-docs/JOURNAL-2.md

@@ -589,3 +589,49 @@ Full e2e (real deploy with a forced setup_custom_tests failure → observe overa
 the Docker Hub rate limit lifts; the unit + cold-real-test proofs cover the predicate, the conftest
 signal on real files, and the count flow — only the sequential read→sum→predicate→overall wiring is
 unexercised by a live run, and it's straight-line code.
+
+---
+
+## 2026-05-29 — Phase 2 RESUMED after the 2w (warm-canonical) detour
+
+Builder loop resumed on Phase 2 (per-recipe test authoring). Phase 2w ran to DONE in the interim
+(warm-canonical/quick); the 2w changes (`runner/warm*.py`, `canonical.py`, `nightly_sweep.py`, WC5
+promote-on-green-cold wired into `run_recipe_ci.main()`) are merged on origin/main HEAD `7b5ed9c`.
+
+**Re-orientation done this tick:**
+- Adversary's last Phase-2 commit `7b5ed9c review(2)` is a cross-phase break-it probe (2w WC5
+  promotion × F2-11 SSO-skip): NO regression, no finding, NO VETO — F2-11 protection holds under
+  WC5 (promotion strictly gated on the fully-computed `overall`, which the F2-11 predicate flips to
+  1 before the promote check). So no gate of mine to advance, nothing to fix.
+- All Adversary findings closed (F2-10, F2-11). Gates Q0/Q1/Q2 PASS. Q3/Q4 partial.
+
+**Server build clone established:** `/root/builder-clone` (origin/main, secrets submodule skipped —
+not needed for recipe tests; Gitea token comes from `/run/secrets/bridge_gitea_token`, dockerhub
+auth from sops-rendered `/root/.docker/config.json`). `/root/cc-ci` is the nix-deploy materialised
+copy (no `.git`), `/root/adv-verify` is the Adversary's. I run e2e from `/root/builder-clone`.
+
+**Foundation re-confirmed post-2w (this tick):**
+- `cc-ci-run -m pytest tests/unit -q` → **72 passed** (Phase-2 harness survived the 2w merge).
+- `RECIPE=custom-html cc-ci-run runner/run_recipe_ci.py` → all 5 tiers PASS, deploy-count=1, WC5
+  promoted canonical custom-html → 1.11.0+1.29.0. Full install→upgrade→backup→restore→custom
+  pipeline healthy on the current harness.
+
+**Reference-corpus mapping (key planning fact).** Corpus at `/srv/recipe-maintainer/recipe-info/`
+(NOT `references/` — that path in the plan is stale). Present: authentik, bluesky-pds, cryptpad,
+custom-html, gitea, hedgedoc, immich, keycloak, lasuite-docs, lasuite-drive, lasuite-meet, lichen,
+lichen-markdown, matrix-synapse, mumble, n8n. Implication for P2 (parity):
+- §5 recipes WITH reference parity still to port: **lasuite-meet, immich, mumble** (+ already done:
+  bluesky-pds, cryptpad, custom-html, keycloak, lasuite-docs, lasuite-drive, matrix-synapse, n8n).
+- §5 recipes with NO reference → P2 vacuous, need only ≥2 specifics + lifecycle: **plausible, ghost,
+  uptime-kuma (done), mattermost-lts, discourse, mailu, drone**.
+- authentik: SSO provider, Q2.2 deferred (lands only if a dependent needs it).
+- gitea/hedgedoc/lichen* are in the corpus but NOT in §5 → out of scope.
+
+**Remaining §5 work:** Q3.3 lasuite-meet, Q3.5 immich, Q4.2 mumble (parity+specifics, need
+mirror/enroll), Q4.5 mattermost-lts, Q4.6 discourse, Q4.7 plausible (finish specifics), Q4.9 mailu,
+Q4.10 drone (specifics only), + deferral lift cryptpad create-pad (F2-9, must lift before DONE).
+
+**In flight this tick:** full `RECIPE=lasuite-drive` e2e on `/root/builder-clone`
+(log `/root/ccci-resume-lasuite-drive.log`) — lasuite-drive suite (health parity + real MinIO S3
+upload/list/download round-trip + OIDC password-grant JWT-claims against dep keycloak) is fully
+authored; driving it to its first verified-green full run (the Q3.2 acceptance evidence).