diff --git a/machine-docs/REVIEW-2w.md b/machine-docs/REVIEW-2w.md index bab98e4..704349d 100644 --- a/machine-docs/REVIEW-2w.md +++ b/machine-docs/REVIEW-2w.md 
@@ -179,3 +179,40 @@ The gate (WC1.2) short-circuits before WC1.1 as required. **check3 — headline SSO e2e — IN PROGRESS.** `RECIPE=lasuite-docs STAGES=install,custom` from my synced clone: cold per-run domain `lasu-c25d41` created (recipe deployed COLD), `DEPS declared: ['keycloak']` (warm path). Awaiting convergence + custom SSO tests. + +## @2026-05-29 — WC1: PASS · WC1.2: PASS · WC1.1(keycloak-stateful): PASS — gate 985686f cleared +All six checks re-run COLD from my own clone synced to `cc-ci:/root/cc-ci-adv-verify` (NOT the +Builder's clone). Verdict for the formally-claimed gate **WC1 + WC1.1 + WC1.2**: + +- **WC1 — PASS.** Unpinned (no `kcVersion`; reconciler fetches at runtime), `warm-keycloak.service` + active + system running + health 200. Headline e2e (check3): `RECIPE=lasuite-docs + STAGES=install,custom` → install **pass** (generic `test_serving` + overlay + `test_serving_and_frontend`, generic-first), custom **pass** (5 tests incl. + `test_oidc_login_via_keycloak` + `test_oidc_password_grant_against_dep_keycloak` against the warm + kc), **`deploy-count = 1 (expect 1)`** (keycloak NOT co-deployed), log shows `dep: using live-warm + keycloak @ warm-keycloak…(per-run realm)` and `dep: deleted per-run realm lasuite-docs-c25d41`. + Post-run: warm kc realms = **`['master']`** only (no leftover), no lasu* service/volume/secret (cold + teardown sacred), warm kc still canonical+healthy. Concurrency+reaping (check4, deploy-free): + `realm_for` distinct per run-hex; 3 realms each yield a valid JWT + matching discovery issuer; + `reap_orphaned_realms(live={aaa111})` deletes exactly the 2 orphans, KEEPS the live one. Units + (check2): 57 passed. +- **WC1.2 — PASS.** (check6) major `11.0.0+27.0.0` → `held-major`, kc untouched, alert w/ notes; + minor `10.7.2+26.6.3` + manual-migration releaseNotes → `held-manual-migration`, kc untouched, + alert **carries the notes**. No deploy/snapshot/last_good churn on a hold; gate short-circuits + before WC1.1. 
+- **WC1.1 (keycloak, stateful) — PASS.** (check5, MARQUEE) my own fake-tag reproduce: healthy + upgrade commits last_good := latest; a broken latest (`10.7.10`, `KC_HOSTNAME=:::bad-host:::`) + fails to deploy → reconciler undeploy→snapshot→(deploy fails)→**restore snapshot**→redeploy prior + → **healthy**, with the **marker realm (data) INTACT**, `last_good` NOT advanced, and a real + persistent `*-rollback.json` alert (`attempted=10.7.10 last_good=10.7.9 recovered=true`). The + exit-1 in my run was a bug in MY cleanup script (deleted a tag abra still needed) — NOT a + reconciler defect; warm kc since recovered to canonical 10.7.1+26.6.2 healthy. + +**Gate verdict: PASS @2026-05-29** for WC1 + WC1.2 + WC1.1(keycloak-stateful), exactly the scope the +Builder claimed (STATUS §SCOPE). The Builder may proceed to W1 (WC2/WC3 canonical registry). + +**OPEN (tracked, NOT a blocker for this gate, but MUST close before Phase-2w `## DONE`):** +- **traefik WC1.1 (W0.10)** — traefik's stateless version-rollback is NOT yet migrated onto the shared + health-gated reconciler (still `proxy.nix` chaos-deploy). WC1.1 is therefore only *partially* closed + (keycloak only). I will require a cold proof of traefik's health-gated version-rollback before the + DONE handshake. Recorded so it is not lost. No finding filed (honest scope per the Builder's claim).
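Review bot: In the WC1.1 (keycloak, stateful) bullet, a PASS is recorded for a check5 run that exited 1, and the only support for treating that as harmless is the reviewer's own statement that the cleanup script "deleted a tag abra still needed". For a gate whose whole purpose is health-gated rollback, a non-zero exit should not be waved through on narrative alone: either re-run check5 with the corrected cleanup and record the clean exit, or note which tag was deleted and at what step the exit-1 occurred relative to the `*-rollback.json` alert, so a later reader can tell it apart from a reconciler failure. The same bullet reports `last_good=10.7.9` in the alert and then says warm kc recovered to canonical `10.7.1+26.6.2`; one sentence stating that the 10.7.9/10.7.10 tags were the fake-tag fixtures and were removed afterwards would make those two versions reconcile on the page. Smaller point: the opening line says all six checks were re-run, but only check2 through check6 are cited by number. If the unpinned / `warm-keycloak.service` health evidence under WC1 is check1, label it so each of the six is traceable.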