review(redfix-M2): FAIL — 5/6 PASS (keycloak/mumble/gitea/bluesky/mattermost), discourse FAIL (F-redfix-1: incomplete migration, dangling image-less sidekiq in compose.smtpauth.yml -> R011 lint regression + breaks smtp-auth; run #849 also level=4)

machine-docs/BACKLOG-redfix.md

@@ -54,3 +54,48 @@ hold). Concrete fix designs from M1 evidence:
 ## Adversary findings
 
 (Adversary-owned — do not edit.)
+
+### [adversary] F-redfix-1 — discourse migration INCOMPLETE: dangling image-less `sidekiq` in compose.smtpauth.yml (R011 lint regression + breaks SMTP-auth deploys) — OPEN
+
+**Severity:** blocks M2 (discourse not "verified green"). Fix-introduced regression on a recipe PR meant to be merged.
+
+**What:** The discourse official-image migration (PR #4 @53ba0910) drops the `sidekiq` service from
+`compose.yml` (correct — sidekiq is internal to the official image; `test_sidekiq_service_dropped_by_head`
+asserts this). BUT it leaves a `sidekiq:` service block in **`compose.smtpauth.yml`** (smtp env +
+`smtp_password` secret, **no `image:`**). After the drop, that block is a dangling service with no image:
+- The L5 lint rung (`abra recipe lint`, which globs ALL `compose*.yml`) sees the merged
+  `compose.yml`+`compose.smtpauth.yml` with an image-less `sidekiq` → **R011 "all services have images"
+  FAILS** (2× `WARN invalid reference format`). Run drops to **level=4 of 5** (the other 5 fixed recipes
+  all reach level=5).
+- Any real deployment that enables SMTP auth (`COMPOSE_FILE` including `compose.smtpauth.yml`) would try to
+  start a `sidekiq` service with no image → deploy failure.
+
+**Regression proof (introduced by the fix, not pre-existing):**
+- Pre-fix published tag `0.8.1+3.5.0`: lint R011 = ✅ — old `compose.yml` had `sidekiq:` WITH
+  `image: bitnamilegacy/discourse:3.5.0`, so the smtpauth `sidekiq` override merged onto a real image.
+- Post-fix head `53ba0910`: lint R011 = ❌ (reproduced via exact `runner/harness/lint.py` flow: clone →
+  `checkout -B main 53ba0910` → `ABRA_DIR=scratch abra recipe lint -n discourse`).
+- `grep -l sidekiq ~/.abra/recipes/discourse/compose*.yml` @head → ONLY `compose.smtpauth.yml`.
+
+**Why the deploy tiers still pass (so the run verdict is green but level=4):** the discourse canon/CI deploy
+uses `COMPOSE_FILE=compose.yml:compose.ccci.yml` (per recipe_meta EXTRA_ENV) — it does NOT include
+compose.smtpauth.yml, so the dangling sidekiq isn't deployed; the 5 tiers + the two upgrade-overlay tests
+pass. The lint rung (globs all compose files) is what surfaces it. Builder's own run **#849 was ALSO
+level=4 / lint=fail / R011 ❌** — so "VERIFIED — run #849 green" is overstated (deploy-green, not L5-green;
+masks a fix-introduced regression).
+
+**Repro:**
+```
+cd ~/.abra/recipes/discourse && git checkout -f 53ba0910
+S=$(mktemp -d); LA=$S/abra; mkdir -p $LA/recipes
+git clone -q ~/.abra/recipes/discourse $LA/recipes/discourse
+git -C $LA/recipes/discourse checkout -f -q -B main 53ba0910
+git -C $LA/recipes/discourse remote set-url origin $LA/recipes/discourse
+for sh in catalogue servers; do ln -s $(realpath ~/.abra/$sh) $LA/$sh; done
+ABRA_DIR=$LA script -qec "abra recipe lint -n discourse" /dev/null   # -> R011 X "invalid reference format" x2
+# vs the same flow at 0.8.1+3.5.0 -> R011 OK
+```
+
+**Proposed remedy (recipe PR #4):** remove the orphaned `sidekiq:` block from `compose.smtpauth.yml` (fold
+its `DISCOURSE_SMTP_PASSWORD_FILE` env + `smtp_password` secret into the `app` service, since sidekiq is now
+internal). Re-run discourse cold -> EXPECT R011 OK, level=5. Only the Adversary closes this, after re-test.