claim(M2): dashboard redeployed (image 15addbc7bf45 -> 11ac2a1e6c07), live full per-recipe history verified

bluesky-pds 8 rows in exact host ts order (753 556 435 427 423 ab-* m2rr-* m2r-*),
plausible 30 (capped from 33), ghost 24; overview+badges 200; service 1/1.
Deploy via path: flake (git-flake drops secrets/ submodule). Retention: no trim
job on /var/lib/cc-ci-runs (439 dirs / 17 days) — adequate.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

machine-docs/JOURNAL-dash.md

@@ -42,3 +42,17 @@ during M2 and record in DECISIONS if a cap is ever needed (none needed now).
 against all 308 real `results.json` + injected malformed/empty/no-recipe dirs: bluesky-pds=8 in exact
 timestamp order, plausible capped 30 (newest kept), 308 total grouped, edge dirs skipped without
 raising, security guards (`_RUN_ID_RE`, `_results_for`, `serve_run_file`) all still reject traversal.
+
+## 2026-06-17 — M2 deploy + live verify
+
+**Deploy gotcha (recorded):** `nixos-rebuild switch --flake /etc/cc-ci#cc-ci` FAILED:
+`error: path '…/secrets/secrets.yaml' does not exist`. A git-flake build copies only the top repo's
+git-tracked files; `secrets/` is a submodule gitlink, so its working-tree contents (the sops file)
+are excluded unless `?submodules=1`. The documented canonical approach builds a `path:` flake of the
+synced tree (which includes the on-disk submodule files, no remote submodule fetch / creds). Did:
+tar `/etc/cc-ci` minus `.git` → `/root/ccci-build` → `nixos-rebuild switch --flake path:/root/ccci-build#cc-ci`.
+Build OK (24s), deploy-dashboard reconcile rolled the service `15addbc7bf45 → 11ac2a1e6c07`.
+
+**Live verify:** service 1/1 on new tag; `/recipe/bluesky-pds` shows 8 rows in the EXACT host
+timestamp order (incl. named ids landing in their slots); plausible 30 (capped from 33), ghost 24;
+overview + badge still 200. Retention: no module trims `/var/lib/cc-ci-runs`; 439 dirs over 17 days.