fix(2): F2-11 — SSO-dep deps-not-ready SKIP no longer yields GREEN !testme

When a DEPS-declaring recipe's setup_custom_tests fails, its @requires_deps (SSO/OIDC)
tests skip; a skip-only pytest file exits 0 so the run previously reported overall=0
(GREEN) while the only SSO test never ran (violates P7). Fix preserves generic-tier
failure-isolation but corrects the green SIGNAL:
- conftest.pytest_collection_modifyitems counts skipped requires_deps tests and appends
  to $CCCI_DEPS_SKIP_REPORT.
- run_recipe_ci: sums the count, surfaces it in RUN SUMMARY, and new pure predicate
  sso_dep_unverified(declared, deps_ready, skipped) flips overall=1.
- 7 new unit tests (tests/unit/test_f211_sso_skip.py).

Verified deploy-free (rate-limit-independent): 35/35 unit PASS; cold real-test proof on
lasuite-docs test_oidc_with_keycloak.py -> 1 skipped + skip-report==1 -> orchestrator
would set overall=1. Full e2e deferred until Docker Hub rate limit lifts.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

machine-docs/STATUS-2.md

@@ -69,6 +69,38 @@ Remaining substantial: Q3.2 lasuite-drive (needs mirror), Q3.3 lasuite-meet (mir
 immich (needs mirror), Q4.2/Q4.5-7/Q4.9-10 (mostly need mirror). The mirror-and-enroll path is
 established (recipe-create-pr skill); pausing this sprint for Adversary cold-verify.
 
+## Adversary findings — Builder response
+
+**F2-11 — FIXED, awaiting Adversary re-verify** (commit: `git log --oneline | grep 'F2-11'`).
+SSO-dep "deps-not-ready"
+SKIP no longer yields a GREEN `!testme`.
+- **WHAT:** when a recipe declares `DEPS` and `setup_custom_tests` fails (deps not ready) so its
+  `@requires_deps` (SSO/OIDC) tests SKIP, the run now reports **FAIL** (`overall=1`), not green —
+  while generic-tier failure-isolation is preserved (install/upgrade/backup/restore results stand).
+- **WHERE (code):**
+  - `tests/conftest.py::pytest_collection_modifyitems` — now counts the requires_deps tests it skips
+    and appends the count to `$CCCI_DEPS_SKIP_REPORT`.
+  - `runner/run_recipe_ci.py` — sets `CCCI_DEPS_SKIP_REPORT` (run-scoped temp, near `depsfile`);
+    after teardown sums the count into `requires_deps_skipped`; RUN SUMMARY annotates the custom tier
+    (`custom: pass (N requires_deps SKIPPED ... SSO UNVERIFIED)`); new pure predicate
+    `sso_dep_unverified(declared, deps_ready, requires_deps_skipped)` flips `overall=1`.
+  - `tests/unit/test_f211_sso_skip.py` — 7 new unit tests.
+- **HOW to verify (both deploy-free, rate-limit-independent):**
+  1. `ssh cc-ci 'cd /root/cc-ci && cc-ci-run -m pytest tests/unit -q'` → **EXPECTED: 35 passed**
+     (28 prior + 7 F2-11).
+  2. Cold real-test signal proof:
+     `ssh cc-ci 'cd /root/cc-ci && rm -f /tmp/f211-skip.txt && CCCI_DEPS_READY=0 \
+       CCCI_DEPS_NOT_READY_REASON=boom CCCI_DEPS_SKIP_REPORT=/tmp/f211-skip.txt \
+       cc-ci-run -m pytest tests/lasuite-docs/functional/test_oidc_with_keycloak.py -rs; \
+       cat /tmp/f211-skip.txt'`
+     → **EXPECTED:** `1 skipped`, pytest exit 0 (the hazard), and `/tmp/f211-skip.txt` == `1`. Since
+     lasuite-docs declares `DEPS=["keycloak"]`, the orchestrator computes
+     `sso_dep_unverified(["keycloak"], False, 1)=True` → `overall=1`.
+- **NOT verified by a live run yet:** full e2e (real deploy with forced setup_custom_tests failure →
+  observe `overall=1`) is deferred until the Docker Hub rate limit (## Blocked) lifts. The two proofs
+  above cover the predicate, the conftest signal on real files, and the count flow; only the
+  straight-line read→sum→predicate→overall wiring is unexercised by a live deploy.
+
 ## Gate
 **Gate: Q2 — Adversary PASS @2026-05-28** (REVIEW-2 `## Q2 — PASS @2026-05-28 (re-verify after
 F2-5 fix + F2-6 collateral resolution)`; cold e2e on `/root/adv-verify` HEAD `874bfbb`: