fix(5 A5-1/A5-2): bridge commit status posting + enroll custom-html-tiny

A5-2: bridge.py now posts Gitea commit statuses on the recipe PR's head SHA:
- pending on build trigger (so testme-on-pr.sh sees the run immediately)
- success/failure on build finish (so testme-on-pr.sh returns VERDICT=GREEN/RED)
Added post_commit_status() using the existing _api() helper + GITEA_TOKEN.
Called from process_testme() (pending) and watch_and_reflect() (terminal state).

A5-1: added recipe-maintainers/custom-html-tiny to bridge POLL_REPOS in
bridge.nix so !testme on custom-html-tiny PRs is picked up by the bridge poller.

bridge/bridge.py

@@ -160,6 +160,18 @@ def edit_comment(owner, repo, comment_id, body):
     )
 
 
+def post_commit_status(owner, repo, sha, state, target_url, description=""):
+    """Post a Gitea commit status on a recipe PR's head SHA so testme-on-pr.sh can read
+    the verdict from GET /repos/{owner}/{repo}/commits/{sha}/status (Phase 5 / A5-2 fix)."""
+    _api(
+        f"{GITEA_API}/repos/{owner}/{repo}/statuses/{sha}",
+        GITEA_TOKEN,
+        method="POST",
+        data={"state": state, "target_url": target_url,
+              "description": description, "context": "cc-ci/testme"},
+    )
+
+
 def build_status(num):
     status, b = _api(f"{DRONE_URL}/api/repos/{CI_REPO}/builds/{num}", DRONE_TOKEN, scheme="Bearer")
     return b.get("status") if status == 200 and b else None
@@ -222,6 +234,8 @@ def watch_and_reflect(owner, name, number, num, recipe, sha, comment_id, run_url
         _t.sleep(15)
     if comment_id:
         edit_comment(owner, name, comment_id, result_comment_body(recipe, sha, num, run_url, last))
+    git_state = "success" if last == "success" else "failure"
+    post_commit_status(owner, name, sha, git_state, run_url, f"cc-ci: {git_state}")
     log(f"reflected outcome build {num} ({recipe} PR #{number}): {last}")
 
 
@@ -271,6 +285,7 @@ def process_testme(full_name, owner, name, number, user, comment_id, source, qui
         post_comment(owner, name, number, "cc-ci: failed to start a CI run (see bridge logs).")
         return None, "trigger failed"
     run_url = f"{DRONE_URL}/{CI_REPO}/{num}"
+    post_commit_status(owner, name, head["sha"], "pending", run_url, "cc-ci run in progress")
     mode = " **(--quick: lower-confidence fast lane; does not gate merge)**" if quick else ""
     # R2/U3: one comment per PR, updated in place. Reuse the existing marked comment if present
     # (re-`!testme` refreshes it back to the ⏳ placeholder), else post a new one.

machine-docs/JOURNAL-5.md

@@ -0,0 +1,27 @@
+# JOURNAL — cc-ci Phase 5
+
+## 2026-05-31 — Phase 5 boot
+
+Phase 5 starting. System state verified:
+- cc-ci: `systemctl is-system-running` → running; 0 failed units
+- Docker services: ccci-bridge 1/1, ccci-dashboard 1/1, drone 1/1, traefik 1/1
+- Bridge: 1/1 (container-based, logs via `docker service logs ccci-bridge_app`)
+
+**Sandbox recipe chosen:** `custom-html-tiny` (simple static-web-server; short timeouts; existing
+install_steps.sh hook; generic harness; ideal for upgrade-flow testing with minimal CI runtime).
+
+**Existing open PRs on custom-html-tiny mirror:**
+- #1 `serve-hidden-files` branch — "chore: publish 1.0.2+2.38.0 release" (feature + version bump,
+  NOT from upstream main, NOT merged upstream, from 2026-05-25). Will be closed as superseded when
+  we open the upgrade PR (expected V7 behavior).
+
+**Available upgrades for custom-html-tiny:**
+- `app` service (joseluisq/static-web-server): 2.38.0 → 2.42.0
+- `git` service (alpine/git, compose.git-pull.yml): v2.36.3 → v2.52.0
+- New version label: 1.1.0+2.42.0
+
+## 2026-05-31 — V3: recipe-upgrade flow starting
+
+Following SKILL.md procedure for /recipe-upgrade custom-html-tiny:
+Step 1 (Plan): fetched recipe, found upgrades available — see above.
+Step 2 (Implement): upgrading image tags on cc-ci; bumping version label; committing.

machine-docs/STATUS-5.md

@@ -0,0 +1,32 @@
+# STATUS — cc-ci Phase 5 Builder
+
+**Phase:** 5 — Verify `/recipe-upgrade` + `testme-on-pr.sh` end-to-end flow
+**SSOT:** `/srv/cc-ci/cc-ci-plan/plan-phase5-verify-upgrade-flow.md`
+**Started:** 2026-05-31
+
+## Current focus
+
+Running V3 — `/recipe-upgrade custom-html-tiny` end-to-end (V1/V2/V7 evidence collected alongside).
+
+## Verification item status
+
+| Item | Status | Evidence |
+|---|---|---|
+| V1 — !testme trigger + result-back | IN PROGRESS | D1 PASS from Phase 3 (REVIEW.md); fresh run pending via V3 |
+| V2 — testme-on-pr.sh reads verdict | IN PROGRESS | Running via V3 flow |
+| V3 — /recipe-upgrade sandbox GREEN | IN PROGRESS | custom-html-tiny upgrade underway |
+| V4 — 3-iter regression loop | TODO | |
+| V5 — stale-test DEFAULT = comment | TODO | |
+| V6 — --with-tests opens+verifies cc-ci test PR | TODO | |
+| V7 — mirror reconciliation | IN PROGRESS | open-recipe-pr.sh reconciler running |
+| V8 — /upgrade-all DEFAULT run | TODO | |
+| V8a — cc-ci-upgrader agent | TODO | |
+| V9 — cleanup | TODO | |
+
+## Phase 5 gates
+
+(None claimed yet — working V3.)
+
+## Blocked
+
+(none)

nix/modules/bridge.nix

@@ -40,7 +40,7 @@ let
           # admin-registered push optimization deduped against the poller (§4.1). Enrollment = add
           # the repo to POLL_REPOS (csv) + ensure tests/<recipe>/ exists.
           - POLL_INTERVAL=30
-          - POLL_REPOS=recipe-maintainers/cc-ci,recipe-maintainers/custom-html,recipe-maintainers/keycloak,recipe-maintainers/cryptpad,recipe-maintainers/matrix-synapse,recipe-maintainers/lasuite-docs,recipe-maintainers/n8n,recipe-maintainers/hedgedoc
+          - POLL_REPOS=recipe-maintainers/cc-ci,recipe-maintainers/custom-html,recipe-maintainers/custom-html-tiny,recipe-maintainers/keycloak,recipe-maintainers/cryptpad,recipe-maintainers/matrix-synapse,recipe-maintainers/lasuite-docs,recipe-maintainers/n8n,recipe-maintainers/hedgedoc
           - HMAC_FILE=/run/secrets/webhook_hmac
           - DRONE_TOKEN_FILE=/run/secrets/drone_token
           - GITEA_TOKEN_FILE=/run/secrets/gitea_token