claim(M1): canonical sweep machinery built + live-proven on custom-html

M1 (machinery works locally, each piece proven) — code HEAD d4cc9e4, unit suite 295 passed:
- M1.1 tagged-promote gate + promote-tested-version: live proof-A wrote a fresh canonical
  (commit df2e273 = the tag commit, correcting samever's main-HEAD 2b82eba); live proof-C
  green-untagged → 0 promotes, canonical byte-identical (tagged-gate blocks untagged).
- M1.2 sweep_decision (version-keyed trigger) + vendored faithful recipe-mirror-sync.sh
  (smoke-tested: faithful no-op main/tags push, closed merged-upstream PR #2, left PR #5);
  nightly_sweep rewritten (mirror_sync -> trigger -> run_on_tag). Live SKIP demo on custom-html.
- M1.3 all 21 used-recipes enrolled. M1.4 hollow-sweep fix (CCCI_REPO=/etc/cc-ci). M1.5 weekly timer.
- M1(A) reattach: live proof-B --quick reused the retained volume green; known-good unchanged.

Evidence + verify recipes in STATUS-canon.md; reasoning in JOURNAL-canon.md; DECISIONS appended.
Gate: M1 CLAIMED, awaiting Adversary.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

machine-docs/DECISIONS.md

@@ -1462,3 +1462,31 @@ but stays well within the ≤90 s budget. Acceptable.
   remove it"). The all-deploys `compose.ccci.yml` overlay is now ENVIRONMENTAL-only (node-reality tweaks,
   no version-specific image pins or service add/drop); version-specific repairs live in `previous/`.
   Discourse ships NO `previous/` (base bitnamilegacy:3.5.0 deploys clean).
+
+## Phase canon (2026-06-17) — canonical sweep made real
+
+- **Tagged-promote gate (§2.A).** A canonical only ever advances to a PUBLISHED RELEASE TAG.
+  `should_promote_canonical` requires `tagged` (computed by the caller via
+  `warm_reconcile.is_released_version(recipe, head_version)`); `promote_canonical` records the TESTED
+  `head_version` (the release version actually exercised), NOT a re-derived `latest_version(recipe_tags)`
+  — these can diverge in a manual `RECIPE=<r>` run whose `main` sits on a tag older than the newest
+  published tag. An untagged `main` commit never becomes a canonical.
+- **New-release-tag trigger (§2.D).** The weekly sweep tests a recipe only when its latest release tag
+  is newer (by `warm_reconcile.version_key`) than its canonical version — NOT on new commits. No new
+  tag → SKIP (even if `main` has untagged commits). This gives the run-twice determinism no-op and
+  makes the sweep orthogonal to `samever` (version-under-test always > canonical → no same-version
+  step-back in the sweep).
+- **Mirror-sync is a VENDORED `scripts/recipe-mirror-sync.sh`, not the nix-store
+  recipe-upgrade/open-recipe-pr.sh.** Rationale: open-recipe-pr.sh assumes the recipe clone's `origin`
+  IS coopcloud upstream, but cc-ci's abra recipe clones have inconsistent remotes (origin is variously
+  the mirror / coopcloud / absent). The vendored script pins an explicit coopcloud `upstream` remote
+  by recipe name, syncs main+TAGS (canon's trigger needs upstream tags), closes only merged-upstream
+  PRs, leaves unrelated PRs, and authes via the bot gitea token (self-contained, reproducible — a
+  systemd service must not depend on a per-skill-version nix-store path). Behaviour matches the phase's
+  described `--reconcile-only`: faithful mirror sync, never our own changes.
+- **Hollow-sweep root cause + fix.** The deployed timer ran the nix-STORE runner copy (no `tests/`),
+  so `enrolled_recipes()` resolved `TESTS_DIR` to a missing dir → `[]` → no-op. Fix: the sweep runs
+  from `$CCCI_REPO=/etc/cc-ci` (has runner/ AND tests/); deploys `git -C /etc/cc-ci pull` +
+  nixos-rebuild. Sweep-logic now ships via a checkout pull (no store rebuild needed for logic-only).
+- **All 21 used-recipes enrolled (§2.B); cadence weekly (§2.F).** The enroll set is exactly
+  `cc-ci-plan/used-recipes.md`; test fixtures stay unenrolled.