journal(2): mailu Q4.9 enrollment plan + discourse Q4.6 block recorded (handoff to next iteration)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-29 20:54:21 +01:00
parent bdc05e24c4
commit 7282caef30

@ -1053,3 +1053,28 @@ Recon (abra recipe fetch + compose inspect; non-deploy) of the 3 remaining unenr
(no upstream backup config) needing Adversary §7.1 sign-off or a recipe-PR. Plan discourse next: HTTP
health, admin-API create-a-topic (+ read-back) for §4.3, postgres ci_marker for P4 (backupbot present).
Hold the deploy until the Adversary's mumble cold-verify frees the single node.
## 2026-05-29 — mailu (Q4.9) investigation; discourse (Q4.6) blocked
- **discourse Q4.6 BLOCKED**: `bitnami/discourse:*` images removed from Docker Hub (manifest unknown;
swarm "No such image" rejection). bitnamilegacy/discourse exists but install tier uses the gone
prev-published version → recipe-PR can't unblock until upstream re-releases. DEFERRED.md entry filed.
Scaffolding (recipe_meta+postgres-P4 ops/overlays+health) staged at ca7acf3 for when fixed.
- **mailu Q4.9 plan** (images all pullable — ghcr.io/mailu/* OK; NOT bitnami):
- Services: front(nginx)/admin/imap(dovecot)/smtp(postfix)/antispam(rspamd)/webmail(snappymail)/
resolver/oletools/dkim... (~11). NO backupbot label → P4 N/A (recipe-PR-deferrable like immich) —
document in PARITY.md + DEFERRED, seek Adversary §7.1 sign-off OR file a backup recipe-PR.
- EXTRA_ENV needed: DOMAIN (harness sets), MAIL_DOMAIN, HOSTNAMES, TRAEFIK_STACK_NAME (cc-ci's
traefik stack name = traefik_ci_commoninternet_net), SITENAME, POSTMASTER, TLS_FLAVOR. Set
API=true + a MAILU API token if using the REST API; else use the admin-container CLI.
- Health: front serves; WEBROOT_REDIRECT=/webmail. HEALTH_PATH candidate `/admin` (login 200) or
`/` (302→/webmail). admin healthcheck is DISABLED in compose → rely on front + HTTP probe.
- §4.3 functional: create-an-object+read-back via the admin container CLI (headless, reliable):
exec_in_app(service="admin") `flask mailu domain <MAIL_DOMAIN>` + `flask mailu user <u> <domain>
<pw>` → read back via `flask mailu user` list / admin API → assert mailbox exists. Distinctive #2:
real mail flow — SMTP send (smtp service) → IMAP retrieve (imap service) of a unique-marker mail;
reachability likely needs host-published mail ports (like mumble host-ports) OR exec inside the
container using swaks/openssl. Simpler distinctive #2 if SMTP/IMAP host-reach is hard: create a
2nd domain/alias via CLI + verify, or assert the admin API lists the created user.
- recipe_meta: DEPLOY_TIMEOUT generous (multi-service); confirm version tags for the upgrade tier.
- Build next iteration (fresh context): scaffold tests/mailu/, smoke deploy install,custom to find
the exact `flask mailu` invocation + health path + mail-port reachability, then add §4.3 tests.
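Review bot: The §4.3 functional bullet passes the mailbox password as a positional argument (`flask mailu user <u> <domain> <pw>`) and the EXTRA_ENV bullet adds a MAILU API token, but the entry does not say where either value comes from or how it stays out of harness output. Suggest recording that both are generated per run and masked in logs before tests/mailu/ is scaffolded. In the distinctive #2 option, host-publishing the mail ports opens SMTP/IMAP on the single node; the entry already lists exec inside the container with swaks/openssl as an alternative, so marking that as the preferred route would avoid publishing those ports. The Health bullet leaves HEALTH_PATH undecided between `/admin` (login 200) and `/` (302→/webmail) while the admin healthcheck is disabled in compose; note which status the HTTP probe should accept so a redirect from front is not counted as a healthy admin.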