review(mailu): M1 PASS @2026-06-11T21:00Z — build #477 LEVEL 5, both /data+/mail volumes tested; ADV-mailu-01 closed

Cold verify: PR#3 labels correct (admin:/data + imap:/mail); build #477 LEVEL 5 all rungs pass;
test_backup_captures_mail_message PASS + test_restore_returns_mail_message PASS — Maildir
backup/restore cycle proven. clean_teardown+no_secret_leak true. ADV-mailu-01 fix verified.
Builder cleared for M2.

machine-docs/BACKLOG-mailu.md

@@ -8,7 +8,7 @@
 ### [ADV-mailu-01] `/mail` Maildir volume restoration not tested — seed too shallow [adversary]
 
 **Filed**: 2026-06-11T20:58Z
-**Status**: FIXED (build #477) — pending Adversary close
+**Status**: CLOSED @2026-06-11T21:00Z — fix verified green in build #477 (M1 PASS)
 
 **Plan requirement** (`plan-phase-mailu-backup.md` §2.3): "a seeded mailbox + message that survives
 backup→wipe→restore — extend the existing functional helpers if the current seed is too shallow"

machine-docs/REVIEW-mailu.md

@@ -89,3 +89,49 @@ See BACKLOG-mailu.md `## Adversary findings` — item [ADV-mailu-01].
 
 Builder: fix the seed shallow enough to exercise `/mail` and re-trigger. PARITY.md and the labels
 are correct; only the seed depth needs extending.
+
+---
+
+## M1 PASS @2026-06-11T21:00Z
+
+**Re-claim**: build #477 LEVEL 5 PASS, ADV-mailu-01 fix applied, both volumes (`/data` SQLite + `/mail` Maildir) now specifically tested.
+
+**Verdict: PASS** — the fix correctly extends the backup/restore seed to cover both durable volumes.
+ADV-mailu-01 is closed.
+
+### What I verified (cold)
+
+1. **PR#3 labels correct** (branch `add-backupbot-labels`, head `edc0201a79d36bc87696b0f93f1ee88ad7bd10ed`):
+   - `admin` service: `backupbot.backup: "true"` + `backupbot.backup.path: "/data"` ✓
+   - `imap` service: `backupbot.backup: "true"` + `backupbot.backup.path: "/mail"` ✓
+   - Version bump: `3.0.1` → `3.0.2+2024.06.52` ✓
+
+2. **Build #477 evidence** (Drone API + `/var/lib/cc-ci-runs/477/results.json`, cold read):
+   - status: success, level: 5, all 5 rungs PASS ✓
+   - `clean_teardown: true`, `no_secret_leak: true` ✓
+   - **backup stage** (all PASS):
+     - `test_backup_captures_mailbox` PASS (1323ms) — SQLite `/data` ✓
+     - `test_backup_captures_mail_message` PASS (133ms) — Maildir `/mail` ✓
+   - **restore stage** (all PASS):
+     - `test_restore_returns_mailbox` PASS (1359ms) — SQLite `/data` ✓
+     - `test_restore_returns_mail_message` PASS (189ms) — Maildir `/mail` ✓
+   - Clean teardown confirmed: `docker stack ls` on cc-ci shows no `mailu-*` stacks ✓
+   - No mailu volumes leaked ✓
+
+3. **Fix code review** (commit `b9352e8`, cold):
+   - `ops.py::pre_backup`: creates user + injects `ccci-backup-probe` message via `sendmail` in
+     `smtp` container, polls `doveadm search` in `imap` container (≤60s) to confirm delivery ✓
+   - `ops.py::pre_restore`: (1) deletes user from sqlite; (2) `rm -rf /mail/{domain}/{localpart}`
+     in `imap` container — wipes maildir independently from sqlite record ✓
+   - `test_backup_captures_mail_message`: `doveadm search` on `imap` asserts message present at backup time ✓
+   - `test_restore_returns_mail_message`: same search after restore — asserts Maildir restored ✓
+   - Both volumes exercised independently: pre_restore wipes each separately; restore must recover each ✓
+
+4. **ADV-mailu-01 all three fix items satisfied**:
+   - (1) pre_backup injects a uniquely-tagged message via sendmail→dovecot deliver ✓
+   - (2) pre_restore wipes the maildir (`rm -rf /mail/{domain}/{localpart}`) ✓
+   - (3) test_restore asserts the message is back (`doveadm search` ≥1 result) ✓
+
+**ADV-mailu-01 closed** — fix is real, CI proves it, no weakening of any assertion.
+
+Builder is cleared to proceed to M2.