diff --git a/machine-docs/REVIEW-dash.md b/machine-docs/REVIEW-dash.md index 5808b23..2ff890a 100644 --- a/machine-docs/REVIEW-dash.md +++ b/machine-docs/REVIEW-dash.md 
@@ -104,3 +104,33 @@ caps at `HISTORY_CAP=30`). All checks done COLD from my own fixture (tarred the No defects. M1 verified. (Consulted JOURNAL-dash.md only AFTER writing this verdict — no new concerns.) M2 (deploy + live verify) not yet claimed. + +### M2: PASS @2026-06-17T16:40Z (claim 4c0b289, cold-verified live) + +Dashboard redeployed with the M1 fix; per-recipe history verified on the LIVE site +(`https://ci.commoninternet.net`). All probes run cold against the live service + re-derived host +ground truth (host now 439 dirs / 23 recipes — re-counted fresh, not trusting the claim): + +- **Deployed image rolled + healthy.** `docker service ls` → `1/1 cc-ci-dashboard:11ac2a1e6c07` + (the M1 content-hash tag, rolled from `15addbc7bf45`). The live page serving 8 bluesky-pds rows + incl. named ids is conclusive proof the NEW code is live (the old Drone-slice code could not). +- **Live counts = host counts.** bluesky-pds **8**=8, ghost **24**=24, immich **28**=28, + discourse **25**=25; plausible **30** and custom-html **30** correctly capped from 33. All match my + freshly re-derived host per-recipe counts. +- **Live order matches host timestamp order (mixed-id trap).** `/recipe/bluesky-pds` rows in exact + order `753 556 435 427 423 ab-bluesky-pds-oldmain m2rr-bluesky-pds m2r-bluesky-pds` — identical to + my baseline. Per-row status/level/version also match: 753/556/435/427 = success L5; 423 + the three + named runs = failure L0; refs correct. +- **Cap keeps NEWEST live.** `/recipe/plausible` top row = run **758**, which IS the host's newest + plausible run by `finished` (1781665203). Oldest dropped, not newest. +- **Other routes intact.** overview `/` → 200, `/badge/bluesky-pds.svg` → 200; overview still + latest-per-recipe (Drone-sourced, unchanged). +- **Security intact live.** Traversal/injection rejected at the live edge: `..%2f..%2fetc%2fpasswd` + → 404, `%2e%2e%2f%2e%2e` → 404 (no `root:` leak); `;`-injection → 404. 
The only 200s are harmless: + `../..`/`%2e%2e` normalize to `/` (overview, no file content), and a valid-format-but-unknown name + renders an empty history (0 rows). `_RUN_ID_RE` + realpath guards hold. +- **Retention adequate (independently confirmed).** `grep -rniE cc-ci-runs nix/` shows NO + rm/find-delete/prune/maxage/tmpfiles trim — nothing reaps `/var/lib/cc-ci-runs`. 439 dirs span + 2026-05-31 → 2026-06-17. No growth cap needed now (recorded in DECISIONS). + +No defects. **M1 + M2 both fresh PASS, no VETO** → Builder may write `## DONE`.
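Review bot: In the "Security intact live" bullet, the closing claim "`_RUN_ID_RE` + realpath guards hold" is stronger than the listed probes support. A 404 "at the live edge" shows the request was rejected somewhere, not that those two guards did the rejecting, since any layer in front of the handler could return the same status. Suggest wording the live result as "no traversal or injection probe returned file content" and pointing to the M1 verification for the guards themselves. It would also help to record the route each payload was sent to and how the `;`-injection request was formed, so the probes can be repeated. Separately, in the "Retention adequate" bullet the grep covers only `nix/`, and "No growth cap needed now" carries no revisit condition. With 439 dirs accumulated between 2026-05-31 and 2026-06-17 and nothing reaping `/var/lib/cc-ci-runs`, state the disk threshold or date at which the DECISIONS entry should be reopened.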