diff --git a/machine-docs/BACKLOG-2.md b/machine-docs/BACKLOG-2.md
index d5c50df..4093cc1 100644
--- a/machine-docs/BACKLOG-2.md
+++ b/machine-docs/BACKLOG-2.md
@@ -81,11 +81,17 @@ Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase2-recipe-tests.md`
       RED). Test assertions are all correct (run 1 proved health+MinIO+OIDC green); the flakiness is in
       the redeploy infra. **Two open issues block a reliable Q3.2 green:** (a) [Q3.2a] flaky OIDC
       redeploy — see below; (b) upgrade tier disk-blocker (DEFERRED/operator). See JOURNAL-2 2026-05-29.
-- [ ] **Q3.2a** — Make lasuite-drive OIDC wiring reliable. The full 12-service `--chaos` redeploy to
-      apply OIDC env exposes collabora's flaky reconverge (+ transient backend gunicorn-perms / celery
-      WOPI-404). Fix direction: wire OIDC at INSTALL time (install_steps, no post-deploy redeploy — the
-      lasuite-docs model) OR make setup_custom_tests redeploy resilient (retry + wait for collabora WOPI
-      discovery 200 before ready). Then re-run subset to a reliable green before claiming Q3.2.
+- [ ] **Q3.2a** — Make lasuite-drive OIDC wiring reliable. **PLAN:**
+      `cc-ci-plan/plan-lasuite-drive-oidc-robustness.md` (orchestrator, 2026-05-29). The full
+      12-service `--chaos` redeploy to apply OIDC env exposes collabora's flaky reconverge (+ transient
+      backend gunicorn-perms / WOPI-404). Structured as: **Step 0** capture real failure logs first;
+      **Part A** (cc-ci harness) — create the per-run realm/client in the live-WARM keycloak + set OIDC
+      env in `.env` BEFORE a single `abra app deploy` (deploy ONCE, NO mid-run `--chaos` reconverge);
+      REAL abra commands only (no `docker service update/scale` patching); verify full suite green **3×
+      in a row**. **Part B** — lasuite-drive RECIPE PR (collabora WOPI healthcheck-gating + backend
+      retry; gunicorn-perms entrypoint fix; lazy/retrying OIDC discovery); "working" ONLY once cc-ci
+      runs the full suite (incl. upgrade tier, now disk-unblocked) on the PR repeatedly-green +
+      Adversary cold-verified → operator merges. Q3.2 claimed + this item closed only after A+B green.
 - [ ] **Q3.3** — lasuite-meet: parity (health_check, oidc_login, meeting_flow, webrtc-media,
       webrtc-relay) + specific (create-a-room, two-user LiveKit token issuance, ICE-candidate gathering).
 - [~] **Q3.4** — cryptpad: parity port (health_check) ✓ + 2 NEW recipe-specific