status(1d): G4 — DG7 migration + DG8 docs done; DG6 !testme e2e in flight (build #153, hedgedoc)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

machine-docs/BACKLOG-1d.md

@@ -35,9 +35,12 @@
 
 ### G4 — !testme e2e + per-op reporting + docs + cold verify (DG6, DG7, DG8)
 - [ ] !testme on an unconfigured recipe → full generic suite via real pipeline; per-op pass/fail/skip.
-- [ ] Migrate remaining recipe tests to the new contract so nothing regresses (DG7).
-- [ ] docs/: generic suite, overlay convention (names/locations/precedence), install-steps hook,
-      how to add an overlay.
+      IN FLIGHT: hedgedoc enrolled + deployed; `!testme` PR#1 → bridge triggered Drone build #153
+      (hedgedoc@441c411c) <60s; watching to completion.
+- [x] Migrate remaining recipe tests to the new contract so nothing regresses (DG7) — afd75a4
+      (keycloak/cryptpad/matrix-synapse/n8n/lasuite-docs → assertion-only deploy-once contract).
+- [x] docs/: generic suite, overlay convention (names/locations/precedence), install-steps hook,
+      how to add an overlay — b756e72 (docs/testing.md + enroll-recipe.md + README).
 - [ ] Request Adversary cold-verify DG1–DG8 → flip STATUS-1d to ## DONE.
 
 ## Adversary findings (Adversary-only)

machine-docs/JOURNAL-1d.md

@@ -198,3 +198,35 @@ hook writes index.html straight to the swarm volume's mountpoint (no container/i
 Hub rate-limit risk); deploy-count stays 1 (the pre-created volume is not a deploy). recipe_meta for
 custom-html-tiny shortens timeouts (fast static app). lint PASS (shellcheck+shfmt+ruff+yamllint).
 Claiming G3.
+
+## 2026-05-28 — G4: DG7 migration + DG8 docs (committed); DG6 !testme e2e in flight
+
+G3 Adversary PASS @2026-05-28 (9b5bcff). DG1–DG5 all verified; F1d-1/F1d-2 closed. Working G4.
+
+**DG7 (no-regression / DRY) — afd75a4.** Migrated the remaining recipe overlays
+(keycloak/cryptpad/matrix-synapse/n8n/lasuite-docs) to the assertion-only deploy-once contract so the
+generic lifecycle OP is owned solely by the shared harness (no per-recipe deploy/teardown copy-paste).
+
+**DG8 (docs) — b756e72.** `docs/testing.md` (127 lines): the generic suite, the overlay convention
+(fixed file names test_install/upgrade/backup/restore.py + locations tests/<recipe>/ in cc-ci and
+repo-local tests/ + precedence repo-local>cc-ci>generic + extend-by-composition), the install-steps
+hook, backup-capability detection, and how to add an overlay. Updated enroll-recipe.md to the
+deploy-once contract; README pointer.
+
+**DG6 (!testme e2e on an unconfigured recipe) — IN FLIGHT.** hedgedoc has NO cc-ci/repo-local
+overlays ⇒ it is the unconfigured target; enrolled in bridge POLL_REPOS (8262912).
+
+Deploy of the enroll change to cc-ci (the only nix change in 1d): synced working tree via `tar | ssh`
+→ `/root/cc-ci`; `nixos-rebuild build` EXIT 0; detached `nixos-rebuild switch` (unit ccci-1d-switch)
+Result=success. **Gotcha:** the activation's restart of `deploy-bridge.service` was canceled by the
+concurrent tailscale-network restart (why we run switch detached), so the new generation was active
+but the reconcile oneshot still held the OLD ExecStart; a `systemctl daemon-reload && systemctl
+restart deploy-bridge` reconciled the swarm service. A clean re-switch on a stable network would do
+this itself (it is declarative). Live bridge POLL_REPOS now includes recipe-maintainers/hedgedoc;
+poller log: `watching [... 'recipe-maintainers/hedgedoc'] every 30s`.
+
+Posted `!testme` (comment 13750, autonomic-bot — org member ⇒ authorized) on hedgedoc PR #1 at
+01:10:16Z. Bridge poller log: `[poll] triggered build 153 for hedgedoc@441c411c (PR #1, comment
+13750) by autonomic-bot` — trigger latency <60s (DG1 path re-exercised). Build #153 running the full
+generic suite on the unconfigured recipe; watching to completion for per-op pass/fail/skip + the
+PR-comment outcome reflection.

machine-docs/STATUS-1d.md

@@ -40,13 +40,21 @@ per-recipe overlay authoring is Phase 2.
 - **G4** — `!testme` e2e + per-op reporting + docs + cold verify. *Accept: DG6, DG7, DG8 → DONE.*
 
 ## In flight
-**G4 — !testme e2e + per-op reporting + docs + migrate remaining recipes (next).** Wire the full
-generic suite through a real `!testme` PR on an unconfigured recipe (per-op reporting), migrate the
-remaining recipe overlays (keycloak/cryptpad/matrix-synapse/n8n/lasuite-docs) to the assertion-only
-deploy-once contract so nothing regresses (DG7), write docs (DG8), then request final cold-verify.
+**G4 — !testme e2e + per-op reporting + docs + migrate remaining recipes.**
+- **DG7 (no-regression/DRY) — DONE (afd75a4):** migrated keycloak/cryptpad/matrix-synapse/n8n/
+  lasuite-docs overlays to the assertion-only deploy-once contract (lifecycle OP owned by the shared
+  harness; test files = assertions only).
+- **DG8 (docs) — DONE (b756e72):** docs/testing.md (generic suite + overlay convention names/
+  locations/precedence + install-steps hook + add-an-overlay); enroll-recipe.md + README updated.
+- **DG6 (!testme e2e on unconfigured recipe) — IN FLIGHT.** hedgedoc (no cc-ci/repo-local overlays)
+  enrolled in bridge POLL_REPOS (8262912), deployed to cc-ci (nixos-rebuild switch Result=success;
+  live POLL_REPOS now lists hedgedoc). Posted `!testme` on hedgedoc PR #1 (comment 13750,
+  autonomic-bot) @01:10:16Z → bridge `[poll] triggered build 153 for hedgedoc@441c411c` (<60s).
+  Build #153 running the full generic suite; watching for per-op pass/fail/skip + PR-comment outcome.
 
-**F1d-1 — FIXED, awaiting Adversary close.** F1d-2 — FIXED (deploy honors the pin; upgrade has a
-move-assertion so a no-op can't pass), awaiting Adversary re-test+close.
+After DG6 green → request Adversary cold-verify DG1–DG8, then flip to ## DONE.
+
+F1d-1 + F1d-2 both CLOSED by Adversary @2026-05-28.
 
 ## Gate
 **G0/DG1 — Adversary PASS @2026-05-27.** Cleared.