backlog(2): plausible Q4.7b scoped + ready (staged hardened entrypoint.clickhouse.sh; mirror+PR+run steps); queued behind Adversary Q4.6/F2-14c verifies

machine-docs/BACKLOG-2.md

@@ -199,11 +199,23 @@ Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase2-recipe-tests.md`
       when GitHub answers the first wget (proven: install,custom run + probe). Path to green: GitHub
       cooldown + ONE clean full run. Test content is correct; this is upstream-recipe fragility.
 - [ ] **Q4.7b** — plausible recipe PR (DEFERRED robustness, like Q3.2b/immich): harden
-      `entrypoint.clickhouse.sh` — cache clickhouse-backup on the persistent `/var/lib/clickhouse`
-      volume (skip-if-present → no re-download amplification), retry-with-backoff, `set +e` so a
-      download failure never blocks clickhouse-server start. NOTE: only fixes the upgrade tier + FUTURE
-      installs once released (install tier deploys the prev PUBLISHED version), so it does NOT unblock
-      this gate's install tier under throttle. Use recipe-create-pr skill; merge rule per Q3.2b.
+      `entrypoint.clickhouse.sh`. **READY-TO-EXECUTE (scoped 2026-05-31):** the fixed file is staged at
+      `machine-docs/plausible-entrypoint.clickhouse.sh.fixed` — caches clickhouse-backup on the persistent
+      `event-data:/var/lib/clickhouse/.ccci-bin` volume (skip-if-present → no re-download amplification),
+      retry×5 w/ backoff, best-effort `install_clickhouse_backup || true` so a download failure NEVER
+      blocks `exec /entrypoint.sh` (the server start), un-silenced. Root cause confirmed: published
+      entrypoint is `set -ex` + single silenced no-retry wget of a 22MB GitHub tarball to ephemeral /tmp
+      → any transient throttle exits before the server starts → swarm restart-storm → amplified throttle.
+      **Execution steps (node-free except the final run):** (1) mirror `coop-cloud/plausible` →
+      `recipe-maintainers/plausible` (NOT mirrored yet; gitea API POST /orgs/recipe-maintainers/repos +
+      `git clone --mirror` upstream → push, incl tags — plan §0b / recipe-create-pr). (2) branch
+      `ci/clickhouse-backup-resilient`, replace `entrypoint.clickhouse.sh` with the staged file, push,
+      open PR. (3) on the FRESH-IP Hetzner box the first wget should succeed (no accumulated throttle),
+      so a single full `RECIPE=plausible PR=<n> REF=<head> SRC=recipe-maintainers/plausible` run should
+      go green (install+upgrade+backup-restore). NOTE: the install tier deploys the prev PUBLISHED
+      version (old entrypoint), so its green-ness still depends on the fresh-IP download succeeding; the
+      PR makes the upgrade-tier head deploy + within-run restarts resilient (cache). Merge rule per Q3.2b.
+      **QUEUED behind the Adversary's Q4.6 + F2-14c cold-verifies (single node, MAX_TESTS=1).**
 - [ ] **Q4.7 gate** — full lifecycle (install+upgrade+backup-restore) green via clean run + Adversary.
 - [x] **Q4.8** — uptime-kuma: enrolled. PARITY.md + recipe_meta.py + 3 functional tests
       (health_check, socketio_handshake, spa_branding). Cold green (commit `1aaf3bd`).