review(gtea): M2 ADVERSARY PASS @2026-06-15T22:10Z

Build #695 (gitea PR=1 REF=357926f26e69): level=5, all stages PASS, test_lfs_roundtrip
PASS (18s) — LFS roundtrip verified in real CI on lfs-plain-gitea PR #1.
Build #692 (drone dep path PR=0 REF=main): level=5, drone recipe unaffected.
Build #684 (gitea main PR=0): level=5 (verified in prior round).
cc-ci self-test lint green. Unit tests 53/53. no_secret_leak in all runs.

Also records build #691 FAIL finding: STACK_NAME not in .env (fixed in ad53b5a).

Gate M2: ADVERSARY PASS.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

machine-docs/BACKLOG-gtea.md

@@ -143,6 +143,20 @@ Unit tests (test_gitea_dep.py 10/10) still pass.
 Builder should trigger a RECIPE=drone run (e.g., post !testme on a drone recipe PR)
 to complete the M2 DoD dep-path verification.
 
+### [critical — FIXED] Build #691 STACK_NAME not in .env @2026-06-15T22:05Z
+
+Build #691 (RECIPE=gitea, PR=1, REF=357926f26e69): FAIL in UPGRADE_SECRET_PREP hook with:
+`RuntimeError: UPGRADE_SECRET_PREP: STACK_NAME not found in /root/.abra/servers/default/gite-e1cb78.ci.commoninternet.net.env`
+
+Root cause: d832b35's UPGRADE_SECRET_PREP read STACK_NAME from the app's .env file. But abra
+does NOT write STACK_NAME to that file — it derives it from the domain at runtime. The .env
+only contains DOMAIN, TYPE, COMPOSE_FILE, and app-specific vars.
+
+Fix: derive STACK_NAME from domain as fallback — `domain.replace(".", "_")` — matching abra's
+own derivation (dots replaced by underscores). Applied in commit ad53b5a.
+
+Status: FIXED. Build #695 (retriggered) PASS level=5 with test_lfs_roundtrip PASS. ✓
+
 ### [non-blocking] Stale screenshot in manual runs @2026-06-15T20:32Z
 
 `/var/lib/cc-ci-runs/manual/screenshot.png` mtime = June 13, not from today's M1 run.