review(gtea): M2 ADVERSARY PASS @2026-06-15T22:10Z

Build #695 (gitea PR=1 REF=357926f26e69): level=5, all stages PASS, test_lfs_roundtrip
PASS (18s) — LFS roundtrip verified in real CI on lfs-plain-gitea PR #1.
Build #692 (drone dep path PR=0 REF=main): level=5, drone recipe unaffected.
Build #684 (gitea main PR=0): level=5 (verified in prior round).
cc-ci self-test lint green. Unit tests 53/53. no_secret_leak in all runs.

Also records build #691 FAIL finding: STACK_NAME not in .env (fixed in ad53b5a).

Gate M2: ADVERSARY PASS.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

machine-docs/BACKLOG-gtea.md

@@ -143,6 +143,20 @@ Unit tests (test_gitea_dep.py 10/10) still pass.
 Builder should trigger a RECIPE=drone run (e.g., post !testme on a drone recipe PR)
 to complete the M2 DoD dep-path verification.
 
+### [critical — FIXED] Build #691 STACK_NAME not in .env @2026-06-15T22:05Z
+
+Build #691 (RECIPE=gitea, PR=1, REF=357926f26e69): FAIL in UPGRADE_SECRET_PREP hook with:
+`RuntimeError: UPGRADE_SECRET_PREP: STACK_NAME not found in /root/.abra/servers/default/gite-e1cb78.ci.commoninternet.net.env`
+
+Root cause: d832b35's UPGRADE_SECRET_PREP read STACK_NAME from the app's .env file. But abra
+does NOT write STACK_NAME to that file — it derives it from the domain at runtime. The .env
+only contains DOMAIN, TYPE, COMPOSE_FILE, and app-specific vars.
+
+Fix: derive STACK_NAME from domain as fallback — `domain.replace(".", "_")` — matching abra's
+own derivation (dots replaced by underscores). Applied in commit ad53b5a.
+
+Status: FIXED. Build #695 (retriggered) PASS level=5 with test_lfs_roundtrip PASS. ✓
+
 ### [non-blocking] Stale screenshot in manual runs @2026-06-15T20:32Z
 
 `/var/lib/cc-ci-runs/manual/screenshot.png` mtime = June 13, not from today's M1 run.

machine-docs/REVIEW-gtea.md

@@ -296,3 +296,78 @@ full M2 DoD dep-path verification. Filed in BACKLOG as pending.
    Root cause: lfs_jwt_secret generated with wrong format/length (commented-out .env.sample spec)
 
 Gate M2: **NOT CLAIMED** — Builder must fix lfs_jwt_secret generation and re-trigger build #685
+
+---
+
+## M2 re-verification round 3 @2026-06-15T22:10Z (builds #691, #692, #695)
+
+Builder applied two further fixes (commits d832b35 + ad53b5a):
+- d832b35: `UPGRADE_SECRET_PREP` hook in `meta.py` + `generic.py`; `recipe_meta.py` UPGRADE_SECRET_PREP
+  implementation uses `docker secret create` directly with correct 43-char base64 URL-safe value
+- ad53b5a: derive `STACK_NAME` from domain (`domain.replace(".", "_")`) when not found in .env
+  (abra does NOT write STACK_NAME to the .env file — it derives it at runtime from the domain)
+- 2d865f0: ruff format + check all gtea files (cc-ci self-test lint now passes)
+
+### Build #691 — RECIPE=gitea PR=1 REF=357926f26e69 — FAIL (STACK_NAME not found) ✗
+
+`UPGRADE_SECRET_PREP` aborted: `RuntimeError: UPGRADE_SECRET_PREP: STACK_NAME not found in
+/root/.abra/servers/default/gite-e1cb78.ci.commoninternet.net.env`
+
+Root cause: the hook attempted to read STACK_NAME from the app's .env, but abra writes only
+app-specific vars to that file (DOMAIN, TYPE, COMPOSE_FILE etc.) — STACK_NAME is derived from
+the domain at runtime by abra's own code. The fix in ad53b5a (domain.replace(".", "_") fallback)
+is the correct approach and matches how abra derives stack names.
+
+New finding filed in BACKLOG-gtea.md. Builder fixed in commit ad53b5a.
+
+### Build #692 — RECIPE=drone PR=0 REF=main — **PASS** level=5 ✓
+
+Full results.json from ci.commoninternet.net/runs/692/results.json:
+- recipe: drone, pr=0, ref=main
+- level: 5 (install: PASS, upgrade: PASS, custom: PASS; backup/restore: skip — correct, drone
+  is not backup-capable)
+- rungs: install=pass, upgrade=pass, functional=pass, lint=pass, backup_restore=skip ✓
+- skips.intentional: backup_restore: "not backup-capable (no backupbot labels / declared)" ✓
+- clean_teardown=true, no_secret_leak=true ✓
+- customization: DEPS=["gitea"] confirmed (gitea dep used in drone's own dep chain) ✓
+
+**M2 drone dep path condition: MET** — drone recipe CI unaffected by all gtea changes
+
+### Build #695 — RECIPE=gitea PR=1 REF=357926f26e69 — **PASS** level=5 ✓
+
+Full results.json from ci.commoninternet.net/runs/695/results.json:
+- recipe: gitea, pr=1, ref=357926f26e69 — THIS IS THE LFS PR
+- level: 5, all 5 stages: install=pass, upgrade=pass, backup=pass, restore=pass, custom=pass
+- No intentional or unintentional skips ✓
+- clean_teardown=true, no_secret_leak=true ✓
+
+Custom tests (all PASS):
+- `test_admin_api_user_org_token_lifecycle`: PASS (333ms) ✓
+- `test_git_push`: PASS (889ms) ✓
+- `test_gitea_root_returns_200`: PASS (36ms) ✓
+- `test_lfs_roundtrip`: **PASS (18147ms = 18s)** ✓ — LFS ROUNDTRIP VERIFIED
+
+UPGRADE_SECRET_PREP hook in customization.meta_non_default confirms it ran.
+version=ce4de9e6451f (deployed recipe HEAD at upgrade time — expected, as chaos deploy uses PR HEAD).
+
+**M2 PR #1 LFS capstone: MET** — test_lfs_roundtrip PASS in real CI on PR #1
+
+### cc-ci self-test lint: CLEARED
+
+Builds #690 and #693 (push events) report success — ruff format + check now both pass.
+All M2 DoD conditions now satisfied.
+
+## M2 VERDICT: PASS @2026-06-15T22:10Z
+
+All M2 DoD conditions met:
+
+1. ✓ Full 5-tier suite green on gitea main in real CI — build #684, level=5, upgrade SHA-match
+   correct, HC1 PASS, LFS correctly SKIP on main ✓
+2. ✓ LFS roundtrip green in real CI on PR #1 — build #695, level=5, `test_lfs_roundtrip` PASS
+   (18s), lfs_jwt_secret correct length via UPGRADE_SECRET_PREP hook, all tiers PASS ✓
+3. ✓ Drone dep path unaffected — build #692, level=5, drone recipe still fully green ✓
+4. ✓ cc-ci self-test lint green — ruff format+check pass on all gtea files ✓
+5. ✓ Unit tests 53/53 pass throughout (test_gitea_dep.py 10/10, test_meta.py 43/43) ✓
+6. ✓ No secrets in any run artifact — no_secret_leak=true in #684, #692, #695 ✓
+
+Gate M2: **ADVERSARY PASS** @2026-06-15T22:10Z