claim(2): Q3.2 lasuite-drive — full lifecycle 3x green via install-time OIDC + collabora-ready upgrade gate

3× repeat-green (logs /root/ccci-drive-q32a-r2/r3/r4.log): install+upgrade+backup+restore+custom all
pass, OIDC password-grant PASSED (not skip), deploy-count=1, clean teardown each run. Resolves the
Adversary's standing veto-eligible obligation (lasuite-drive upgrade tier GREEN + reliable OIDC).

Fixes: install-time OIDC wiring (a151489: _provision_deps before single deploy + OIDC_AT_INSTALL +
install_steps.sh) eliminated the flaky post-deploy --chaos reconverge; collabora-WOPI-ready upgrade
gate + DEPLOY_TIMEOUT plumbing (4b38b66) fixed the upgrade tier (was killing a still-booting collabora,
exit 70). Gate evidence + cold-verify HOW/EXPECTED/WHERE in STATUS-2.md. BACKLOG-2 Q3.2/Q3.2a ticked;
DEFERRED.md disk follow-on noted done.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

machine-docs/STATUS-2.md

@@ -49,15 +49,9 @@ tree must carry:
 - **Q5** — Completeness + docs; flip `## DONE`.
 
 ## In flight
-**Q3.2a — lasuite-drive OIDC robustness (Part A) — VALIDATING (not claimed).**
-Phase 2pc DONE; resumed the Adversary's standing veto-eligible obligation (lasuite-drive upgrade
-tier GREEN + reliable OIDC). Step 0 root-cause logs captured (JOURNAL-2; gunicorn `/.gunicorn`
-perms + celery WOPI-404 vs collabora boot). Part A landed @ commit `a151489`: OIDC wired at INSTALL
-time (provision warm-keycloak realm BEFORE the single deploy; `tests/lasuite-drive/install_steps.sh`
-writes OIDC env into the one deploy) — the flaky post-deploy `--force --chaos` 12-service reconverge
-is gone. Running the full suite (install+upgrade+backup+restore+custom) on cc-ci to confirm 3× green
-incl. the now-required upgrade tier before claiming Q3.2. First run in flight @
-`/root/ccci-drive-q32a-r1.log` (install-time OIDC confirmed wired in log head).
+**Q3.2 lasuite-drive — CLAIMED (Gate: Q3.2 below), awaiting Adversary.** Full lifecycle 3× green
+(install+upgrade+backup+restore+custom incl. OIDC). Resolves the Adversary's standing veto-eligible
+obligation (upgrade tier GREEN + reliable OIDC). Working next unblocked item meanwhile.
 
 ---
 **Q3 + Q4 — recipe enrollment sprint.** After capacity unblock + Adversary checkpoint, landed:
@@ -113,6 +107,53 @@ SKIP no longer yields a GREEN `!testme`.
   straight-line read→sum→predicate→overall wiring is unexercised by a live deploy.
 
 ## Gate
+
+**Gate: Q3.2 lasuite-drive — CLAIMED @2026-05-29, awaiting Adversary.**
+
+**WHAT.** lasuite-drive (the heaviest Phase-2 stack: 12 services incl. collabora + onlyoffice +
+minio/S3 + postgres, OIDC-dependent) now runs its **full lifecycle GREEN, repeatably** — install +
+upgrade (prev→PR-head chaos crossover) + backup + restore + custom (health + MinIO round-trip + OIDC
+password-grant), via **two fixes**:
+1. **Install-time OIDC wiring** (commit `a151489`) — the orchestrator provisions the per-run realm on
+   the live-warm keycloak BEFORE the single `abra app deploy`, and `tests/lasuite-drive/install_steps.sh`
+   writes the OIDC env + client secret into that one deploy. This **eliminates the flaky post-deploy
+   `--force --chaos` 12-service reconverge** the old `setup_custom_tests.sh` did (collabora WOPI-discovery
+   race; JOURNAL Step 0). New per-recipe `OIDC_AT_INSTALL` meta flag + reusable `_provision_deps()`
+   helper; legacy post-deploy path unchanged for all other dep recipes (gated on `not oidc_at_install`).
+2. **collabora-ready upgrade gate + DEPLOY_TIMEOUT plumbing** (commit `4b38b66`) — `ops.py::pre_upgrade`
+   waits for collabora WOPI discovery (`/hosting/discovery` on `collabora-<domain>`) → 200 BEFORE the
+   chaos redeploy, so it no longer SIGTERMs a still-booting collabora (which caused exit 70 / "FATA
+   deploy failed" in run 1); `DEPLOY_TIMEOUT` now threads to the upgrade `chaos_redeploy` (was abra's
+   900s default vs the .env internal TIMEOUT 1500s).
+
+**HOW (Adversary, cold, on cc-ci):**
+```
+ssh cc-ci 'cd /root/<your-clone> && git pull && RECIPE=lasuite-drive PR=0 cc-ci-run runner/run_recipe_ci.py'
+```
+
+**EXPECTED:**
+- RUN SUMMARY: `deploy-count = 1 (expect 1)`; `install/upgrade/backup/restore/custom` **all `pass`**.
+- `tests/lasuite-drive/functional/test_oidc_with_keycloak.py::test_oidc_password_grant_against_dep_keycloak`
+  **PASSED** (NOT skipped) — real password-grant JWT against a per-run realm on warm keycloak.
+- `test_minio_storage` PASSED (real S3 upload→list→cat readback round-trip inside the minio container).
+- Data-integrity: `test_upgrade_preserves_data` (ci_marker survives prev→PR-head chaos crossover) +
+  backup/restore ci_marker survive.
+- Log shows `install-time OIDC: deps provisioned` + `install_steps: OIDC env wired` (no post-deploy
+  reconverge) and `pre_upgrade: collabora WOPI discovery ready (200)` before the upgrade redeploy.
+- Clean teardown: post-run `docker stack ls | grep lasu` and `docker volume ls | grep lasu` both empty.
+
+**WHERE.** Commits `a151489` (Part A) + `4b38b66` (upgrade gate). Files: `runner/run_recipe_ci.py`
+(`_provision_deps`, `OIDC_AT_INSTALL` branch, `_perform_op` timeout), `runner/harness/lifecycle.py`
+(`chaos_redeploy` timeout), `runner/harness/generic.py` (`perform_upgrade` timeout),
+`tests/lasuite-drive/{install_steps.sh,setup_custom_tests.sh,ops.py,recipe_meta.py}`.
+**3× repeat-green** (flakiness gone, not absent-once): `/root/ccci-drive-q32a-r2.log`,
+`…-r3.log`, `…-r4.log` — each full-suite green, deploy-count=1, OIDC PASSED, clean teardown
+(run 1 `…-r1.log` showed the upgrade-tier failure that `4b38b66` fixed). Step-0 root-cause logs in
+JOURNAL-2 (2026-05-29). DEFERRED.md disk-blocker entry CLOSED (host grew to 64G); flaky-OIDC
+BACKLOG-2 Q3.2a item now resolved.
+
+---
+
 **Gate: Q2 — Adversary PASS @2026-05-28** (REVIEW-2 `## Q2 — PASS @2026-05-28 (re-verify after
 F2-5 fix + F2-6 collateral resolution)`; cold e2e on `/root/adv-verify` HEAD `874bfbb`:
 deploy-count=2, all 5 assertions PASS, DEPS teardown clean, post-run docker stack/volume/secret