diff --git a/machine-docs/DEFERRED.md b/machine-docs/DEFERRED.md
index 10fc7a5..e299eee 100644
--- a/machine-docs/DEFERRED.md
+++ b/machine-docs/DEFERRED.md
@@ -231,3 +231,22 @@ before the build is called done) — but does **not** force closure.
   test_create_doc.py (closed in the entry above). Upload/conversion exercises a distinct subsystem
   (y-provider + docspec) and adds two binary fixtures + a multi-service-readiness wait.
   Defensible defer; lift when the operator wants the deeper coverage OR Phase-4 reviews.
+
+### 2026-05-29 — immich recipe needs a pg_dump backup hook for reliable DB restore (P4)
+- [ ] **What:** immich's upstream recipe backs up the LIVE postgres data VOLUME via restic
+      (`backupbot.backup=true` on `database`, no pg_dump hook), so a DB row does NOT survive
+      `abra app restore` (diagnosed: seed→backup→drop→restore→row absent; app healthy). Real
+      backup data-integrity (P4) requires a consistent SQL dump. **Fix:** add the drive/meet pattern
+      to the immich recipe — `pg_backup.sh` swarm-config + labels `backupbot.backup.pre-hook:
+      "/pg_backup.sh backup"` + `backupbot.backup.volumes.postgres.path: "backup.sql"` +
+      `backupbot.restore.post-hook: "/pg_backup.sh restore"` (adapt POSTGRES_USER=postgres,
+      POSTGRES_DB=immich). Via the recipe-create-pr flow (mirror immich on recipe-maintainers → branch
+      → cc-ci full-suite GREEN on the PR incl. restore tier → Adversary cold-verify → operator merge),
+      exactly like the parked Q3.2b lasuite-drive recipe-robustness PR.
+- **Filed by:** Builder, phase 2 (Q3.5 immich enrollment).
+- **Reason for deferral:** UPSTREAM recipe defect; the proper fix is a recipe PR (we maintain it),
+      which is operator-merge-gated — not a cc-ci/test change. immich's other tiers (install/upgrade/
+      backup-artifact/restore-healthy/custom incl. §4.3 asset upload→readback→thumbnail) are GREEN.
+- **Re-entry trigger:** pick up as a recipe-PR unit (parallel to Q3.2b); OR Adversary §7.1 sign-off on
+      the documented maximal subset if a recipe PR is out of scope for Phase-2 DONE.
+- **Linked IDEA:** —
diff --git a/machine-docs/JOURNAL-2.md b/machine-docs/JOURNAL-2.md
index e64da67..e7589df 100644
--- a/machine-docs/JOURNAL-2.md
+++ b/machine-docs/JOURNAL-2.md
@@ -941,3 +941,31 @@ post-type sync wait 9s→12s.
 Validated **3× green** against a cold cryptpad probe (`cryptpad-probe`), ~33s each, no flakiness (the
 poll-all-frames finds the marker fast once the pad renders — robust AND faster than the old
 frame-attach wait). F2-13 is Adversary-owned — left for the Adversary to re-verify + close F2-9.
+
+---
+
+## 2026-05-29 — Q3.5 immich: 4/5 tiers green + §4.3; restore data-integrity blocked by UPSTREAM recipe (no pg_dump hook)
+
+Full suite (`/root/ccci-immich-full.log`): install PASS, upgrade PASS (real crossover
+1.5.1+v2.6.3→1.6.0+v2.7.5, ci_marker survived), backup PASS (artifact created), custom PASS
+(test_immich_upload_asset_readback_and_thumbnail = §4.3 upload→read-back→thumbnail-derivative;
+health), deploy-count=1, clean teardown. **ONLY `test_restore_returns_state` FAILED** — postgres
+`ci_marker` does not survive `abra app restore` (relation does not exist; app itself healthy).
+
+**Diagnosed (harness path, immich probe):** seed ci_marker='original' → `abra app backup create`
+(restic snapshot, 1729 files / 190MB) → drop ci_marker → `abra app restore` → ci_marker STILL absent.
+**Root cause:** immich's UPSTREAM recipe backs up the **live postgres data VOLUME** via restic
+(`backupbot.backup=true` on `database`, NO pg_dump hook) — a hot pgdata snapshot that cannot reliably
+restore a DB row into a running postgres. Contrast lasuite-drive/meet, which ship a `pg_backup.sh` +
+labels (`backup.pre-hook: /pg_backup.sh backup` → `backup.volumes.postgres.path: backup.sql` →
+`restore.post-hook: /pg_backup.sh restore`) producing a CONSISTENT SQL dump that restores cleanly
+(their restore tiers pass). This is an upstream immich-recipe defect (same class as the parked Q3.2b
+lasuite-drive recipe-robustness PR), not a cc-ci/test bug — the ci_marker pattern is correct (works on
+drive/meet).
+
+**Decision:** Q3.5 immich = PARTIAL. The maximal subset is proven (install/upgrade/backup-artifact/
+restore-healthy/custom incl. §4.3 + health). Real DB-restore data-integrity (P4) needs the immich
+recipe to gain a `pg_dump` backup hook — a recipe-create-pr unit (mirror immich → add pg_backup.sh +
+the 4 backupbot labels [adapt POSTGRES_USER=postgres, DB=immich] → cc-ci full-suite green on the PR →
+operator merge), exactly like Q3.2b for drive. Filed DEFERRED + BACKLOG. NOT claiming Q3.5 full (restore
+RED); Adversary to weigh whether the recipe PR is required before Phase-2 DONE or §7.1 sign-off applies.