claim(M2): samever proven in real CI — step-back base<head, version-bump unaffected, discourse #4 + hedgedoc spot-check

5 real cc-ci runs (samever-deploy @ cc-ci main): Run B nightly steady-state step-back
custom-html 1.11.0+1.29.0→1.13.0+1.31.1 (base<head real delta, 5 tiers green); Run C
version-bump UNAFFECTED (last-green path); Run D PR-form step-back (ref set); discourse #4
kind=ref main-tip unaffected (migration 0.8.1→1.0.0 green); hedgedoc spot-check step-back
3.0.9→3.0.10 green. WHAT/HOW/EXPECTED/WHERE in STATUS-samever.md; logs /root/samever-*.log,
artifacts /var/lib/cc-ci-runs/samever-*/ on cc-ci.

machine-docs/BACKLOG-samever.md

@@ -15,3 +15,11 @@
 - Run A (custom-html cold-on-latest, /root/samever-runA.log on cc-ci): launched 04:3xZ. No canonical
   yet → upgrade base kind=skip (head==main tip); on green promotes canonical→latest 1.13.0+1.31.1.
 - Run B (next): cold-on-latest again → canonical==head → expect step-back base 1.11.0+1.29.0 (<latest).
+
+### M2 result — CLAIMED 2026-06-17T04:55Z (all 5 demonstrations green)
+- [x] Run B nightly steady-state step-back: custom-html canonical==head 1.13.0 → base 1.11.0+1.29.0,
+  upgrade 1.11.0→1.13.0 (base<head real delta), 5 tiers green. [§5 DoD]
+- [x] Run C version-bump UNAFFECTED (enrolled): canonical older 1.11.0 → head 1.13.0, "last-green" path.
+- [x] Run D PR form: ref=2b82ebab pr=999, head==canonical → step-back still triggers.
+- [x] discourse #4 UNAFFECTED: kind=ref main-tip f87c612d, migration 0.8.1→1.0.0 green. [§5 DoD]
+- [x] Spot-check hedgedoc: step-back 3.0.9→3.0.10 generalizes to a 2nd recipe/tag-set, green.

machine-docs/JOURNAL-samever.md

@@ -79,3 +79,22 @@ Two-run authentic nightly simulation on cc-ci (/root/samever-deploy @ cc-ci main
 
 Artifacts preserved on cc-ci: /root/samever-run{A,B,C}.log, /root/samever-disc4.log; run B/C results
 copied to /var/lib/cc-ci-runs/samever-run{B,C}/ (Adversary-readable).
+
+## 2026-06-17T04:55Z — M2 complete (PR form + spot-check), claiming
+
+- **Run D (PR form):** ran custom-html with REF=2b82ebab PR=999 (a PR head whose compose version is
+  still 1.13.0 == canonical). Resolver stepped back to 1.11.0+1.29.0 even with the ref present —
+  confirming the step-back is ref-independent (the canonical branch precedes the main-tip/ref path).
+  Upgrade 1.11.0→1.13.0 green.
+- **Spot-check (hedgedoc):** only custom-html is WARM_CANONICAL-enrolled, so to exercise the resolver on
+  a SECOND recipe + different tag ordering I hand-seeded hedgedoc's canonical record to its latest
+  (3.0.10+1.10.8) — the resolver reads canonical.read_registry regardless of enrollment, so this is the
+  same production code path. cold-on-latest → step-back to 3.0.9+1.10.7, upgrade green. Removed the
+  seeded record afterward (`rm -rf /var/lib/ci-warm/hedgedoc`) to leave clean state; hedgedoc is not
+  enrolled and would be pruned anyway.
+- **State hygiene:** custom-html canonical left at the legitimately-promoted 1.13.0+1.31.1 (its real
+  enrolled steady state). No leftover run stacks (clean teardown verified). Pre-existing warm-keycloak
+  orphan untouched.
+
+Design B (canonical history) is already recorded out-of-scope in cc-ci-plan/IDEAS.md (per plan §5) —
+verify before DONE.

machine-docs/STATUS-samever.md

@@ -9,10 +9,76 @@ Started 2026-06-17. Gates: **M1** (implemented + unit-tested), **M2** (proven in
 ## Current status
 
 **M1: PASS** (REVIEW-samever.md @2026-06-17T04:27Z — cold-verified, teeth hold, no regression).
-**M2: IN PROGRESS** — real-CI demonstration on cc-ci. Plan: custom-html cold-on-latest twice (run A
-promotes canonical→latest 1.13.0+1.31.1; run B = nightly steady state → step-back to 1.11.0+1.29.0,
-base<latest); PR form (head==canonical → step-back); version-bump UNAFFECTED (canonical older→head);
-discourse #4 unaffected; spot-check.
+**Gate: M2 CLAIMED, awaiting Adversary** @2026-06-17T04:55Z.
+
+## M2 — WHAT is claimed
+
+Proven in real CI on cc-ci that the resolver steps back to a genuinely older base when the last-green
+canonical == head version (never a same-version no-op, never a needless skip), and that the
+version-bump path is UNAFFECTED. Five real runs (cc-ci@main = samever code, run from
+`/root/samever-deploy`; the runner logs the resolver decision + the deployed version-label move):
+
+1. **Nightly steady state (THE headline, §5 DoD)** — custom-html cold-on-latest, run TWICE:
+   - Run A (first nightly, no canonical): `upgrade base: kind=skip SKIP: head == main tip`; 5 tiers
+     green; `WC5 promote: canonical custom-html advanced to known-good 1.13.0+1.31.1`.
+   - Run B (2nd consecutive nightly, canonical==latest==head): **STEP-BACK** —
+     `upgrade base: kind=version version=1.11.0+1.29.0 (step-back: last-green canonical (1.13.0+1.31.1)
+     == head version 1.13.0+1.31.1; newest older published base)`, then the upgrade tier deployed that
+     base and chaos-upgraded to head: `upgrade→PR-head: ... version=1.11.0+1.29.0→1.13.0+1.31.1`
+     (label MOVED, **base < head, REAL delta** — not a no-op, not a skip). All 5 tiers green. Proves
+     F1d-2: the older base really deployed pinned 1.11.0 then upgraded to 1.13.0.
+2. **Version-bump UNAFFECTED (enrolled)** — Run C: re-seeded canonical→OLDER 1.11.0+1.29.0, cold-on-latest
+   head 1.13.0 → `upgrade base: kind=version version=1.11.0+1.29.0 (last-green (warm canonical, status=idle))`
+   — reason **"last-green", NOT "step-back"**: the unchanged prevb path; upgrade 1.11.0→1.13.0 green.
+3. **PR form (ref set, head==canonical)** — Run D: `recipe=custom-html ref=2b82ebab pr=999` →
+   `kind=version version=1.11.0+1.29.0 (step-back: ... canonical (1.13.0+1.31.1) == head version
+   1.13.0+1.31.1 ...)` — step-back STILL triggers with a PR head ref present (ref does not suppress it);
+   upgrade green.
+4. **discourse #4 UNAFFECTED (non-enrolled version-bump, §5 DoD)** — REF=ae5a8180:
+   `upgrade base: kind=ref ref=f87c612d71b4 (target-branch (main) tip)` — byte-identical to prevb run 717;
+   discourse is not enrolled so the resolver never enters the canonical branch. Migration green:
+   `version=0.8.1+3.5.0→1.0.0+3.5.3`, `test_head_runs_official_image_not_bitnamilegacy` +
+   `test_sidekiq_service_dropped_by_head` PASSED. install/upgrade pass.
+5. **Spot-check, second recipe/tag-set** — hedgedoc: seeded canonical=3.0.10+1.10.8 (its latest),
+   cold-on-latest → `kind=version version=3.0.9+1.10.7 (step-back: ... canonical (3.0.10+1.10.8) == head
+   version 3.0.10+1.10.8 ...)`; upgrade `version=3.0.9+1.10.7→3.0.10+1.10.8` green. Step-back generalizes
+   to a different recipe + different published-tag ordering. (hedgedoc is NOT WARM_CANONICAL-enrolled —
+   only custom-html is — so its canonical record was hand-seeded to exercise the same resolver path; the
+   seed was removed after, leaving clean state. The resolver reads `canonical.read_registry` regardless
+   of enrollment, so this faithfully exercises the production code path.)
+
+## M2 — WHERE (logs + artifacts on cc-ci, Adversary-readable)
+
+- Code under test: cc-ci@main (samever), checked out at `/root/samever-deploy` (HEAD 1310a95, includes
+  resolver commit b29bb3f). Runner: `runner/run_recipe_ci.py`.
+- Run logs: `/root/samever-runA.log`, `…-runB.log`, `…-runC.log`, `…-runD.log`, `…-disc4.log`,
+  `…-hedgedoc.log`.
+- Preserved results.json/junit/badge: `/var/lib/cc-ci-runs/samever-runB/`, `…-runC/`, `…-runD/`,
+  `…-disc4/`, `…-hedgedoc/` (each /var/lib/cc-ci-runs/manual is overwritten per run, so these are copies).
+- custom-html canonical (legit enrolled state, left as-is): `/var/lib/ci-warm/custom-html/canonical.json`
+  = version 1.13.0+1.31.1. No leftover run stacks (clean teardown verified; pre-existing
+  `warm-keycloak` orphan untouched — not samever).
+
+## M2 — HOW to verify (cold, from a clean clone / fresh runs)
+
+A. **Cold-read the preserved logs** — `grep "upgrade base" /root/samever-run{A,B,C,D}.log
+   /root/samever-{disc4,hedgedoc}.log` reproduces the resolver lines above; `grep "upgrade→PR-head"`
+   reproduces the version-label moves; `grep ": pass\|: fail" … | sed -n '/RUN SUMMARY/,$p'` shows tier
+   outcomes (all pass for the tiers run).
+B. **Re-run the headline yourself** (most adversarial) from your own clone on cc-ci:
+   ```
+   # ensure no canonical, run twice; 2nd run must step back:
+   rm -rf /var/lib/ci-warm/custom-html        # clear canonical
+   cd <your-clone>; HOME=/root RECIPE=custom-html cc-ci-run runner/run_recipe_ci.py   # run A → promotes
+   HOME=/root RECIPE=custom-html cc-ci-run runner/run_recipe_ci.py                    # run B → STEP-BACK
+   ```
+   EXPECTED run B: `upgrade base: kind=version version=1.11.0+1.29.0 (step-back: …)` and
+   `upgrade→PR-head: … version=1.11.0+1.29.0→1.13.0+1.31.1`, all tiers pass. (Single test node — don't
+   run while another `run_recipe_ci.py` is active.)
+C. **Teeth:** in run B the base version (1.11.0+1.29.0) is strictly < head (1.13.0+1.31.1) AND the
+   upgrade tier's generic `test_upgrade_reconverges` + cc-ci `test_upgrade_preserves_data` PASSED — a
+   same-version no-op would show `version=1.13.0+1.31.1→1.13.0+1.31.1` (it does not) and a skip would
+   show `kind=skip` (it does not).
 
 ## M1 — WHAT is claimed