diff --git a/machine-docs/STATUS-canon.md b/machine-docs/STATUS-canon.md
index 947da27..7836338 100644
--- a/machine-docs/STATUS-canon.md
+++ b/machine-docs/STATUS-canon.md
@@ -1,6 +1,6 @@
 # STATUS — phase `canon` (canonical sweep, make it real)
 
-Gate: M1 PASS (Adversary 3bdd5d1, no VETO). **M2 — finalizing (determinism 2nd sweep completing ~16:25Z; will flip to CLAIMED on its clean finish).**
+Gate: M1 PASS (Adversary 3bdd5d1, no VETO). **M2 CLAIMED, awaiting Adversary.**
 
 WHAT/HOW/EXPECTED/WHERE for the Adversary. Reasoning lives in JOURNAL-canon.md.
 
@@ -56,25 +56,27 @@ ADVANCED a canonical).
 - REDS LEFT INTACT: discourse/mattermost-lts/mumble have NO canonical (or unchanged) — never
   force-promoted. bluesky-pds no canonical (warm-routing). gitea kept 3.5.3 (advance failed safely).
 
-### M2.3 — DETERMINISM run-twice → promoted-at-latest SKIP — DONE (clean serial 2nd sweep)
-Immediately after the production fire, a clean single-serial 2nd sweep was run (launched 14:41:15Z,
-AFTER the production fire completed 14:37:22Z → NO overlap; `journalctl -t cc-ci-nightly-sweep --since
-"2026-06-17 14:41"`). It demonstrates the operative no-op (DECISIONS M2.3 framing): **no
-promoted-at-latest recipe re-runs; only documented exceptions RUN.**
-- EXPECTED/OBSERVED decisions:
+### M2.3 — DETERMINISM run-twice → promoted-at-latest SKIP — DONE (clean serial 2nd sweep, COMPLETED)
+A clean single-serial 2nd sweep ran **14:41:16Z → 16:05:38Z** (started AFTER the production fire
+completed 14:37:22Z → NO overlap; single proc pid 2248547, no concurrent sweep/run_recipe_ci; clean
+structured exit with a final per-recipe summary block, no traceback). It demonstrates the operative
+no-op (DECISIONS M2.3 framing): **no promoted-at-latest recipe re-runs; only documented exceptions RUN.**
+- HOW (Adversary): `ssh cc-ci 'journalctl -t cc-ci-nightly-sweep --since "2026-06-17 14:41" | grep -E
+  "sweep: [a-z].* (SKIP|RUN|rc=)"'` — and independently re-derive: for each promoted-at-latest recipe
+  `sweep_decision(latest_tag, canon_version)` = `skip no-new-version` (latest tag == canonical version);
+  for gitea/reds = run. The trigger is pure + version-keyed (verified M1) → deterministic by construction.
+- EXPECTED/OBSERVED final summary (`SKIP — no-new-version` count = **15**):
   - **15 promoted-at-latest → `SKIP no-new-version`** (incl. **custom-html 1.13.0**, which had just
-    been ADVANCED in the production fire → now skips, the central determinism proof; cryptpad,
-    custom-html-tiny, drone, ghost, hedgedoc, immich, lasuite-{docs,drive,meet}, mailu, matrix-synapse,
-    n8n, plausible, uptime-kuma).
+    been ADVANCED in the production fire → now skips = the central determinism proof: cryptpad,
+    custom-html, custom-html-tiny, drone, ghost, hedgedoc, immich, lasuite-{docs,drive,meet}, mailu,
+    matrix-synapse, n8n, plausible, uptime-kuma). ZERO needless CI reruns of good-current recipes.
   - **gitea → RUN** (new release 3.6.0 > canonical 3.5.3 → deterministically retries the documented
-    advance exception → GREEN-BUT-PROMOTE-FAILED, 3.5.3 kept). Correct: it should keep offering to
-    advance in case the recipe is fixed.
-  - **bluesky-pds, discourse, mattermost-lts, mumble → RUN** (no known-good canonical to protect →
-    correctly re-tested; all 4 are documented exceptions).
-- HOW (Adversary, re-run yourself): `ssh cc-ci 'systemd-cat -t cc-ci-canon-det /etc/cc-ci/runner/...'`
-  is not needed — simply re-derive: for each promoted-at-latest recipe `sweep_decision(latest_tag,
-  canon_version)` = `skip no-new-version` (latest tag == canonical version); for gitea/reds it = run.
-  The trigger is pure + version-keyed (verified M1), so this is deterministic by construction.
+    advance exception → GREEN-BUT-PROMOTE-FAILED, 3.5.3 kept). Correct: keeps offering to advance.
+  - **bluesky-pds (GREEN-BUT-PROMOTE-FAILED), discourse (rc=142), mattermost-lts (rc=1), mumble (rc=1)
+    → RUN** (no known-good canonical to protect → correctly re-tested; all 4 documented exceptions).
+  - Total = 20 enrolled = 15 SKIP + gitea + 4 reds. Deviation from the literal "skip EVERY recipe"
+    ideal (= all-promoted) is honestly flagged: the 5 non-skips are exactly the documented exceptions
+    (DECISIONS M2.3 framing), and no test was weakened to force a promote (guardrail).
 
 ### M2.4 — tagged-promote proof (untagged green ⇒ NO promote; tagged green ⇒ promote) — DONE
 - TAGGED → PROMOTE: proof-A (`/root/canon-verify/_proofA.log`) cold-ran custom-html on tag
@@ -132,4 +134,9 @@ mumble (test_handshake red); bluesky-pds (warm-domain routing 000). All recorded
 
 ## Claims awaiting verification
 - **M1 — PASS** (Adversary 3bdd5d1, no VETO).
-- **M2 — finalizing**; flips to CLAIMED on the determinism 2nd sweep's clean completion (~16:25Z).
+- **M2 — CLAIMED** (awaiting Adversary). All §3 M2 + samever-orthogonality DoD items proven: real
+  non-hollow timer fire (14:37:22Z, Result=success, single serial) promoted 16 canonicals incl. a live
+  custom-html 1.11→1.13 advance, left reds intact, skipped no-new-tag; determinism 2nd sweep (clean,
+  14:41→16:05) shows 15 promoted-at-latest SKIP + only documented exceptions RUN; tagged-vs-untagged
+  proven (proof-A/C); samever step-back never fires in-sweep; disk budget recorded; UPGRADE_BASE_VERSION
+  retired; NO AI at runtime. 6 exceptions documented in DECISIONS (none silent).