diff --git a/machine-docs/JOURNAL-redfix.md b/machine-docs/JOURNAL-redfix.md
index 616e496..76d08bf 100644
--- a/machine-docs/JOURNAL-redfix.md
+++ b/machine-docs/JOURNAL-redfix.md
@@ -408,3 +408,15 @@ from the branch checkout — NO tag-revert — so they verify cleanly. Doing key
 For bluesky: force chaos (deploy_app does chaos when has_ccci_overlay) OR reconsider a cc-ci-side
 overlay fix (alias + caddyfile override) — both verifiable; recipe PR #4 (rename) stays as the ideal
 upstream fix. gitea: rework + reproduce-with-inspection.
+
+## 2026-06-18T03:40Z — M2 keycloak FIXED + VERIFIED (collision-free canonical)
+
+Ran keycloak cold-on-latest from branch checkout /tmp/cc-ci-m2run (harness fix: canonical_domain ->
+warm-canon-keycloak for WARM_DOMAINS recipes; WARM_CANONICAL=True). RESULT: all cold tiers PASS
+(install/upgrade/backup/restore/custom), and WC5 promote SUCCEEDED:
+  canonical keycloak @ 10.8.0+26.6.3, domain="warm-canon-keycloak.ci.commoninternet.net", idle, volume retained.
+- Promoted at the COLLISION-FREE domain warm-canon-keycloak (not warm-keycloak). ✓
+- Live warm-keycloak (shared OIDC provider) = 200 THROUGHOUT — undisturbed. ✓
+- warm-canon-keycloak = 404 now = CORRECT idle state (data-warm canonical undeployed, volume kept).
+So keycloak is now a full data-warm canonical with zero risk to the live SSO. **FIXED + verified.**
+3/6 verified: mattermost-lts, discourse, keycloak. Doing mumble next (harness, tractable).