status+journal(2w): W2 gate WC4+WC7 ADVERSARY PASS @2026-05-29; advance to W3 (WC5/WC6) + traefik W0.10a quiet window

machine-docs/JOURNAL-2w.md

@@ -291,3 +291,20 @@ doing so. Claiming WC4+WC7 now with that prefix.
 
 System clean post-rebuild: keycloak 200, custom-html canonical idle@1.11.0+1.29.0, 0 failed units,
 disk 50%. Parked at the W2 gate; next quiet-window work = W0.10a traefik WC1.1 migration.
+
+## 2026-05-29 — W2 gate WC4+WC7 ADVERSARY PASS; advancing to W3 (+ traefik quiet window)
+
+Adversary cold-verified WC4+WC7 (REVIEW-2w 31f0e42): 64 units; WC7 adversarial trigger battery
+(all negatives rejected on the live bridge); WC4 never-promote (snapshot byte-identical sha256
+9ef62bdf, registry unchanged); WC4 FAIL→rollback restored EXACT known-good (marker back, app 200,
+broken image gone, exit 1 — "WC9 rollback-proof in miniature"); no-canonical fallback to a cold
+per-run domain (canonical untouched). No tests softened. **WC4+WC7 PASS @2026-05-29.**
+
+Three of four milestones now PASS (W0, W1, W2). Advancing to W3 (WC5 promote-on-green-cold + WC6
+nightly sweep). ALSO: the Adversary is now idle (post-W2), so this is the QUIET WINDOW for the
+tracked W0.10a traefik WC1.1 migration (it disrupts TLS, so it must NOT overlap an Adversary verify).
+
+Plan for next: (a) W0.10a traefik health-gated reconciler migration (quiet window, careful — traefik
+serves all TLS); (b) W3 WC5 promote-on-green-cold (extend cold-run teardown to re-seed the canonical
+on green-latest, reusing seed_canonical); (c) W3 WC6 nightly sweep (systemd timer: rebuild-then-cold-
+sweep). traefik first (use the window) or interleave; W0.10b alert-relay is a small loop step.