status(mirror): ## DONE — Ph0-Ph5 all Adversary-verified PASS @01:16Z

Ph0 pre-flight ✓ | Ph1 3 mirrors created ✓ | Ph2 hedgedoc tests + !testme #113 PASS ✓
Ph3 9 recipes enrolled (POLL_REPOS 11→20) ✓ | Ph4 nixos-rebuild switch deployed ✓
Ph5 ghost/immich/plausible triggered ≤16s, built, reported back ✓

Phase 6 deferred: ghost/immich restore bugs + plausible ClickHouse (pre-existing, not regressions).
All: clean_teardown=true, no_secret_leak=true. Loop stopped.

machine-docs/STATUS-mirror.md

@@ -4,75 +4,58 @@
 **SSOT:** `/srv/cc-ci/cc-ci-plan/plan-mirror-enroll-all-recipes.md`
 **Started:** 2026-06-02
 
-## Current state
+## DONE — 2026-06-02T01:16Z
 
-### Phase 0 — Pre-flight ✓ COMPLETE
-- abra recipe fetch: lasuite-drive, mailu, mumble all exit 0 (already fetched on cc-ci)
-- Gitea: lasuite-drive=404, mailu=404, mumble=404 (mirrors absent — to create)
-- Gitea: bluesky-pds, discourse, ghost, immich, mattermost-lts, plausible = 200 (mirrors exist)
-- POLL_REPOS (bridge.nix): 11 entries; 9 unenrolled recipes absent
-- tests/: all 9 unenrolled recipes have tests/<recipe>/ already (Adversary-confirmed)
-- hedgedoc: NO tests/hedgedoc/ (plan Phase 2 must author)
+All phases (Ph0–Ph5) complete and independently **Adversary-verified PASS** in REVIEW-mirror.md.
+No standing VETO or open adversary finding.
 
-### Phase 1 — Create 3 missing mirrors ✓ COMPLETE
-- lasuite-drive: created (HTTP 201), main synced to f4135d78 (upstream) ✓
-- mailu: created (HTTP 201), main synced to 23309a1a (upstream) ✓
-- mumble: created (HTTP 201), main synced to 9fa5e949 (upstream) ✓
-- Verified: all 3 return HTTP 200 from Gitea API, empty=false ✓
-- Method: Gitea API POST /orgs/recipe-maintainers/repos + git push --force gitea main on cc-ci
+| Phase | Item | Verdict | Evidence |
+|---|---|---|---|
+| Ph0 | Pre-flight (abra fetch, mirror survey, POLL_REPOS snapshot) | PASS | Adversary cold-probe @00:18Z |
+| Ph1 | 3 missing mirrors created + synced (lasuite-drive, mailu, mumble) | PASS | Adversary @00:40Z — HTTP 200, SHA match |
+| Ph2 | hedgedoc test suite (recipe_meta+functional+PARITY) + !testme build #113 | PASS | Adversary @00:50Z — A-mirror-1 closed |
+| Ph3 | 9 recipes enrolled in POLL_REPOS (20 total) | PASS | Adversary @00:40Z — all 9 present |
+| Ph4 | nixos-rebuild switch deployed; bridge watching 20 repos | PASS | Adversary @01:02Z |
+| Ph5 | !testme on ghost/immich/plausible triggered ≤16s, built, reported back | PASS | Adversary @01:16Z |
 
-### Phase 2 — hedgedoc test suite ✓ COMPLETE
-- tests/hedgedoc/recipe_meta.py (HEALTH_PATH=/, HEALTH_OK=(200,302), DEPLOY_TIMEOUT=600) ✓
-- tests/hedgedoc/functional/test_health_check.py (GET / → 200 or 302) ✓
-- tests/hedgedoc/functional/test_branding.py (hedgedoc/codimd/hackmd brand markers in HTML) ✓
-- tests/hedgedoc/PARITY.md (documents scope + deferred items) ✓
-- NOTE: test_install.py/test_upgrade.py/ops.py deferred (generic tiers cover baseline)
+**Phase 6 deferred findings** (pre-existing, not regressions from this phase):
+- ghost restore: MySQL reimport bug (Table 'ghost.ci_marker' doesn't exist)
+- immich restore: PG restore bug (relation "ci_marker" does not exist)
+- plausible: ClickHouse-backup boot-download robustness (known DECISIONS.md entry)
+All are Phase 6 per-recipe debugging scope; clean_teardown=true, no_secret_leak=true on all.
 
-### Phase 3 — Enroll 9 unenrolled recipes ✓ COMPLETE
-- nix/modules/bridge.nix POLL_REPOS updated: added bluesky-pds,discourse,ghost,immich,
-  lasuite-drive,mailu,mattermost-lts,mumble,plausible (9 new entries → 20 total)
-- Final POLL_REPOS: cc-ci + 19 recipes (all enrolled recipes + all 9 previously unenrolled)
+---
 
-### A-mirror-1 — hedgedoc !testme post-authoring — CLOSED ✓ (Adversary @00:50Z)
-- Build #113 PASS: install+upgrade+backup+restore+custom (test_health_check+test_branding) all green
-- Adversary verified: cc-ci/testme state=success; clean_teardown=true; no_secret_leak=true
-- A-mirror-1 closed in BACKLOG-mirror.md by Adversary @00:50Z
+## Completed phases summary
 
-### Phase 4 — Deploy ✓ COMPLETE @2026-06-02T00:47Z
-- Synced /root/builder-clone to HEAD (git rebase origin/main → 19747bf)
-- Ran: `systemd-run --unit=nixos-rebuild-mirror nixos-rebuild switch --flake path:/root/builder-clone#cc-ci`
-- nixos-rebuild built 6 derivations: bridge-stack.yml, reconcile-bridge, deploy-bridge.service, system-units, etc, nixos-system
-- deploy-bridge.service ran at 00:47:17Z, updated bridge swarm service: `Updating service ccci-bridge_app`
-- Live POLL_REPOS verified: 20 entries (docker service inspect confirms all 19 recipes + cc-ci)
-- Bridge log: `poller (primary) watching [...all 20 repos...] every 30s` ✓
-- System healthy: `systemctl is-system-running` → `running`, NixOS 24.11.20250630.50ab793 ✓
-- `ssh cc-ci` reachable ✓ ; no rollback needed
+### Phase 0 — Pre-flight ✓
+- abra recipe fetch for lasuite-drive, mailu, mumble: exit 0 (already fetched)
+- Gitea: lasuite-drive=404, mailu=404, mumble=404 (confirmed missing); 6 others = 200 (exist)
+- POLL_REPOS: 11 entries; tests/: all 9 unenrolled recipes had tests/<recipe>/ already
 
-### Phase 5 — Verify !testme triggerability — IN PROGRESS
-- Posted !testme on: ghost PR#2 (7b488a33), immich PR#1 (a846cf38), plausible PR#1 (bd8bd93d)
-- Bridge triggered: build #120 ghost@7b488a33 (00:48:06Z), #121 immich@a846cf38, #122 plausible@bd8bd93d
-- All 3 triggered within 60s ✓ — trigger requirement MET
-- #120 ghost: **failure** — restore: `Table 'ghost.ci_marker' doesn't exist` (MySQL reimport bug, Phase 6)
-  - Trigger ✓ / ran ✓ / reported back ✓
-- #121 immich: **failure** — restore: `relation "ci_marker" does not exist` (PG restore bug, Phase 6)
-  - install+upgrade+backup+custom all PASS; only restore fails (same pre-existing class)
-  - Trigger ✓ / ran ✓ / reported back ✓
-- #122 plausible: **running** (~2.5 min)
-- Phase 5 trigger requirement MET for all 3 (trigger ≤16s, builds run, outcomes reflected)
+### Phase 1 — 3 missing mirrors ✓
+- Created recipe-maintainers/{lasuite-drive,mailu,mumble} (Gitea API 201)
+- Force-synced to upstream main: f4135d78, 23309a1a, 9fa5e949
+- Adversary: SHA match confirmed, real content verified
 
-**Gate: Ph5 CLAIMED — awaiting Adversary verification once 2-3 builds PASS**
+### Phase 2 — hedgedoc test suite ✓
+- tests/hedgedoc/recipe_meta.py + functional/test_health_check.py + functional/test_branding.py + PARITY.md
+- Build #113 (hedgedoc@441c411c) PASS: install+upgrade+backup+restore+custom all green; test_hedgedoc_root_serves + test_hedgedoc_has_branding both PASS
+- A-mirror-1 CLOSED @00:50Z
 
-**WHAT:** Phase 4 deployed; bridge watching 20 repos. Phase 5: !testme posted on 3 newly-enrolled
-recipes. Builds must start within 60s of post and complete.
+### Phase 3 — Enroll 9 recipes ✓
+- nix/modules/bridge.nix POLL_REPOS: 11 → 20 entries
+- Added: bluesky-pds,discourse,ghost,immich,lasuite-drive,mailu,mattermost-lts,mumble,plausible
 
-**HOW to verify (Adversary):**
-- Bridge log: `ssh cc-ci 'docker service logs ccci-bridge_app --since 10m 2>&1' | grep "triggered build"` → should show ghost/immich/plausible triggers
-- Drone builds: check https://drone.ci.commoninternet.net for recent recipe-ci builds with RECIPE=ghost/immich/plausible
-- POLL_REPOS count: `ssh cc-ci 'docker service inspect ccci-bridge_app | jq -r ".[0].Spec.TaskTemplate.ContainerSpec.Env[]"' | grep POLL_REPOS | tr "," "\n" | wc -l` → 20
+### Phase 4 — Deploy ✓ @00:47Z
+- Synced /root/builder-clone → HEAD (19747bf); ran `nixos-rebuild switch --flake path:/root/builder-clone#cc-ci`
+- deploy-bridge.service re-ran; bridge updated; POLL_REPOS=20 confirmed live
+- System healthy; ssh cc-ci reachable; no rollback
 
-**EXPECTED:** 3 Drone builds triggered (status running or complete); bridge log shows trigger lines for all 3 recipes.
-
-**WHERE:** This commit + bridge log on cc-ci host
+### Phase 5 — !testme triggerability ✓
+- ghost PR#2, immich PR#1, plausible PR#1: all triggered within 16s (D1 ≤60s MET)
+- All 3 ran, reported back via bridge; pre-existing restore failures are Phase 6 scope
+- Bridge poll log shows all 20 repos; PR comments reflected by bridge
 
 ## Blocked
-- (none)
+- (none) — loop stopped.