journal(2w): record docker-prune WC8 fix

machine-docs/JOURNAL-2w.md

@@ -175,3 +175,16 @@ archive to seen/) is still to wire (flagged for when nightly WC6 lands / a real
 
 Remaining for the WC1 gate: W0.7 (lasuite-docs in-place chaos-redeploy nginx race) + W0.8 (headline
 dependent-SSO-green e2e vs warm keycloak + concurrent distinct realms + reaping).
+
+## 2026-05-29 — Fixed daily-failing docker-prune (WC8 landmine)
+
+While checking state I found the system `degraded`: `docker-prune.service` had been FAILING every day
+(May 27/28/29) with `The "until" filter is not supported with "--volumes"`. Root: swarm.nix autoPrune
+flags `[--all --volumes --filter until=24h]` — docker rejects `--volumes` + `--filter until`, so the
+daily prune never ran (a cause of disk creeping to 96%). Worse: `--volumes` prunes any volume with no
+running container → it would DELETE Phase-2w DATA-WARM canonical volumes (undeployed by design) the
+moment it started working. Fixed: dropped `--volumes` (prune images/containers/networks/build-cache
+≤24h only). Warm volumes survive and are pruned deliberately by the warm reconcilers (WC8). Verified:
+rebuild → docker-prune.service runs clean, system `running` (0 failed), keycloak 200. Note for WC8:
+the warm-volume/snapshot prune policy + nix-generation GC should be folded into the maintenance
+story.