diff --git a/BACKLOG.md b/BACKLOG.md index 7fbc451..0f84174 100644 --- a/BACKLOG.md +++ b/BACKLOG.md @@ -78,7 +78,15 @@ Two single-writer sections (§6.1): Builder edits only `## Build backlog`; Adver build #39 success (~31m): install 2✓ (realm health + Playwright admin login), upgrade 1✓ (`test_upgrade_preserves_realm` — DB data survives), backup 1✓ (`test_backup_mutate_restore`). Clean teardown (0 keyc services/volumes). Proves DB-backed data survival + integration path. -- [ ] Enroll recipes 3–6 covering remaining D10 categories, no harness surgery +- [x] cryptpad (stateful/no-DB, recipe #3) full 3-stage green on host (cc-ci-run): install 2✓ + (http + Playwright), upgrade 1✓ (marker in cryptpad_data survives), backup 1✓ + (`test_backup_mutate_restore`). No harness surgery — added generic per-recipe EXTRA_ENV + (handles cryptpad's SANDBOX_DOMAIN). Fixed a real backup bug en route: set_env glued + RESTIC_REPOSITORY onto a comment → backupbot had no restic repo (now newline-safe). Drone + canonical run = build #46 (in flight). +- [ ] Enroll recipes 4–6 covering remaining D10 categories (multi-service+S3, large-volume, + TLS-passthrough), no harness surgery +- [ ] Re-verify keycloak backup post set_env fix (build #39 ran off an earlier backupbot deploy) - [ ] Gate: M6.5 — recipes 3–6 three-stage green ### M7 — Secrets hardening (D6) diff --git a/JOURNAL.md b/JOURNAL.md index c01f131..8019b86 100644 --- a/JOURNAL.md +++ b/JOURNAL.md 
@@ -544,3 +544,30 @@ the 60m build timeout; that's why the run took ~31m. No harness surgery (D5): ke This both advances M6.5 (first DB-backed recipe full 3-stage) and confirms the recipe-ci integration works on a heavy DB-backed recipe (Drone→harness→3 stages→teardown). Next M6.5: enroll recipes 3–6 covering the remaining D10 categories (stateful-no-DB, multi-service+S3, large-volume, etc.). + +--- +## 2026-05-27 — M6.5: cryptpad (recipe #3) enrolled + full 3-stage green; fixed a real backup bug + +Enrolled **cryptpad** (stateful, no external DB — the D10 "stateful/no-DB" category). No shared-harness +surgery beyond a *generic* feature: added per-recipe **EXTRA_ENV** (recipe_meta.py dict or +domain-callable) applied in `deploy_app` at every deploy path. cryptpad uses it for its required +distinct `SANDBOX_DOMAIN` (a sibling subdomain under the wildcard, so no cert work). Data-survival +tests write a marker into the backed-up `cryptpad_data` volume and read it via `exec_in_app` +(cryptpad's datastore isn't HTTP-served like custom-html). + +Host runs (HOME=/root, cc-ci-run): install **2 passed** (~2m; http 200 + Playwright loads cryptpad), +upgrade **1 passed** (~1m; marker survives previous→current), backup **1 passed** after a fix +(below). Clean teardown (0 cryp services/volumes). + +**Real bug found+fixed — backups were silently mis-wired (set_env newline).** cryptpad backup first +failed: `abra app backup create` → backup-bot-two's `/usr/bin/backup` raised +`KeyError: 'RESTIC_REPOSITORY'`. Root cause: backup-bot-two's `.env.sample` ends with a *newline-less* +comment line, and the reconcile's `set_env` did a bare `printf >> .env`, gluing +`RESTIC_REPOSITORY=/backups/restic` onto that comment → commented out. abra `--debug` confirmed the +backupbot env map lacked `RESTIC_REPOSITORY`, and `docker exec backupbot printenv RESTIC_REPOSITORY` +was empty. 
Fix: `set_env` now ensures a trailing newline before appending (modules/backupbot.nix + +modules/drone.nix, same latent bug). After rebuild: `.env` has a clean `RESTIC_REPOSITORY=` line, the +backupbot container has `RESTIC_REPOSITORY=/backups/restic`, and cryptpad backup→mutate→restore +passes. NOTE: keycloak backup (build #39) passed off an *earlier, non-corrupted* backupbot deploy; +worth a re-verify, but the mechanism is now correct/reproducible. Triggered Drone build #46 (cryptpad) +as the canonical recipe-ci run. diff --git a/STATUS.md b/STATUS.md index ce236dc..59f13ae 100644 --- a/STATUS.md +++ b/STATUS.md 
@@ -3,12 +3,12 @@ **Phase:** M0/M1/M2/M4/M5 PASS; M3 PASS (Adversary-verified); M6 CLAIMED (awaiting Adversary). Bridge→Drone→harness integration DONE (recipe-ci pipeline). M6.5 underway: keycloak full 3-stage GREEN through Drone (build #39). Next: enroll recipes 3–6 (remaining D10 categories), M7, M8. -**In-flight:** M6.5 breadth — recipe #3 = **cryptpad** (stateful/no-DB category, mirrored). Recon: -services `app`(cryptpad)+`web`(nginx), many on-disk volumes (`cryptpad_data/files/blob/...`), no DB; -health likely on `/`. Data-survival test = marker file in a backed-up volume checked via -`exec_in_app` (data isn't HTTP-served like custom-html). Then recipes 4–6 (multi-service+S3, -large-volume, TLS-passthrough). Also pending: full single-`!testme`-on-a-recipe-PR E2E. -**Last updated:** 2026-05-27 (M6.5: keycloak full 3-stage green via build #39; cryptpad next) +**In-flight:** M6.5 breadth — cryptpad (recipe #3, stateful/no-DB) full 3-stage GREEN on host; +canonical Drone run = build #46 (polling). Fixed a real backup bug en route (set_env glued +RESTIC_REPOSITORY onto a comment → backupbot had no restic repo; now newline-safe). Next: recipes +4–6 (multi-service+S3 e.g. lasuite-docs, large-volume e.g. matrix/immich, TLS-passthrough e.g. +bluesky-pds). Pending: re-verify keycloak backup post-fix; full single-`!testme`-on-a-recipe-PR E2E. +**Last updated:** 2026-05-27 (M6.5: cryptpad 3-stage green on host; set_env/RESTIC backup fix) ## Gates - **Gate: M0 — CLAIMED, awaiting Adversary** (2026-05-26). Evidence: flake rebuilds cc-ci from repo
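Review bot: In the BACKLOG.md hunk, the cryptpad item is ticked `[x]` while its own text says the canonical Drone run, build #46, is still "(in flight)". The keycloak entry just above it cites a finished run ("build #39 success"), so a ticked box currently means two different things. Leave cryptpad as `[ ]` until build #46 reports, or split it into a ticked host-run item and an unticked Drone item. The new "Re-verify keycloak backup post set_env fix" item also reads as a precondition for the unchanged "Gate: M6.5" line; say so on the gate so it cannot be closed on the strength of build #39 alone.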
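Review bot: The JOURNAL.md entry describes a backup path that was silently mis-wired, and notes that keycloak's backup passed only "off an *earlier, non-corrupted* backupbot deploy", yet it records no check that would catch the same failure again. Suggest adding, and noting here, a post-reconcile assertion that `RESTIC_REPOSITORY` sits on its own uncommented line in `.env` and is non-empty in the backupbot container, so a glued or commented-out key fails the deploy instead of surfacing later as a `KeyError` at backup time. Since the entry says the bare `printf >> .env` was present in both modules/backupbot.nix and modules/drone.nix, it would also help to state whether `set_env` is now one shared helper or two copies that have to be kept in step.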
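Review bot: In the STATUS.md hunk, the unchanged **Phase:** line still reads "Next: enroll recipes 3–6 (remaining D10 categories)", while the rewritten **In-flight:** paragraph says cryptpad (recipe #3) is green on host and "Next: recipes 4–6". Update the Phase line in the same change so the two agree. "build #46 (polling)" will also be stale as soon as the run finishes; record the outcome here once it is known, as was done for build #39, and until then keep the wording identical to BACKLOG.md, which calls the same run "in flight".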