claim(2w): W0.10a traefik WC1.1 migrated onto shared health-gated reconciler — no-op converge proven; destructive rollback = Adversary cold proof

warm_reconcile.py: per-spec setup hook + health_domain; SPECS[traefik]
(stateful=False, version-rollback-only, _traefik_setup preserves wildcard-cert/
file-provider config, health on routed dashboard host). keycloak path unchanged.
proxy.nix: deploy-proxy.service now execs warm_reconcile.py traefik. ZERO-disruption
migration (traefik already at latest 5.1.1+v3.6.15; pre-seeded TYPE+last_good →
clean no-op converge; traefik 200 + keycloak-through-traefik 200 + 0 failed).
65 unit pass. Per operator out: code+converge delivered; destructive rollback
(brief TLS blip) = Adversary's required cold proof. Closes the W0.10a tracked-open.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-29 03:50:32 +01:00
parent aec6911c68
commit e678d2e006
5 changed files with 145 additions and 45 deletions

@ -54,6 +54,19 @@ def test_app_major_bump_held_even_if_no_plus_on_current():
assert wr.is_major_bump("0", "11.0.0+1.0.0") is True
def test_traefik_spec_is_stateless_with_setup():
# WC1.1 traefik = stateless (version-rollback-only, NO snapshot) + its own cert/file-provider
# setup + health probed on a ROUTED host (the dashboard), not traefik's own domain.
t = wr.SPECS["traefik"]
assert t["stateful"] is False
assert callable(t.get("setup"))
assert t["health_domain"] == "ci.commoninternet.net"
assert t["domain"] == "traefik.ci.commoninternet.net"
# keycloak stays stateful with no custom setup (default path)
assert wr.SPECS["keycloak"]["stateful"] is True
assert "setup" not in wr.SPECS["keycloak"]
def test_manual_migration_markers():
assert wr.notes_flag_manual_migration("This release requires a MANUAL MIGRATION of the DB.")
assert wr.notes_flag_manual_migration("Breaking change: action required before upgrade.")
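Review bot: `assert callable(t.get("setup"))` in test_traefik_spec_is_stateless_with_setup only proves that a hook is registered, not that it does what the comment above it says (the cert/file-provider setup). Since this spec is stateless with no snapshot, that hook is the only thing protecting the TLS configuration during a reconcile, so it deserves a test that runs it against a temporary config directory and asserts the cert and file-provider entries are still present afterwards. Two smaller points in the same test: `assert "setup" not in wr.SPECS["keycloak"]` fails if someone later adds an explicit `"setup": None`, so `wr.SPECS["keycloak"].get("setup") is None` would pin the behaviour rather than the dict shape; and the two hostname asserts would read better with an added `assert t["health_domain"] != t["domain"]`, which states the routed-host intent directly instead of leaving it implied by two literals.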