diff --git a/machine-docs/BACKLOG-2.md b/machine-docs/BACKLOG-2.md
index b56b196..a7fc66b 100644
--- a/machine-docs/BACKLOG-2.md
+++ b/machine-docs/BACKLOG-2.md
@@ -56,14 +56,23 @@ Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase2-recipe-tests.md`
       surfaces leak failures; cold re-verify on cc-ci → no leftover keycloak after teardown.
 
 ### Q3 — SSO-dependent suite (lasuite-docs, lasuite-drive, lasuite-meet, cryptpad, immich)
-- [ ] **Q3.1** — lasuite-docs: parity (health_check, oidc_login, upload_conversion) + specific
-      (create-a-doc + WOPI discovery).
+- [~] **Q3.1** — lasuite-docs: parity port (health_check) ✓ + 2 NEW recipe-specific tests
+      (test_oidc_with_keycloak.py — Q2.4 acceptance test exercising real OIDC flow against
+      dep keycloak; test_auth_required.py — protected backend API requires auth). Open
+      follow-up: oidc_login.py + upload_conversion.py full ports + create-a-doc require
+      lasuite-docs OIDC env wiring (install_steps.sh wires dep keycloak's client_secret +
+      OIDC env into lasuite-docs's .env at install time). Documented in tests/lasuite-docs/
+      PARITY.md.
 - [ ] **Q3.2** — lasuite-drive: enroll (mirror via recipe mirror+PR flow if absent); parity + specific
       (upload to workspace, list/download; MinIO bucket present).
 - [ ] **Q3.3** — lasuite-meet: parity (health_check, oidc_login, meeting_flow, webrtc-media,
       webrtc-relay) + specific (create-a-room, two-user LiveKit token issuance, ICE-candidate gathering).
-- [ ] **Q3.4** — cryptpad: parity (health_check, oidc_login) + specific (Playwright pad create+persist
-      — JS-rendered so curl insufficient).
+- [~] **Q3.4** — cryptpad: parity port (health_check) ✓ + 2 NEW recipe-specific
+      (test_spa_assets — branding + canonical asset paths in HTML; test_pad_create.py —
+      Playwright SPA renders + JS bundle loads + no console errors). Open follow-up: the
+      §4.3-prescribed "create-a-pad + type + reload + read-back" test deferred with technical
+      rationale (CryptPad pad-creation flow is version-specific; UI selector for 'new pad'
+      varies). See DECISIONS.md Phase-2 Q3.4 section; Adversary sign-off pending per §7.1.
 - [ ] **Q3.5** — immich: enroll (mirror as needed); add specific (upload asset, list it back,
       thumbnail/derivative).
 - [ ] **Q3.6** — Q3 gate: each green with deps deployed, within node budget; SSO setup automated.