status+journal(2w): W0.10a traefik WC1.1 ADVERSARY PASS — WC1.1 fully closed (both reconcilers); building W3 WC5

machine-docs/STATUS-2w.md

@@ -18,7 +18,9 @@ nightly full-cold sweep. Definition of Done = WC1–WC9 (plan §1), each Adversa
       @2026-05-29** (marquee). **traefik (stateless, version-rollback-only) — reconciler MIGRATED
       (W0.10a): proxy.nix now drives `warm_reconcile.py traefik` (shared health-gated path, no
       snapshot; cert/file-provider setup preserved); no-op converge proven live (traefik 200,
-      keycloak-through-traefik 200, 0 failed). CLAIMED — destructive rollback = Adversary cold proof.**
+      keycloak-through-traefik 200, 0 failed). **Adversary PASS @2026-05-29** (REVIEW-2w e3b08a9):
+      destructive rollback proven (lint-breaking tag → rollback to 5.1.1, NO TLS outage). **WC1.1
+      FULLY CLOSED (keycloak stateful + traefik stateless).**
 - [x] **WC1.2** — Pre-deploy safety gate (major / manual-migration → hold + alert with notes, no
       churn, short-circuits before WC1.1). **Adversary PASS @2026-05-29**.
 - [x] **WC2** — Data-warm canonical model: per-recipe canonical at stable domain `warm-<recipe>`,
@@ -126,7 +128,12 @@ headline e2e is green (below). No recipe/harness change needed.
 
 ## Gate
 
-### Gate: W0.10a traefik WC1.1 — CLAIMED, awaiting Adversary  (@2026-05-29)
+### Gate: W0.10a traefik WC1.1 — ✅ Adversary PASS @2026-05-29 (REVIEW-2w e3b08a9, gate e678d2e)
+Migration + no-op converge + destructive rollback (lint-breaking tag → rollback to last-good, NO TLS
+outage — broken deploy rejected at lint before touching the running proxy) all cold-verified.
+**WC1.1 now FULLY closed (keycloak + traefik).** (claim detail retained below.)
+
+### (claimed, now PASS) Gate: W0.10a traefik WC1.1 — CLAIMED detail
 
 **WHAT.** traefik migrated onto the shared health-gated reconciler (WC1.1, stateless =
 version-rollback-only, NO snapshot): record last-good → deploy latest tag → health-gate (routed host