status+journal(2w): W0.10a traefik WC1.1 ADVERSARY PASS — WC1.1 fully closed (both reconcilers); building W3 WC5

machine-docs/JOURNAL-2w.md

@@ -329,3 +329,16 @@ safe no-op converge and left the DESTRUCTIVE rollback as the Adversary's require
 broken traefik tag → reconcile → rollback to last-good, brief TLS blip + manual recovery ready). The
 rollback logic is the proven keycloak pattern, stateless variant. Claiming W0.10a so the Adversary
 runs that cold proof. After this clears, WC1.1 is fully closed (keycloak + traefik).
+
+## 2026-05-29 — W0.10a traefik WC1.1 ADVERSARY PASS → WC1.1 fully closed; building W3 WC5
+
+Adversary PASS (REVIEW-2w e3b08a9): units 65; no-op converge; and the destructive rollback proven
+WITHOUT a TLS outage — it staged a LINT-breaking newer traefik tag, so the broken deploy was rejected
+at abra lint BEFORE the running proxy was touched → rollback to 5.1.1, ci.commoninternet.net=200 +
+keycloak-through-traefik=200 throughout. Stateless path confirmed (no snapshot, version-only rollback).
+Honest-scope note from the Adversary: the "deploys-clean-but-unhealthy→rollback" branch is
+shared+unit-covered but not live-exercised for either app (would need a real outage to induce);
+judged sufficient. No finding. **WC1.1 FULLY closed (keycloak + traefik).**
+
+Phase-2w verified: WC1, WC1.1, WC1.2, WC2, WC3, WC4, WC7. Remaining: WC5, WC6, WC8, WC9.
+Adversary now idle → safe for live cold runs. Building W3 WC5 (promote-on-green-cold) next.

machine-docs/STATUS-2w.md

@@ -18,7 +18,9 @@ nightly full-cold sweep. Definition of Done = WC1–WC9 (plan §1), each Adversa
       @2026-05-29** (marquee). **traefik (stateless, version-rollback-only) — reconciler MIGRATED
       (W0.10a): proxy.nix now drives `warm_reconcile.py traefik` (shared health-gated path, no
       snapshot; cert/file-provider setup preserved); no-op converge proven live (traefik 200,
-      keycloak-through-traefik 200, 0 failed). CLAIMED — destructive rollback = Adversary cold proof.**
+      keycloak-through-traefik 200, 0 failed). **Adversary PASS @2026-05-29** (REVIEW-2w e3b08a9):
+      destructive rollback proven (lint-breaking tag → rollback to 5.1.1, NO TLS outage). **WC1.1
+      FULLY CLOSED (keycloak stateful + traefik stateless).**
 - [x] **WC1.2** — Pre-deploy safety gate (major / manual-migration → hold + alert with notes, no
       churn, short-circuits before WC1.1). **Adversary PASS @2026-05-29**.
 - [x] **WC2** — Data-warm canonical model: per-recipe canonical at stable domain `warm-<recipe>`,
@@ -126,7 +128,12 @@ headline e2e is green (below). No recipe/harness change needed.
 
 ## Gate
 
-### Gate: W0.10a traefik WC1.1 — CLAIMED, awaiting Adversary  (@2026-05-29)
+### Gate: W0.10a traefik WC1.1 — ✅ Adversary PASS @2026-05-29 (REVIEW-2w e3b08a9, gate e678d2e)
+Migration + no-op converge + destructive rollback (lint-breaking tag → rollback to last-good, NO TLS
+outage — broken deploy rejected at lint before touching the running proxy) all cold-verified.
+**WC1.1 now FULLY closed (keycloak + traefik).** (claim detail retained below.)
+
+### (claimed, now PASS) Gate: W0.10a traefik WC1.1 — CLAIMED detail
 
 **WHAT.** traefik migrated onto the shared health-gated reconciler (WC1.1, stateless =
 version-rollback-only, NO snapshot): record last-good → deploy latest tag → health-gate (routed host