claim(M2-nixenv): live parity proven on BOTH paths — gitea test_lfs_roundtrip green under the real timer fire (@17:57:54Z, git-lfs from cc-ci-run runtimeInputs; unit PATH has no git-lfs) AND the Drone path (build #871, RECIPE=gitea REF=357926f2 PR=1). Deploy d11f8f5 healthy post-sweep (systemctl --failed empty, timer+oneshots active, endpoints 200). No regression: sweep SKIPs/promotes correct; gitea promote-fail + discourse/mattermost reds all pre-existing (identical pre-deploy, runner/ unchanged since canon f94de22). Awaiting Adversary.

machine-docs/BACKLOG-nixenv.md

@@ -10,10 +10,10 @@
 - [x] M1: grep proof — exactly one `withPackages`/`pytest playwright` in nix/ (packages.nix); no module declares its own harness tool list.
 - [x] M1: `nixos-rebuild build` succeeds for both `#cc-ci` and `#cc-ci-hetzner`.
 - [x] M1: CLAIM, await Adversary PASS.
-- [ ] M2: deploy via `nixos-rebuild switch`; verify host health (systemctl --failed, oneshots, timer, endpoints).
+- [x] M2: deploy via `nixos-rebuild switch`; verify host health (systemctl --failed, oneshots, timer, endpoints).
-- [ ] M2: live parity — gitea `test_lfs_roundtrip` green under BOTH Drone path and a real timer fire from the unified env.
+- [x] M2: live parity — gitea `test_lfs_roundtrip` green under BOTH Drone path (build #871) and a real timer fire from the unified env.
-- [ ] M2: canon-style sweep still promotes/SKIPs correctly (no regression).
+- [x] M2: canon-style sweep still promotes/SKIPs correctly (no regression; gitea promote-fail + discourse/mattermost red all pre-existing, identical pre-deploy).
-- [ ] M2: CLAIM, await Adversary PASS → `## DONE`.
+- [x] M2: CLAIM @ 2026-06-17T18:17Z (this commit). Await Adversary PASS → `## DONE`.
 
 ## Adversary findings
 <!-- Adversary-owned section. Builder does not edit. -->

machine-docs/JOURNAL-nixenv.md

@@ -57,3 +57,32 @@ additions override cleanly. Both `#cc-ci` and `#cc-ci-hetzner` built with no col
 - sweep wrapper `gh02w1kc…` execs the SAME `zxlx9j…/bin/cc-ci-run`.
 - cc-ci host sw/bin now lists git-lfs + openssl (was missing git-lfs pre-refactor).
 - `grep -rn withPackages nix/` → 1 hit (packages.nix:17).
+
+## 2026-06-17T18:17Z — M2 claim (both live parity witnesses green)
+
+### Drone-path witness (build #871)
+Why REF=357926f2 PR=1 SRC=recipe-maintainers/gitea: this is the lfs-plain-gitea capstone ref (the
+gtea-phase Build #685 ref). PR #1 is now merged so compose.lfs.yml is also on main, but pinning the
+PR head guarantees `_lfs_enabled()` is true (compose.lfs.yml in checkout + RECIPE=gitea) so the LFS
+test RUNS rather than skips. fetch_recipe takes the SRC+REF mirror-clone path; EXTRA_ENV adds
+compose.lfs.yml to install+custom tiers so the deployed gitea has LFS on for the round-trip. Triggered
+via the Drone API with the bridge's drone token (kept on-host). Build went green in ~3 min;
+test_lfs_roundtrip PASSED. This is the SAME cc-ci-run store path the timer sweep execs, so the two
+witnesses prove parity by both construction (M1) and observation (M2).
+
+### Why the timer fire is the harder witness
+The systemd unit PATH is systemd-minimal (coreutils/findutils/gnugrep/gnused/systemd) — NO git-lfs,
+NO /run/current-system/sw/bin. So a green LFS test there can ONLY come from cc-ci-run's runtimeInputs
+prepending git-lfs-3.6.1 to PATH. Confirmed by reading /proc/<run_recipe_ci pid>/environ live: PATH
+starts with the cc-ci-run tool prefix incl git-lfs. This is exactly the DEFECT-3 condition the phase
+set out to make structurally impossible.
+
+### GREEN-BUT-PROMOTE-FAILED is not mine
+Spent effort confirming the gitea promote-fail (`abra app deploy warm-gitea -o -n` → "already
+deployed") is pre-existing: it appears identically in the two pre-deploy sweep fires (14:28Z, 15:56Z,
+OLD env) and the promote path (runner/nightly_sweep.py) is unchanged by nixenv (last touched canon
+f94de22). It's an abra deploy-idempotency limitation on the persistent warm canonical (warm-gitea up
+since 08:39Z), non-fatal, known-good unchanged. discourse/mattermost-lts reds are likewise recipe-level
+and pre-existing (mattermost: postgres restore marker assertion; docker resolved fine → not a dropped
+tool). nixenv changes only WHICH tools are on PATH; it dropped nothing (M1 superset proof), so it
+cannot have caused an app-level red.

machine-docs/STATUS-nixenv.md

@@ -9,7 +9,47 @@ timer, and host `systemPackages` share ONE declaration (no duplicate `pyEnv`, no
 
 ## M1 — PASS @ 2026-06-17T17:40Z (REVIEW-nixenv.md, claim 8b8fc1f). No VETO.
 
-## Gate: M2 — IN FLIGHT (deploy + live parity witness)
+## Gate: M2 — CLAIMED @ 2026-06-17T18:17Z, awaiting Adversary (claim commit below)
+
+**WHAT (M2 DoD).** (1) Deployed via `nixos-rebuild switch`, host verified healthy. (2) Live parity:
+gitea `test_lfs_roundtrip` GREEN under BOTH a real timer fire AND the Drone path, from the shared
+env (git-lfs resolves on both — DEFECT-3 condition met live). (3) A canon-style sweep still
+promotes/SKIPs correctly under the unified env — no regression to canon's result.
+
+**WHERE (inputs).** Deployed system from `/etc/cc-ci` @ d11f8f5 (= M1-reviewed tree). nixenv diff
+`dd6712c..d11f8f5` = nix/ modules + machine-docs ONLY; **zero `runner/`/`tests/` changes** (verify:
+`git diff --name-only dd6712c..d11f8f5 | grep -E 'runner/|tests/'` → empty). `runner/nightly_sweep.py`
+(the promote path) last touched by canon commit `f94de22` — byte-identical to canon.
+
+### M2 result summary (both witnesses PASS, host healthy, no regression)
+- **(2a) Drone-path witness — PASS.** Drone build **#871** (event=custom, RECIPE=gitea REF=357926f2
+  PR=1 SRC=recipe-maintainers/gitea), status=success, 18:11→18:14Z. The Drone exec pipeline runs
+  `cc-ci-run runner/run_recipe_ci.py` (`.drone.yml:83`). compose.lfs.yml present at that ref →
+  `_lfs_enabled()` true → LFS test RAN (not skipped): `tests/gitea/custom/test_lfs_roundtrip.py::
+  test_lfs_roundtrip PASSED`; all install/upgrade/backup/restore/custom tiers PASSED.
+  - HOW (Adversary re-run): `ssh cc-ci 'TOK=$(cat /run/secrets/bridge_drone_token); curl -s -H
+    "Authorization: Bearer $TOK" https://drone.ci.commoninternet.net/api/repos/recipe-maintainers/cc-ci/builds/871/logs/1/2 | jq -r ".[].out"' | grep test_lfs_roundtrip`.
+    EXPECTED: `test_lfs_roundtrip PASSED`. (Or trigger your OWN build with the same params and re-run.)
+- **(2b) Real timer fire witness — PASS** (details retained in the block below): `test_lfs_roundtrip
+  PASSED` @17:57:54Z under `systemctl start nightly-sweep.service`, git-lfs resolved from cc-ci-run's
+  runtimeInputs while the systemd unit PATH has NO git-lfs / no /run/current-system/sw/bin.
+- **(3) No regression.** Sweep (PID 2743890, 17:35→18:0xZ) completed all 20 enrolled recipes; SKIPs
+  all correct (cryptpad/ghost/drone/hedgedoc/immich/lasuite-*/mailu/matrix-synapse/n8n/plausible/
+  uptime-kuma no-new-version SKIP), promotes correct (custom-html→1.13.0+1.31.1, mumble→1.0.0+v1.6.870-0).
+  Three results need explicit non-regression context, ALL pre-existing (identical in the pre-deploy
+  fires PID 2149231@14:xx / 2248547@15:xx, OLD env):
+  - gitea `rc=0 GREEN-BUT-PROMOTE-FAILED` — tests green; WC5 promote fails `FATA warm-gitea… is
+    already deployed` (abra deploy-idempotency on the persistent warm canonical, up since 08:39Z;
+    non-fatal). promote path = canon `nightly_sweep.py` f94de22, unchanged by nixenv.
+  - discourse `rc=1` and mattermost-lts `rc=1` — recipe-level red (mattermost: `test_restore_returns_state`
+    → `docker exec … postgres … relation "ci_marker" does not exist`; docker resolved fine → NOT a
+    missing-tool/dropped-dep failure). Both failed identically pre-deploy → not caused by the env change.
+- **Host health (re-verified post-sweep @18:16Z).** `systemctl --failed` empty; `nightly-sweep.timer`
+  + deploy-proxy/deploy-drone/deploy-bridge/drone-runner-exec/swarm-init/warm-keycloak all active;
+  drone `/healthz` 200, ci.commoninternet.net 200; live `cc-ci-run` = `zxlx9jnylh7la5m48bsqb1wfm5l9r0bd`
+  (M1-reviewed path).
+
+### M2 deploy + timer-fire details (retained for the record)
 
 **Deploy DONE** @ 2026-06-17T17:34Z. `nixos-rebuild switch --flake 'git+file:///etc/cc-ci?submodules=1#cc-ci-hetzner'`
 (live host = hetzner; `/etc/cc-ci` @ d11f8f5). Deployed system `/nix/store/dhmpm232r6m0sq3s7y5r5jpyv5kxgzwi-nixos-system-…`
@@ -18,7 +58,7 @@ warm-keycloak / swarm-init / drone-runner-exec all active; `nightly-sweep.timer`
 drone healthz + ci.commoninternet.net → 200. Live `cc-ci-run` = `zxlx9jnylh7la5m48bsqb1wfm5l9r0bd`
 (the M1-reviewed path); git-lfs/openssl/script/bash resolve on host PATH (openssl was MISSING pre-deploy).
 
-**Live parity witness — timer fire GREEN; Drone path pending.** Diff scope: ONLY nix/ changed
+**Live parity witness — BOTH paths GREEN** (Drone #871 + timer fire; summarised above). Diff scope: ONLY nix/ changed
 (dd6712c..d11f8f5: 5 nix files, zero runner/tests) → sweep SKIP/promote logic byte-identical to
 canon's PASSed sweep.
 - **Real timer fire — PASS** @ 2026-06-17T17:57:54Z. `systemctl start nightly-sweep.service` @
@@ -39,7 +79,7 @@ canon's PASSed sweep.
     (PID 2149231 @ 14:28Z, PID 2248547 @ 15:56Z) — orthogonal to the runtime-env refactor (abra is on
     PATH unchanged in both). SKIPs in this fire are all correct (cryptpad/ghost/drone/hedgedoc/immich
     no-new-version SKIP; custom-html RUN→promoted 1.13.0+1.31.1).
-- Drone-path gitea witness: pending (trigger after the sweep completes, to avoid run-active contention).
+- Drone-path gitea witness: DONE — build #871 PASS (see "(2a)" above).
 
 ### (prior M1 claim block retained below for the record)
 ## M1 details — PASS