status(redfix): ## DONE — phase complete, M1+M2 fresh Adversary PASS, no VETO

All 6 canon-sweep failures fixed + cold-verified green (mattermost-lts, discourse, keycloak, mumble, gitea, bluesky-pds). No standing exceptions. Nothing merged. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Bacy8SJhBebNAGoYsi1Fxt
review(redfix-M2): PASS 6/6 — discourse re-verified level=5 (F-redfix-1 CLOSED); all 6 canon-sweep fixes cold-verified; node clean; no VETO; Builder cleared to DONE
2026-06-18 07:07:14 +00:00 · 2026-06-18 07:06:27 +00:00 · 2026-06-18 06:55:28 +00:00 · 2026-06-18 06:47:33 +00:00 · 2026-06-18 06:46:59 +00:00 · 2026-06-18 06:45:46 +00:00
386 changed files with 27825 additions and 2383 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -35,10 +35,12 @@ steps:
 # the comment-bridge). Deploys the recipe at the PR head, runs install/upgrade/backup + any
 # recipe-local tests via the shared harness, then guarantees teardown (plan §4.2/§4.3).
 #
-# Resource safety (plan §4.2/§4.3): MAX_TESTS=DRONE_RUNNER_CAPACITY=1 (nix/modules/drone-runner.nix) is
+# Resource safety (plan §4.2/§4.3): DRONE_RUNNER_CAPACITY=2 (nix/modules/drone-runner.nix, the
-# the primary concurrency cap; concurrency.limit below is a redundant belt. CCCI_JANITOR_MAX_AGE=0
+# single concurrency knob) allows two recipe runs in parallel. Concurrent-run safety is enforced by
-# makes the run-start janitor reap ANY orphaned run app before deploying — safe because capacity=1
+# the harness, not by serialisation: every run holds an exclusive flock on its app domain
-# means no concurrent run exists (a SIGKILL'd/timed-out build leaves an orphan with no teardown).
+# (/run/lock/cc-ci-app-<domain>.lock) for its whole process lifetime, the run-start janitor probes
 # that lock to reap only orphans (held lock = live run, never touched), and recipe working trees
 # are per-run ($ABRA_DIR/recipes — no shared checkout, no recipe lock). See docs/concurrency.md.
 kind: pipeline
 type: exec
 name: recipe-ci
@ -51,21 +53,37 @@ trigger:
  event:
    - custom
-concurrency:
+# NB deliberately NO `concurrency.limit` here: DRONE_RUNNER_CAPACITY (nix/modules/drone-runner.nix
-  limit: 1
+# maxTests) is the single concurrency knob (P4 — two knobs in two files drifted).
 steps:
  - name: ci
    environment:
      STAGES: install,upgrade,backup,restore,custom
-      CCCI_JANITOR_MAX_AGE: "0"
+      # The exec runner points HOME at a per-build workspace; force it to /root so abra's server
-      # The exec runner points HOME at a per-build workspace; force it to /root so abra finds its
+      # config is found via the per-run ABRA_DIR's servers/ symlink -> /root/.abra/servers.
-      # server config + recipes under /root/.abra (as the manual M4/M5 runs did). Safe: capacity=1
+      # Recipe trees are PER-RUN ($ABRA_DIR/recipes, exported by run_recipe_ci before any abra
-      # means no concurrent build shares /root/.abra.
+      # call), so concurrent builds never share a recipe checkout; app .env files are per-domain
      # in the shared canonical servers/ path, guarded by the app-domain flock.
      HOME: /root
    commands:
      # RECIPE/REF/PR/SRC (+ CCCI_QUICK for `!testme --quick`) are injected as env vars from the
      # build's custom params. CCCI_QUICK=1 makes run_recipe_ci take the opt-in fast lane (WC7);
      # absent => full cold (default). run_quick ignores STAGES (always upgrade+custom).
      - 'echo "recipe-ci: RECIPE=$RECIPE REF=$REF PR=$PR SRC=$SRC stages=$STAGES quick=${CCCI_QUICK:-0}"'
-      - cc-ci-run runner/run_recipe_ci.py
+      # P1 lock-lifetime hardening: run the harness in its own session/process group (setsid) and
      # forward a drone cancel (TERM to this step shell) to the WHOLE group, so the harness's
      # SIGTERM handler runs its teardown funnel instead of being leaked (the exec runner kills
      # only the step shell, not the tree). PDEATHSIG inside the harness backstops the case where
      # this shell dies without the trap firing. The harness exit code is captured explicitly and
      # the traps cleared before exiting: the runner shell is `set -e`, and an EXIT-trap kill of
      # the already-gone process group returns ESRCH, which otherwise poisons a GREEN run's exit
      # status to 1 (observed live, build 269: all tiers pass, step exit 1).
      - |
        setsid cc-ci-run runner/run_recipe_ci.py &
        PID=$!
        trap 'kill -TERM -- "-$PID" 2>/dev/null || true' TERM EXIT
        rc=0
        wait "$PID" || rc=$?
        trap - TERM EXIT
        exit "$rc"
--- a/AGENTS.md
+++ b/AGENTS.md
@ -3,6 +3,14 @@
 Working notes for agents (and humans) modifying the cc-ci server. See `README.md` for what the server
 does and `machine-docs/` for the build's living state (`DECISIONS.md`, `DEFERRED.md`, `STATUS-*.md`).
 ## File-location rule (mandatory)
 ALL coordination / loop-state files live under **`machine-docs/`**, NEVER the repo root. That means
 the phase-namespaced `STATUS-*.md`, `BACKLOG-*.md`, `REVIEW-*.md`, `JOURNAL-*.md`, the shared
 `DECISIONS.md` / `DEFERRED.md`, and the `ADVERSARY-INBOX.md` / `BUILDER-INBOX.md` side-channels.
 Create `machine-docs/` if missing; if you ever find one of these at the root, `git mv` it into
 `machine-docs/`. (The repo root is for actual server code/config — `runner/`, `tests/`, `nix/`, etc.)
 ## Testing cadence
 Two kinds of tests live here — run them on **different** cadences:
--- a/README.md
+++ b/README.md
@ -22,7 +22,7 @@ secrets/               sops-encrypted infra secrets (cc-ci-secrets submodule)
 bridge/                !testme webhook listener source
 runner/                run_recipe_ci.py + shared pytest harness
 dashboard/             results overview generator
-tests/<recipe>/        per-recipe install/upgrade/backup tests + playwright/
+tests/<recipe>/        per-recipe install/upgrade/backup tests + custom/
 docs/                  install, enroll-recipe, secrets, architecture, runbook, baseline
 ```
--- a/bridge/bridge.py
+++ b/bridge/bridge.py
@ -37,6 +37,7 @@ import time
 import urllib.error
 import urllib.parse
 import urllib.request
 from datetime import UTC, datetime
 from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
 GITEA_API = os.environ.get("GITEA_API", "https://git.autonomic.zone/api/v1")
@ -64,6 +65,8 @@ def parse_trigger(body):
    if s == f"{TRIGGER} --quick":
        return True, True
    return False, False
 ALLOWLIST = {u.strip() for u in os.environ.get("AUTH_ALLOWLIST", "").split(",") if u.strip()}
@ -79,6 +82,7 @@ GITEA_TOKEN = _read(os.environ["GITEA_TOKEN_FILE"])
 # Shared dedup across the poll + webhook paths: a comment id triggers at most one run.
 _PROCESSED: set = set()
 _PROCESSED_LOCK = threading.Lock()
 _PROCESS_STARTED_AT = datetime.now(UTC)
 def log(*a):
@ -167,8 +171,12 @@ def post_commit_status(owner, repo, sha, state, target_url, description=""):
        f"{GITEA_API}/repos/{owner}/{repo}/statuses/{sha}",
        GITEA_TOKEN,
        method="POST",
-        data={"state": state, "target_url": target_url,
+        data={
-              "description": description, "context": "cc-ci/testme"},
+            "state": state,
            "target_url": target_url,
            "description": description,
            "context": "cc-ci/testme",
        },
    )
@ -217,7 +225,9 @@ def result_comment_body(recipe, sha, num, run_url, status):
        if artifact_available(badge_url):
            body += f"\n\n[![level]({badge_url})]({run_url})"
        return f"{body}\n\n{links}"
-    return f"{header} → {run_url}\n\n_(summary card unavailable — see the run for details.)_ {links}"
+    return (
        f"{header} → {run_url}\n\n_(summary card unavailable — see the run for details.)_ {links}"
    )
 def watch_and_reflect(owner, name, number, num, recipe, sha, comment_id, run_url):
@ -269,6 +279,23 @@ def _claim(comment_id) -> bool:
        return True
 def _is_preexisting_comment(comment) -> bool:
    """Treat trigger comments older than this bridge process as already-seen.
    This closes the reopened-PR hole where a PR was CLOSED during bridge startup, so its old
    `!testme` comments were never marked seen by the first poll pass; when that PR is later reopened,
    the poller must not replay those historical comments as fresh triggers.
    """
    created = (comment or {}).get("created_at")
    if not created:
        return False
    try:
        created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
    except ValueError:
        return False
    return created_at <= _PROCESS_STARTED_AT
 def process_testme(full_name, owner, name, number, user, comment_id, source, quick=False):
    """Shared by both paths. Dedupes by comment id, checks authorization, resolves the PR head,
    triggers the build, comments the run link. Returns (run_url|None, reason)."""
@ -381,7 +408,7 @@ def poll_loop():
                    if not is_trigger:
                        continue
                    cid = c.get("id")
-                    if first:
+                    if first or _is_preexisting_comment(c):
                        _claim(cid)  # mark pre-existing comments seen; don't fire on startup
                        continue
                    user = (c.get("user") or {}).get("login", "")
--- a/dashboard/dashboard.py
+++ b/dashboard/dashboard.py
@ -25,6 +25,9 @@ from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
 DRONE_URL = os.environ.get("DRONE_URL", "https://drone.ci.commoninternet.net")
 CI_REPO = os.environ.get("CI_REPO", "recipe-maintainers/cc-ci")
 CACHE_TTL = int(os.environ.get("CACHE_TTL", "30"))
 # Per-recipe history display cap (phase dash): a long-lived recipe (plausible/custom-html have 30+
 # runs) stays bounded; newest runs are kept (the list is sorted newest-first before the slice).
 HISTORY_CAP = int(os.environ.get("HISTORY_CAP", "30"))
 # Phase 3 (R3/R6/U2.3): per-run artifacts (results.json, summary card PNG, app screenshot, level
 # badge) written by run_recipe_ci.py under this host dir, bind-mounted read-only into the dashboard
@ -38,6 +41,7 @@ _RUN_FILES = {
    "screenshot.png": "image/png",
    "badge.svg": "image/svg+xml",
    "summary.html": "text/html; charset=utf-8",
    "lint.txt": "text/plain; charset=utf-8",
 }
 _RUN_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
@ -50,9 +54,14 @@ def _read(path):
 DRONE_TOKEN = _read(os.environ["DRONE_TOKEN_FILE"])
 _CACHE = {"ts": 0.0, "recipes": []}
-# Raw custom builds (newest-first), cached so the overview AND the per-recipe history page share one
+# Raw custom builds (newest-first), cached within CACHE_TTL. Feeds the OVERVIEW (latest-per-recipe).
-# Drone fetch within CACHE_TTL (U4 history reads the same list latest_per_recipe groups from).
+# The per-recipe HISTORY page no longer reads this slice — it sources the full history from the local
 # run artifacts instead (see _local_history / phase dash), because this Drone slice is capped at the
 # latest 100 builds and drops a recipe's older runs out of view.
 _BUILDS = {"ts": 0.0, "builds": []}
 # Per-recipe history sourced from the LOCAL run artifacts under CCCI_RUNS_DIR (complete: 300+ runs,
 # durable, independent of Drone's 100-build window). Whole-dir scan grouped by recipe, cached CACHE_TTL.
 _LOCAL = {"ts": 0.0, "by_recipe": {}}
 _COLORS = {
    "success": "#3fb950",
@ -66,8 +75,12 @@ _COLORS = {
 # Level → colour ramp, kept in sync with runner/harness/card.py LEVEL_COLOR (the dashboard is a
 # standalone stdlib service that doesn't import the runner harness, so the small map is duplicated).
 _LEVEL_COLOR = {
-    0: "#e5534b", 1: "#e0823d", 2: "#e0823d", 3: "#d9b343",
+    0: "#e5534b",
-    4: "#a0b93f", 5: "#57ab5a", 6: "#3fb950",
+    1: "#e0823d",
    2: "#e0823d",
    3: "#d9b343",
    4: "#a0b93f",
    5: "#3fb950",  # bright green — full 5-rung climb incl. lint (phase lvl5)
 }
@ -147,7 +160,6 @@ def _build_row(b):
        "ref": ref[:8],
        "version": res.get("version") or ref[:12] or "—",
        "level": res.get("level"),
        "level_cap_reason": res.get("level_cap_reason") or "",
        "has_screenshot": bool(res.get("screenshot")),
        "flags": res.get("flags") or {},
        "finished": b.get("finished") or 0,
@ -168,13 +180,80 @@ def latest_per_recipe():
    return [_build_row(latest[r]) for r in sorted(latest)]
 def _numeric_id(n):
    """run dir name as int for sort tiebreak; -1 for named ids (m2r-*, ab-*) so the PRIMARY sort key
    (finished timestamp) decides their position, never int() on a non-numeric id (would crash)."""
    try:
        return int(n)
    except (TypeError, ValueError):
        return -1
 def _run_status(res):
    """Overall pass/fail for a finished run, derived from its per-stage results map (results.json has
    no single top-level status field). Any failed/errored stage → failure; all pass/skip → success;
    empty/unknown → unknown. A skip alone is not a failure."""
    vals = list((res.get("results") or {}).values())
    if any(v in ("fail", "error") for v in vals):
        return "failure"
    if vals and all(v in ("pass", "skip") for v in vals):
        return "success"
    return "unknown"
 def _local_history_row(run_id, res):
    """Project a local run artifact (results.json) into the same display-row shape _build_row emits,
    so render_history is unchanged. `number` is the run dir name (the /runs/<id>/ path + _results_for
    key); link to the Drone build when the id is numeric, else to the local summary card."""
    ref = res.get("ref") or ""
    url = f"{DRONE_URL}/{CI_REPO}/{run_id}" if str(run_id).isdigit() else f"/runs/{run_id}/summary.html"
    return {
        "recipe": res.get("recipe"),
        "status": _run_status(res),
        "number": run_id,
        "ref": ref[:8],
        "version": res.get("version") or ref[:12] or "—",
        "level": res.get("level"),
        "has_screenshot": bool(res.get("screenshot")),
        "flags": res.get("flags") or {},
        "finished": res.get("finished") or 0,
        "url": url,
    }
 def _local_history():
    """Scan CCCI_RUNS_DIR once (cached CACHE_TTL), group runs by recipe sorted newest-first by the
    `finished` timestamp. Run dirs with no/malformed results.json (in-flight / failed-early) are
    skipped via _results_for ({} on miss) — never raises, never emits a garbage row. {recipe: [row]}."""
    now = time.time()
    if now - _LOCAL["ts"] <= CACHE_TTL and _LOCAL["by_recipe"]:
        return _LOCAL["by_recipe"]
    by_recipe = {}
    try:
        names = os.listdir(CCCI_RUNS_DIR)
    except OSError as e:
        log("local runs scan failed", e)
        return _LOCAL["by_recipe"]
    for name in names:
        res = _results_for(name)  # traversal-guarded read; {} on miss / malformed / non-dir
        recipe = res.get("recipe")
        if not recipe:
            continue
        by_recipe.setdefault(recipe, []).append(_local_history_row(name, res))
    # Sort newest-first by finished timestamp (ids are MIXED numeric + named, so a numeric/lexical id
    # sort would misorder — timestamp is the only correct key); numeric id is a stable tiebreak only.
    for rows in by_recipe.values():
        rows.sort(key=lambda r: (r["finished"], _numeric_id(r["number"])), reverse=True)
    _LOCAL["by_recipe"] = by_recipe
    _LOCAL["ts"] = now
    return by_recipe
 def history_for(recipe):
-    """All runs for one recipe (newest first), augmented from results.json — the per-recipe history
+    """All runs for one recipe (newest first, display-capped at HISTORY_CAP), sourced from the LOCAL
-    page (R5 'link to history'). [] if none / None on fetch error."""
+    run artifacts under CCCI_RUNS_DIR — complete + durable, independent of Drone's 100-build window
-    builds = _custom_recipe_builds()
+    (phase dash root cause). [] when the recipe has no local runs."""
-    if builds is None:
+    return _local_history().get(recipe, [])[:HISTORY_CAP]
        return None
    return [_build_row(b) for b in builds if (b.get("params") or {}).get("RECIPE") == recipe]
 def recipes_cached():
@ -215,7 +294,6 @@ a{color:#58a6ff;text-decoration:none} a:hover{text-decoration:underline}
 .name{font-weight:700;font-size:1.05rem;color:#e6edf3}
 .row{display:flex;align-items:center;gap:.5rem;flex-wrap:wrap;font-size:.82rem}
 .pill{color:#fff;padding:.08rem .5rem;border-radius:.5rem;font-size:.75rem;font-weight:600}
 .cap{color:#8b949e;font-size:.75rem}
 code{background:#0d1117;border:1px solid #21262d;border-radius:.3rem;padding:0 .3rem;font-size:.78rem;color:#c9d1d9}
 .flags{display:flex;gap:.4rem;font-size:.72rem;color:#8b949e}
 .foot{margin-top:auto;display:flex;justify-content:space-between;font-size:.8rem;padding-top:.3rem;border-top:1px solid #21262d}
@ -269,13 +347,12 @@ def _card(r):
            f'<a class="shot" href="{run_url}" title="open run">'
            f'<span class="ph">no screenshot</span>{_level_pill(r["level"])}</a>'
        )
    cap = f'<div class="cap">{html.escape(r["level_cap_reason"])}</div>' if r["level_cap_reason"] else ""
    return (
        f'<div class="card">{shot}<div class="body">'
        f'<div class="name">{html.escape(r["recipe"])}</div>'
        f'<div class="row"><span class="pill" style="background:{color}">{html.escape(r["status"])}</span>'
        f'<code>{html.escape(r["version"])}</code></div>'
-        f"{cap}{_flags_html(r['flags'])}"
+        f"{_flags_html(r['flags'])}"
        f'<div class="foot"><a href="{run_url}">run #{num} · {_ago(r["finished"])}</a>'
        f'<a href="/recipe/{html.escape(r["recipe"])}">history →</a></div>'
        f"</div></div>"
@ -307,7 +384,11 @@ def render_history(recipe, rows):
    trs = []
    for r in rows:
        color = _COLORS.get(r["status"], "#8b949e")
-        lvl = "—" if r["level"] is None else f'<b style="color:{level_color(r["level"])}">L{int(r["level"])}</b>'
+        lvl = (
            "—"
            if r["level"] is None
            else f'<b style="color:{level_color(r["level"])}">L{int(r["level"])}</b>'
        )
        shot = f'<a href="/runs/{r["number"]}/summary.png">card</a>' if r["has_screenshot"] else "—"
        trs.append(
            f'<tr><td><a href="{html.escape(r["url"])}">#{r["number"]}</a></td>'
@ -317,7 +398,7 @@ def render_history(recipe, rows):
        )
    body = "\n".join(trs) or '<tr><td colspan="6">no runs for this recipe yet</td></tr>'
    inner = (
-        f'<h1>{_FLOWER} {html.escape(recipe)} — run history</h1>'
+        f"<h1>{_FLOWER} {html.escape(recipe)} — run history</h1>"
        '<p class="sub"><a href="/">← all recipes</a> · every <code>!testme</code> run, newest first.</p>'
        "<table><thead><tr><th>Run</th><th>Status</th><th>Level</th><th>Version</th>"
        "<th>When</th><th>Card</th></tr></thead><tbody>"
--- a/docs/concurrency.md
+++ b/docs/concurrency.md
@ -0,0 +1,236 @@
 # Concurrency: how parallel recipe CI runs stay safe
 Spec of the concurrent-run system after the 2026-06-10 restructure (branch
 `restructure/concurrency`; plan: cc-ci-plan `concurrency-restructure-full-plan.md`). The previous
 registry + per-recipe-flock model is documented in this file's git history (`5b65c6c`).
 ## 1. Goal and design summary
 Two recipe CI builds may run **at the same time** on the single cc-ci host. Safety is enforced by
 the **harness**, not by serialising everything, and rests on ONE locking mechanism plus ONE
 structural isolation:
 | Rule | Mechanism |
 |---|---|
 | Different recipes run in parallel | nothing blocks them (isolation, §3) |
 | Same-RECIPE runs run in parallel too | per-run `ABRA_DIR` recipe trees (§4) — no shared tree, no lock |
 | Same-DOMAIN runs (double-`!testme` of one PR) serialise | per-app-domain `flock` (§5) |
 | A starting run never reaps a live concurrent run's app | janitor probes the app lock; held = live (§6) |
 | A crashed/canceled/rebooted run's leftovers get reaped | lock auto-released by the kernel → probe acquires → reap (§6) |
 The invariant chain that makes "held lock = live owner" sound:
 ```
 lock lifetime ⊆ harness process lifetime ⊆ drone step lifetime ⊆ 60-min hard deadline
 ```
 - **lock ⊆ process**: locks are kernel flocks on fds the process holds (and PEP 446 makes those
  fds non-inheritable, so abra/docker/pytest children never carry them). The kernel releases them
  on process death, however it dies. There is no unlock code path and no stale-lock failure mode.
 - **process ⊆ step**: `PR_SET_PDEATHSIG(SIGTERM)` + the `.drone.yml` setsid/trap wrap (§2) — a
  dead or canceled build cannot leak a running harness.
 - **step ⊆ 60 min**: `signal.alarm(3600)` self-deadline (§2).
 Never steal a held lock; manage the holder's lifetime. There is **no daemon and no shared state
 service** — everything is kernel/file primitives under `/run/lock` and per-run directories.
 ## 2. Mechanism 0: run-lifetime hardening (`runner/harness/lifetime.py`)
 `run_recipe_ci.main()` calls `lifetime.install_lifetime_guards()` before ANY abra call or lock
 acquisition:
 1. **`PR_SET_PDEATHSIG(SIGTERM)`** (ctypes prctl, return code checked): if the parent — the drone
   step shell — dies, the kernel TERMs the harness. A post-prctl `ppid == 1` re-check closes the
   start race: a harness whose parent died *before* the prctl armed would never get the signal,
   so it refuses to run orphaned.
 2. **SIGTERM handler**: logs, then raises `SystemExit(143)` so the run's `finally:` teardown
   funnel executes and the process exits non-zero. Re-entrant signals during teardown are logged
   and IGNORED (`lifetime.begin_teardown()`, also set at the top of the run's `finally:` blocks)
   so a second signal can't abort the cleanup the first one asked for.
 3. **`signal.alarm(3600)` hard deadline**: SIGALRM funnels into the same teardown path with a
   distinct log line (`== run exceeded 60-minute hard deadline — tearing down ==`), exit 142.
   Recipes keep their own smaller per-tier timeouts; this bounds the whole run. Teardown time
   after the deadline is deliberately not alarm-bounded — the janitor is the backstop if a
   teardown wedges and the process is killed harder.
 The `.drone.yml` recipe-ci step runs the harness as `setsid cc-ci-run … &` with a
 `trap 'kill -TERM -- "-$PID"' TERM EXIT; wait "$PID"` — a drone **cancel** (TERM to the step
 shell) is forwarded to the harness's whole process group instead of leaking it (the exec runner
 only kills the step shell). PDEATHSIG backstops the no-trap paths.
 ## 3. Isolation model: what is shared, what is per-run
 Per-run (no conflict possible):
 - **App + stack + volumes + secrets.** Run app domain = `naming.app_domain()` →
  `<recipe[:4]>-<sha1(recipe|pr|ref)[:6]>.ci.commoninternet.net`, unique per (recipe, pr, ref);
  everything abra creates is namespaced by it. Run apps are recognised by
  `RUN_APP_RE = ^[a-z0-9]{1,4}-[0-9a-f]{6}\.ci\.commoninternet\.net$`; warm/canonical apps
  (e.g. `warm-keycloak...`) deliberately do NOT match → the janitor never probes them.
 - **Recipe working trees** — `$ABRA_DIR/recipes/<recipe>`, per run (§4). NEW in the restructure.
 - **Drone build workspace** (`/var/lib/drone-runner/drone-<id>/`) and **run artifacts**
  (`/var/lib/cc-ci-runs/<run-id>/`).
 - **Run-scoped state files** (`/tmp/ccci-{deploys,opstate,deps,depskip}-<run-id>-<pid>…`) —
  keyed by run id + harness pid via `run_recipe_ci._run_state_path()`, NEVER by app domain.
  A second run of the same domain executes its `main()` preamble before blocking at the app
  lock (§5), so domain-keyed files would be reset/removed underneath the live first run
  (live finding, M2(c) double-`!testme`: false DG4.1 deploy-count in run 1, countfile
  `FileNotFoundError` in run 2). Tier/hook children get the exact paths via the
  `CCCI_*_FILE` env vars; removed on normal run exit.
 Shared (by design, conflict-free):
 - **`/root/.abra/servers`** — app `.env` files, one per domain. The per-run `ABRA_DIR` symlinks
  `servers/` here, so .env files land in the canonical path: janitor discovery (`abra app ls`)
  and out-of-run tooling see every app. Per-domain filenames + the app-domain lock prevent write
  conflicts.
 - **`/root/.abra/catalogue`** — read-mostly, symlinked into each per-run dir.
 - **`HOME=/root`** (forced in `.drone.yml`) — safe: nothing recipe-mutable lives under `~/.abra`
  for a run anymore except through the two symlinks above.
 ## 4. Mechanism 1: per-run `ABRA_DIR` (replaces the per-recipe flock)
 `run_recipe_ci.setup_run_abra_dir()` — called first thing in `main()`, before any abra call —
 builds `<runs_dir>/<run-id>/abra/` (run-id = Drone build number; `manual-<pid>` for hand runs):
 ```
 abra/
  servers/    -> /root/.abra/servers     (symlink; canonical shared .env path)
  catalogue/  -> /root/.abra/catalogue   (symlink; read-mostly)
  recipes/    fresh, empty               (THE isolation that matters)
 ```
 and exports it as `$ABRA_DIR` — honored by the abra CLI itself and by every harness path helper
 (`abra.abra_dir()` / `abra.recipe_dir()`; `generic._recipe_dir`, `prepull_images`,
 `snapshot_recipe_tests`, `warm_reconcile._recipe_dir` all route through the same rule:
 `$ABRA_DIR` if set, else `~/.abra`).
 - `fetch_recipe()` is now a plain clone into `$ABRA_DIR/recipes/<recipe>` (PR-head clone+checkout
  or `abra recipe fetch`); the upgrade tier's mid-run `git checkout`s happen in the run's own
  tree. Two same-recipe runs can no longer corrupt each other — structurally, with no lock. The
  old observed failure (immich builds 229/230 deploying a tree missing its config) is impossible.
 - `CCCI_SKIP_FETCH=1` (test/Adversary staging) copies the canonically-staged
  `~/.abra/recipes/<recipe>` clone into the per-run tree.
 - Out-of-run flows (warm_reconcile's systemd timer, manual abra) set no `ABRA_DIR` and keep using
  the canonical `/root/.abra` unchanged. In-run flows that touch canonical state on purpose
  (warm/canonical .env files) go through `servers/` and are unaffected.
 - The per-run dir rides along the existing `/var/lib/cc-ci-runs/<run-id>/` retention. abra
  auto-clones any recipe it needs to resolve (e.g. during `app ls`) into the per-run `recipes/` —
  a few seconds of git per run, gone with the run dir.
 ## 5. Mechanism 2: per-app-domain flock (`lifecycle.acquire_app_lock`)
 - Lock file: `/run/lock/cc-ci-app-<domain>.lock` (dir overridable via `CCCI_APP_LOCK_DIR` for the
  test suite), exclusive `fcntl.flock`, taken in `deploy_app()` **before the app is created** — a
  concurrent janitor can never see a run app without its held lock.
 - Blocks (with a log line: `== app lock: another run of <domain> is in flight — waiting ==`) when
  another run of the SAME domain is in flight — the double-`!testme` serialisation point; the
  waiting run is visibly parked at that line in its drone log, by design.
 - The returned file object is ALSO retained in module-level `_held_app_locks` — if a caller
  dropped it, GC would close the fd and silently release the lock.
 - mtime is touched at acquisition: lock age feeds the janitor's long-held flag (§6).
 - **Unlink/recreate race guard**: the janitor unlinks reaped lockfiles, so after EVERY
  acquisition the locked fd is verified to still be the inode the path names
  (`fstat().st_ino == stat().st_ino`); a waiter that won a just-unlinked inode closes it and
  retries on the live path. (A lock on an unlinked inode protects nothing: a later opener gets a
  fresh inode and would acquire "the same" lock.)
 - Release is implicit: process exit (any kind). `teardown_app()` does NOT release or unlink —
  a clean run's leftover lockfile is unheld and is unlinked on sight by the next janitor sweep.
 ## 6. The flock-probe janitor (`lifecycle.janitor`)
 Runs at every run start (cold + quick paths) and in the warm/upgrade sweeps. Candidate discovery
 is unchanged from the old model: `abra app ls` + a docker-service sweep (catches stacks whose
 `.env` is already gone), both matched against `RUN_APP_RE` — warm/canonical apps never match and
 are never probed.
 Decision table (per candidate domain, `_probe_and_reap`):
 | Probe (`LOCK_EX\|LOCK_NB`) | Meaning | Action |
 |---|---|---|
 | acquires (+ inode identity OK) | nobody holds it → owner died (kernel-guaranteed) | **reap**: `teardown_app(verify=False)` WHILE HOLDING the probe lock, then unlink the lockfile, then release |
 | acquires, inode stale | another janitor reaped + unlinked while we raced | skip (reap already done; unlinking now would hit a newer run's file) |
 | `BlockingIOError` (held) | live concurrent run | leave it; if lockfile mtime > 120 min (2× the hard deadline): `!! lock for <domain> held >120min — possible leaked run; inspect with lslocks` — flag, **never steal** |
 | `open()` fails (`OSError`) | garbled/unopenable lockfile | skip + log, never crash |
 - Reaping under the probe lock closes the janitor-vs-new-run race: a new run of that domain
  blocks in `acquire_app_lock` until the reap finishes — no window where a fresh app coexists
  with a half-reaped one.
 - Two racing janitors arbitrate on the flock: one reaps, the other sees "held" and leaves; reaps
  are idempotent (`teardown_app(verify=False)` tolerates half-gone stacks).
 - After the candidates, a tidy sweep unlinks stale **unheld** `cc-ci-app-*.lock` files with no
  app behind them (under their own probe lock + identity check), keeping `/run/lock` clean.
 - **Post-reboot**: `/run/lock` is tmpfs → lockfiles gone → every surviving app probes as an
  orphan → reaped immediately. (Improvement over the old 2-hour age fallback; there IS no age
  logic anymore.)
 ## 7. Failure-mode guarantees
 | Event | Outcome |
 |---|---|
 | Run crashes / SIGKILL mid-run | flock auto-released by kernel → next janitor probe reaps app + lockfile |
 | Drone build canceled via API | step trap TERMs the harness process group → SIGTERM funnel runs the run's own teardown (exit 143); if anything still leaks, PDEATHSIG + janitor reap (the old "cancel leaks the harness" gap is CLOSED) |
 | Run exceeds 60 min | SIGALRM → distinct log line → own teardown → exit 142 |
 | Host reboot | locks and lockfiles vanish (tmpfs, correct: no owners survived) → all surviving run apps reaped at the next run start, immediately |
 | Two same-recipe `!testme`s (different PRs) | run in parallel — separate domains, separate per-run recipe trees |
 | Double-`!testme` (same PR → same domain) | second blocks on the app lock before creating anything, visibly in its drone log, runs after the first finishes |
 | Janitor vs. app being created | impossible to mis-reap: the lock is held before `app new`, and a held lock is never touched |
 | Janitor unlink vs. blocked waiter | inode identity re-check on every acquisition → waiter retries on the live path |
 | Lock held implausibly long (>120 min) | flagged loudly for a human (`lslocks`), never stolen |
 ## 8. Where convergence fits (adjacent; unchanged by the restructure)
 Two swarm-convergence behaviors in `services_converged()` look like concurrency bugs but aren't —
 any future work must keep them fixed:
 - **N/N replicas ≠ converged** during a stop-first rolling update — `UpdateStatus.State` is also
  inspected (build 238: backupbot exec'd into a container killed seconds later).
 - **`paused` persists forever** (swarm's default `update-failure-action`) — only `updating` and
  `rollback_started` block convergence; `paused`/`rollback_paused` are settled (build 241).
 - `backup_app()` additionally waits (bounded 300s) for convergence before `backup create`.
 ## 9. Configuration knobs
 | Knob | Where | Current | Meaning |
 |---|---|---|---|
 | `DRONE_RUNNER_CAPACITY` (aka `MAX_TESTS`) | `nix/modules/drone-runner.nix` (`maxTests`) | `2` | **THE single concurrency knob.** Max builds the exec runner executes at once; Drone queues the rest. (The `.drone.yml` `concurrency.limit` duplicate was removed.) Change requires `nixos-rebuild switch`. |
 | `CCCI_APP_LOCK_DIR` | env, read at call time | unset → `/run/lock` | App-domain lockfile dir override — used by `tests/concurrency` to sandbox locks. Never set in production. |
 | hard deadline | `lifetime.HARD_DEADLINE_SECONDS` | 3600 s | the whole-run alarm; long-held flag threshold is 2× this (`LONG_HELD_LOCK_SECONDS`) |
 ## 10. Testing: `tests/concurrency/`
 Real-kernel suite (19 planned cases + companions): helper subprocesses hold REAL flocks and
 install the REAL prctl/signal/alarm guards — flock itself is never mocked; the janitor runs with
 injected candidates + stubbed teardown but probes real locks. **Not part of the default
 `pytest tests/unit` gate** (it spawns processes and sleeps); run it explicitly:
 ```
 cc-ci-run -m pytest tests/concurrency -q
 ```
 Covers: kernel auto-release on SIGKILL; LOCK_NB probe semantics; PEP 446 fd non-inheritance;
 same-domain serialisation; orphan reap + unlink; live-run protection; reap-under-probe-lock
 blocking; two-janitor arbitration; reboot-immediate reap; long-held flag; RUN_APP_RE allowlist;
 degrade-on-garbage; PDEATHSIG; ppid start race; deadline + SIGTERM funnels; per-run ABRA_DIR
 construction/export; concurrent same-recipe fetch isolation; symlinked-servers .env canonicality;
 run-keyed (never domain-keyed) run-scoped state files (M2(c) regression, `test_run_state.py`).
 ## 11. File / symbol index
 | What | Where |
 |---|---|
 | lifetime guards (PDEATHSIG, signal funnels, deadline) | `runner/harness/lifetime.py`; installed in `run_recipe_ci.main()` |
 | setsid/trap cancel forwarding | `.drone.yml` (`recipe-ci` step) |
 | `acquire_app_lock`, `_held_app_locks`, `_app_lock_path` | `runner/harness/lifecycle.py` |
 | `acquire_app_lock` call site | `lifecycle.deploy_app()` (before app creation) |
 | janitor + probe (`janitor`, `_probe_and_reap`, `LONG_HELD_LOCK_SECONDS`) | `runner/harness/lifecycle.py` |
 | per-run ABRA_DIR (`setup_run_abra_dir`, `fetch_recipe`) | `runner/run_recipe_ci.py` |
 | path resolution (`abra_dir`, `recipe_dir`) | `runner/harness/abra.py` (used by `generic`, `lifecycle.prepull_images`, `warm_reconcile`) |
 | run-app naming | `runner/harness/naming.py` (`app_domain`), `RUN_APP_RE` in `lifecycle.py` |
 | capacity knob | `nix/modules/drone-runner.nix` (`maxTests`) |
 | convergence (adjacent) | `lifecycle.services_converged()`, `lifecycle.backup_app()` |
 | the test suite | `tests/concurrency/` (`helpers.py` subprocess entrypoints, `concutil.py` probes) |
 Deleted in the restructure (grep should find NOTHING): `register_run_app`, `unregister_run_app`,
 `_run_owner_state`, `ACTIVE_RUN_DIR`, `CCCI_JANITOR_MAX_AGE`, `_stack_age_seconds`,
 `acquire_recipe_lock`, `RECIPE_LOCK_DIR`.
--- a/docs/enroll-recipe.md
+++ b/docs/enroll-recipe.md
@ -14,19 +14,19 @@ those are discovered and run against the live app (D4 — see below).
 ```
 tests/<recipe>/
 ├── recipe_meta.py      # optional per-recipe harness config (see below)
-├── install_steps.sh    # optional custom install-steps hook (pre-deploy setup)
+├── install_steps.sh    # optional custom install-steps hook (pre-deploy setup + deps env wiring)
-├── ops.py              # optional pre-op seed hooks (pre_install/pre_upgrade/pre_backup/pre_restore)
+├── compose.ccci.yml    # optional CI-only compose overlay (harness-copied, auto-chaos base deploy)
 ├── ops.py              # optional pre_<op>(ctx) seed hooks (install/upgrade/backup/restore)
 ├── test_install.py     # optional install overlay  (runs ADDITIVELY alongside generic)
 ├── test_upgrade.py     # optional upgrade overlay   (runs ADDITIVELY alongside generic)
 ├── test_backup.py      # optional backup overlay    (runs ADDITIVELY alongside generic)
 ├── test_restore.py     # optional restore overlay   (runs ADDITIVELY alongside generic)
 ├── PARITY.md           # Phase 2 P2: mapping table (recipe-maintainer tests → cc-ci tests)
-├── functional/         # Phase 2 P3: parity ports + ≥2 NEW recipe-specific tests
+└── custom/             # custom tier: parity ports + recipe-specific tests + browser flows
-│   ├── test_health_check.py    # parity port of recipe-info/<recipe>/tests/health_check.py
+    ├── test_health_check.py    # parity port of recipe-info/<recipe>/tests/health_check.py
-│   ├── test_<behavior>.py      # ≥2 NEW recipe-specific functional tests
+    ├── test_<behavior>.py      # ≥2 NEW recipe-specific tests
-│   └── …
+    ├── test_<flow>.py          # browser/UI flows where relevant
-└── playwright/         # Phase 2 P6: browser flows where the app's core UX is a UI
+    └── …
    └── test_<flow>.py
 ```
 **A recipe is testable with ZERO config:** with no overlay files, the **generic lifecycle suite**
@ -39,11 +39,14 @@ To add recipe-specific coverage, drop a `tests/<recipe>/test_<op>.py` **overlay*
 **ALONGSIDE** the generic for that op (HC3 additive, Phase 1e); the generic floor is never silently
 dropped. Overlays are **assertion-only** against the shared live deployment (the `live_app` fixture;
 they never perform the op or deploy/teardown — the orchestrator owns those). If the overlay needs to
-SEED pre-op state (data-continuity markers, the backup→restore divergence), put `pre_<op>(domain,
+SEED pre-op state (data-continuity markers, the backup→restore divergence), put `pre_<op>(ctx)`
-meta)` callables in `tests/<recipe>/ops.py` — the orchestrator runs them BEFORE the op. Copy an
+callables in `tests/<recipe>/ops.py` — the orchestrator runs them BEFORE the op (`ctx` is the
 uniform `HookCtx` every hook receives — `docs/recipe-customization.md` §4.1). Copy an
 existing recipe (`tests/custom-html/` simple/volume marker; `tests/keycloak/` admin-API; `tests/
 matrix-synapse/` `db`-service psql marker). **Do not edit the shared `tests/conftest.py` /
-`runner/harness/` to add a recipe** — set per-recipe knobs in `recipe_meta.py`:
+`runner/harness/` to add a recipe** — set per-recipe knobs in `recipe_meta.py` (the COMPLETE key
 reference is the generated table in `docs/recipe-customization.md` §4; unknown ALL-CAPS keys are
 hard errors, recipe-private constants are underscore-prefixed `_FOO`):
 ```python
 HEALTH_PATH = "/realms/master"   # path that returns a healthy status (default "/")
@ -51,9 +54,7 @@ HEALTH_OK = (200,)               # acceptable status codes (default 200/301/302)
 DEPLOY_TIMEOUT = 600             # seconds for services to converge (default 600)
 HTTP_TIMEOUT = 600               # seconds for the app to answer (default 300)
 BACKUP_CAPABLE = True            # override backup-capability auto-detect (default: scan compose)
-EXTRA_ENV = {"KEY": "value"}     # or EXTRA_ENV(domain) -> dict; extra .env keys set at deploy
+EXTRA_ENV = {"KEY": "value"}     # or EXTRA_ENV(ctx) -> dict; extra .env keys set at deploy
 SKIP_GENERIC = ["upgrade"]       # per-recipe opt-out from the generic floor for the listed ops
                                 #  ("all"/"*" = every op); rarely needed — generic is the floor
 ```
 Useful `harness.lifecycle` helpers for overlays: `http_get`, `http_fetch`, `http_body`,
@ -66,19 +67,20 @@ ops themselves are orchestrator-owned (you never call them from an overlay). The
 Beyond the lifecycle overlays, each recipe carries (plan §4.1):
 - **`PARITY.md`** — a mapping table from every `references/recipe-maintainer/recipe-info/<recipe>/
-  tests/*.py` to a comparable cc-ci test under `tests/<recipe>/functional/`, asserting the
+  tests/*.py` to a comparable cc-ci test under `tests/<recipe>/custom/`, asserting the
  *same thing* (not a renamed file). A deliberate non-port is documented in `DECISIONS.md` with
  a technical reason — never a silent omission.
- **`functional/`** — parity-port tests + **≥2 NEW recipe-specific functional tests** that
+- **`custom/`** — parity-port tests + **≥2 NEW recipe-specific tests** that exercise the app's
-  exercise the app's characteristic behavior (per plan §4.3 — e.g. "create-an-object +
+  characteristic behavior (per plan §4.3 — e.g. "create-an-object + read-it-back, and one more
-  read-it-back, and one more that touches a distinctive feature"). Each parity-port file carries
+  that touches a distinctive feature"). Browser/UI flows live in the same folder too. Each
-  a `SOURCE = "recipe-info/<recipe>/tests/<file>"` comment near the top so audit is in-file.
+  parity-port file carries a `SOURCE = "recipe-info/<recipe>/tests/<file>"` comment near the top
- **`playwright/`** — browser flows where the recipe's core UX is a UI (P6).
+  so audit is in-file.
-The orchestrator's **custom** tier discovers `test_*.py` in `tests/<recipe>/{functional,playwright}/`
+The orchestrator's **custom** tier discovers `test_*.py` in canonical `tests/<recipe>/custom/`
-(recursive, via `runner/harness/discovery.custom_tests`) and runs each as its own pytest against
+(plus deprecated `functional/` / `playwright/` aliases during migration; discovery warns when it
-the same `live_app` shared deployment. Lifecycle-named files (`test_install.py`/etc.) are
+uses them) and runs each as its own pytest against the same
-**excluded** from the custom tier — they live at the top level and run as lifecycle overlays.
+`live_app` shared deployment. Lifecycle-named files (`test_install.py`/etc.) are **excluded**
 from the custom tier even inside those subdirs (safety net against double-running).
 ### 2.2 Recipe-test dependencies — DEPS = [...] (Phase 2 Q2.3)
@ -89,23 +91,28 @@ them in `recipe_meta.py`:
 DEPS = ["keycloak"]  # one entry per dep recipe name (cc-ci tests/<dep>/ must exist + work)
 ```
-The orchestrator (plan §4.2):
+The orchestrator (plan §4.2; install-time provisioning is the ONLY mode):
-1. Reads `DEPS` BEFORE deploying the recipe under test.
+1. Reads `DEPS` and provisions every dep **BEFORE the single deploy** of the recipe under test —
-2. Deploys each dep at a per-run domain `<dep[:4]>-<6hex>.ci.commoninternet.net` (the 6hex is
+   each dep at a per-run domain `<dep[:4]>-<6hex>.ci.commoninternet.net` (the 6hex is hashed from
-   hashed from `parent_recipe + pr + ref + dep_recipe` so two recipes' deps of the same kind do
+   `parent_recipe + pr + ref + dep_recipe` so two recipes' deps of the same kind do not collide on
-   not collide on a single node).
+   a single node), waited healthy using the dep's own `recipe_meta.py`.
-3. Waits each dep healthy using its own `recipe_meta.py` (HEALTH_PATH/HEALTH_OK/timeouts).
+2. Persists the full per-dep identity + SSO creds dict to `$CCCI_DEPS_FILE` (jq-readable JSON,
-4. Persists `[{"recipe": "<dep>", "domain": "<dep-domain>"}, ...]` to `$CCCI_DEPS_FILE`.
+   `{"<dep>": {"domain": ..., "realm": ..., "client_secret": ..., ...}}`).
-5. Deploys + tests the recipe under test as usual.
+3. Deploys the recipe under test — its `install_steps.sh` reads `$CCCI_DEPS_FILE` and wires
-6. Tears down the dep LAST in `finally` (reverse declaration order, with `verify=True` — leaked
+   OIDC env into that ONE deploy (no post-deploy redeploy). A dep-provisioning failure does NOT
   block the run: the recipe deploys alone, generic tiers run, and `requires_deps` tests skip
   with a counted reason (F2-11).
 4. Tears down the dep LAST in `finally` (reverse declaration order, with `verify=True` — leaked
   deps fail the run loudly per §9 teardown sacred / F2-5 fix).
-Tests access dep domains via the **`deps_apps` pytest fixture** (`tests/conftest.py`):
+Tests access deps via the **`deps` pytest fixture** (`tests/conftest.py`) — entries expose
 `.domain` plus the full creds dict (attribute or dict-style):
 ```python
-def test_my_recipe_uses_keycloak(live_app, deps_apps):
+@pytest.mark.requires_deps
-    assert "keycloak" in deps_apps, f"keycloak dep not deployed; {deps_apps}"
+def test_my_recipe_uses_keycloak(live_app, deps):
-    kc_domain = deps_apps["keycloak"]
+    assert "keycloak" in deps, f"keycloak dep not deployed; {deps}"
    kc_domain = deps["keycloak"].domain
    …
 ```
@ -120,7 +127,7 @@ For OIDC-dependent recipes, the shared `runner/harness/sso.py` provides:
 from harness import sso
 creds = sso.setup_keycloak_realm(
-    kc_domain,                   # = deps_apps["keycloak"]
+    kc_domain,                   # = deps["keycloak"].domain
    realm="my-realm",
    client_id="my-client",
    redirect_uris=[f"https://{live_app}/*"],
@ -144,10 +151,10 @@ ARE provider-pluggable.
 Not every recipe is a single HTTP app. `recipe_meta.py` + a few harness mechanisms cover the harder
 shapes (proven on mumble, mailu, and the SSO-dependent suite):
- **`EXTRA_ENV`** — a dict **or** a `callable(domain) -> dict`. The callable form derives values from
+- **`EXTRA_ENV`** — a dict **or** a `callable(ctx) -> dict`. The callable form derives values from
-  the per-run domain (e.g. `MAIL_DOMAIN`/`HOSTNAMES` for mailu, `SANDBOX_DOMAIN` for cryptpad). Applied
+  the per-run domain (`ctx.domain` — e.g. `MAIL_DOMAIN`/`HOSTNAMES` for mailu, `SANDBOX_DOMAIN` for
-  at every deploy (`abra.env_set`), so a recipe enrolls with NO shared-harness change.
+  cryptpad). Applied at every deploy (`abra.env_set`), so a recipe enrolls with NO shared-harness change.
- **`READY_PROBE(domain) -> [...]`** — readiness signals beyond replica-convergence + the app's
+- **`READY_PROBE(ctx) -> [...]`** — readiness signals beyond replica-convergence + the app's
  `HEALTH_PATH`. Two probe shapes:
  - HTTP: `{"host": "...", "path": "/...", "ok": (200,)}` (e.g. lasuite-drive collabora WOPI discovery).
  - **TCP**: `{"tcp_host": "127.0.0.1", "tcp_port": 64738, "stable": 3}` — polls a socket connect N
@ -155,20 +162,20 @@ shapes (proven on mumble, mailu, and the SSO-dependent suite):
    service (mumble: the mumble-web sidecar serves HTTP 200 while the voice server on 64738 is still
    rebinding after an upgrade redeploy — the TCP probe gates the backup tier until the voice server is
    actually up). Runs after install AND after the upgrade chaos redeploy.
- **`CHAOS_BASE_DEPLOY = True`** — make the pinned base deploy use `--chaos` (skips abra's clean-tree +
+- **`compose.ccci.yml`** (first-class at `tests/<recipe>/compose.ccci.yml`) — a CI-only compose
-  lint gates, still deploys the explicitly-checked-out pinned version, NOT latest). Needed when an
+  overlay the harness itself copies into the recipe checkout before the base deploy, automatically
-  `install_steps.sh` adds an UNTRACKED file to the recipe checkout (e.g. mumble copies a
+  using `--chaos` for that deploy (the untracked file would otherwise trip abra's pinned-deploy
-  `compose.host-ports.yml` into versions that predate it) — abra's pinned-deploy clean-tree check would
+  clean-tree check). Reference it from `EXTRA_ENV`'s `COMPOSE_FILE`. Minimal, justified fallback
-  otherwise FATA. `abra.recipe_checkout` force-checks-out (`-f`) so the upgrade tier's re-checkout to
+  only (e.g. ghost's 15m `start_period` grace). `abra.recipe_checkout` force-checks-out (`-f`) so
-  PR-head overwrites such overlays cleanly.
+  the upgrade tier's re-checkout to PR-head overwrites such overlays cleanly.
 - **`install_steps.sh`** (auto-discovered at `tests/<recipe>/install_steps.sh`) — runs after
  `abra app new` + EXTRA_ENV + secret-generate, BEFORE the single deploy, with `CCCI_APP_DOMAIN` /
-  `CCCI_APP_ENV` / `CCCI_RECIPE` (and `CCCI_DEPS_FILE` when DEPS are provisioned at install). Use it to
+  `CCCI_APP_ENV` / `CCCI_RECIPE` (and `CCCI_DEPS_FILE` when the recipe declares DEPS — deps are
-  drop a cc-ci-owned compose overlay into the checkout, wire dep-derived env/secrets, etc.
+  always provisioned before the deploy). Use it to wire dep-derived env/secrets, seed config, etc.
 **Non-HTTP protocol tests (mumble).** Reach a TCP service published `mode: host` (via a host-ports
 overlay) at `127.0.0.1:<port>` — cc-ci runs tests on-host (cc-ci-run). mumble ships a stdlib protocol
-client (`tests/mumble/functional/_mumble_proto.py`) doing the real TLS handshake → ServerSync; the
+client (`tests/mumble/custom/_mumble_proto.py`) doing the real TLS handshake → ServerSync; the
 recipe-specific tests assert channel presence and config round-trips (a deploy-set `WELCOME_TEXT`/
 `USERS` value surfaces over the protocol — version-independent, non-vacuous).
@ -227,26 +234,29 @@ RECIPE=<recipe> PR=<n> REF=<sha-or-branch> SRC=recipe-maintainers/<recipe> \
 ```
 tests/lasuite-docs/
-├── recipe_meta.py            # HEALTH_PATH="/", DEPLOY_TIMEOUT=900, EXTRA_ENV(domain) for cold-pull,
+├── recipe_meta.py            # HEALTH_PATH="/", DEPLOY_TIMEOUT=900, EXTRA_ENV(ctx) for cold-pull,
 │                             # DEPS=["keycloak"]  ← Phase 2 dep declaration
-├── ops.py                    # pre_<op> seed hooks (volume marker for backup/restore data-integrity)
+├── install_steps.sh          # wires OIDC env from $CCCI_DEPS_FILE into the single deploy
 ├── ops.py                    # pre_<op>(ctx) seed hooks (volume marker for backup/restore data-integrity)
 ├── test_install.py           # lifecycle install overlay (Playwright frontend SPA load)
 ├── test_upgrade.py           # lifecycle upgrade overlay (marker survives chaos redeploy)
 ├── test_backup.py            # lifecycle backup overlay (marker captured)
 ├── test_restore.py           # lifecycle restore overlay (marker restored to pre-mutation)
 ├── PARITY.md                 # parity-port mapping (P2)
-└── functional/
+└── custom/
    ├── test_health_check.py        # parity port (SOURCE comment cites recipe-info file)
    ├── test_auth_required.py       # specific: /api/v1.0/users/me/ → 401 without auth
    └── test_oidc_with_keycloak.py  # specific: full OIDC flow against the dep keycloak (uses
-                                    # harness.sso primitives + deps_apps["keycloak"])
+                                    # harness.sso primitives + the `deps` fixture)
 ```
 `!testme` on a lasuite-docs PR drives the orchestrator to:
-1. Deploy the per-run keycloak dep (`keyc-<6hex>.ci.commoninternet.net`) and wait healthy.
+1. Provision the per-run keycloak dep (`keyc-<6hex>.ci.commoninternet.net`), wait healthy, write
-2. Deploy lasuite-docs (`lasu-<6hex>.ci.commoninternet.net`).
+   creds to `$CCCI_DEPS_FILE` — BEFORE the recipe deploy.
-3. Run install / upgrade / backup / restore + the 3 functional tests against the shared
+2. Deploy lasuite-docs (`lasu-<6hex>.ci.commoninternet.net`); `install_steps.sh` wires the OIDC
-   deployment (custom tier).
+   env into that one deploy.
 3. Run install / upgrade / backup / restore + the 3 custom tests against the shared
    deployment (custom tier).
 4. Teardown lasuite-docs, then the keycloak dep (LAST), both with verify=True.
 5. Print the run summary; non-zero exit code on any failure (DG4.1 deploy-count mismatch, tier
   FAIL, dep teardown leak — all surfaced).
@ -254,12 +264,13 @@ tests/lasuite-docs/
 ### Other shapes (concrete references)
 - **TCP / voice recipe — `tests/mumble/`**: `recipe_meta.py` (EXTRA_ENV sets
-  `COMPOSE_FILE=compose.yml:compose.mumbleweb.yml:compose.host-ports.yml`, `WELCOME_TEXT`/`USERS`
+  `COMPOSE_FILE=compose.yml:compose.mumbleweb.yml` for the base; `UPGRADE_EXTRA_ENV` adds the
-  markers, `CHAOS_BASE_DEPLOY=True`, `READY_PROBE` TCP 64738), `install_steps.sh` (provides the
+  native `compose.host-ports.yml` at PR-head so 64738 is host-published on latest; private
-  host-ports overlay to older versions), `functional/_mumble_proto.py` + the protocol/config-round-trip
+  `_WELCOME_TEXT_MARKER`/`_MAX_USERS` constants; `READY_PROBE(ctx)` TCP 64738 — phase-aware via
  the live COMPOSE_FILE), `custom/_mumble_proto.py` + the protocol/config-round-trip
  tests, `ops.py`/`test_backup.py`/`test_restore.py` (sqlite P4). See §2.4.
 - **Multi-service, dep-less, in-container functional — `tests/mailu/`**: `recipe_meta.py`
-  (`EXTRA_ENV(domain)` with `TLS_FLAVOR=notls` + `MAIL_DOMAIN`/`HOSTNAMES`/`TRAEFIK_STACK_NAME`),
+  (`EXTRA_ENV(ctx)` with `TLS_FLAVOR=notls` + `MAIL_DOMAIN`/`HOSTNAMES`/`TRAEFIK_STACK_NAME`),
-  `functional/_mailu.py` (flask-CLI helpers), `test_mailbox.py` (create→config-export read-back),
+  `custom/_mailu.py` (flask-CLI helpers), `test_mailbox.py` (create→config-export read-back),
  `test_mail_flow.py` (in-container sendmail→doveadm delivery). No backupbot → P4 N/A (PARITY.md +
  DEFERRED.md). See §2.4.
--- a/docs/recipe-customization.md
+++ b/docs/recipe-customization.md
@ -0,0 +1,396 @@
 # Recipe customization — reference
 Status: REFERENCE — describes the customization system as restructured on branch
 `restructure/recipe-custom` (the "rcust" restructure). The pre-restructure system and its defects
 are documented in this file's history (commit `76a4b6b`, the review spec whose §8 R1–R9 drove the
 restructure); §8 below records how each was resolved.
 Companion docs: `docs/testing.md` (test architecture / tier semantics), `docs/enroll-recipe.md`
 (step-by-step enrollment). This doc is the **complete reference** for the two questions those docs
 answer only partially:
 1. How are custom tests written for a particular recipe?
 2. What are ALL the per-recipe CI settings, where do they live, and who reads them?
 ---
 ## 1. The three customization surfaces
 A recipe customizes its CI through **three distinct mechanisms**:
 | Surface | Form | Examples |
 |---|---|---|
 | **Declarative settings** | Python assignments in `tests/<recipe>/recipe_meta.py` | `DEPLOY_TIMEOUT = 1500`, `HEALTH_PATH = "/api/health"` |
 | **Code hooks** | Callables in `recipe_meta.py`, `ops.py` functions, one shell hook | `def READY_PROBE(ctx): ...`, `pre_upgrade(ctx)`, `install_steps.sh` |
 | **File presence** | A file existing at a discovered path changes behavior | `test_upgrade.py` overlay, `custom/test_*.py`, `compose.ccci.yml` |
 There is additionally a fourth, **operator-facing, local-dev-only** surface: environment variables
 (`CCCI_SKIP_GENERIC*`) that suppress the generic floor at run time (§7). Whatever a run resolves
 from all four surfaces is printed at run start as the **customization manifest** and embedded in
 `results.json` under `"customization"` (§7) — one block answers "what does this recipe customize?".
 ## 2. Zero-config baseline
 A recipe with **no `tests/<recipe>/` directory at all** still gets the full generic floor:
 - deploy base version → INSTALL (generic `assert_serving`: HTTP on `/`, expect 200/301/302)
 - chaos-upgrade to PR head → UPGRADE (generic `assert_upgraded`: version label matches head, converged, serving)
 - BACKUP (generic `assert_backup_artifact`) — iff the recipe's compose files carry
  `backupbot.backup` labels (auto-detected), else N/A
 - RESTORE (generic `assert_restore_healthy`)
 - CUSTOM tier: empty (no custom tests discovered)
 - teardown
 Defaults: `HEALTH_PATH="/"`, `HEALTH_OK=(200,301,302)`, `DEPLOY_TIMEOUT=600`, `HTTP_TIMEOUT=300`.
 Everything in this doc is opt-in deviation from that floor. The cardinal invariant
 (docs/testing.md §1): the generic floor is **always on** and never depends on custom code;
 custom is **additive** by default.
 ## 3. The per-recipe tree — every file that can exist
 Two locations, with precedence and a security gate between them:
 - **cc-ci-owned**: `tests/<recipe>/` in this repo (trusted, maintainer-reviewed)
 - **repo-local**: the recipe repo's own `tests/` dir (PR-author-controlled → **default-deny**,
  consulted only when the recipe is listed in `tests/repo-local-approved.txt` — gate HC2,
  centralized in `runner/harness/discovery.py`)
 ```
 tests/<recipe>/                      # cc-ci side (repo-local mirrors the same shape)
 ├── recipe_meta.py                   # THE config file: registry-validated keys + ctx-hooks (§4)
 ├── test_<op>.py                     # lifecycle overlay assertions, op ∈ install|upgrade|backup|restore (§5.1)
 ├── ops.py                           # pre_<op>(ctx) seed hooks                    (§5.2)
 ├── custom/test_*.py                 # custom tier: parity ports + recipe-specific + UI flows (§5.3)
 ├── install_steps.sh                 # pre-deploy shell hook (the ONLY shell hook) (§5.4)
 ├── compose.ccci.yml                 # CI-only ENVIRONMENTAL compose overlay (all deploys) (§5.5)
 ├── previous/                        # version-specific base-only repair (optional)  (§5.5b)
 │   ├── compose.previous.yml         #   minimal compose to deploy the previous version
 │   └── VERSION                      #   the published version it targets (version-guard)
 └── PARITY.md                        # enrollment contract doc (human-read only)
 ```
 **Placement rule (custom tests):** ALL custom-tier tests live under canonical `custom/`.
 Deprecated `functional/` and `playwright/` aliases are still discovered with a loud warning so
 coverage is not silently lost while recipe trees migrate. A top-level `test_*.py` is a lifecycle overlay (`test_<op>.py`) and nothing else —
 top-level non-lifecycle files are NOT discovered (`discovery.custom_tests`; the lifecycle-name
 exclusion stays as a safety net so a misfiled `test_<op>.py` can never double-run).
 Precedence (machine-docs/DECISIONS.md, implemented in `discovery.py`):
 - lifecycle overlay `test_<op>.py`: repo-local **wins** over cc-ci (same-name collision); the
  generic floor still runs additively alongside.
 - custom tier (`custom/`, plus deprecated alias dirs during migration): **ALL** run, from both
  locations (no collision
  concept).
 - `install_steps.sh`: repo-local > cc-ci, or none.
 - `ops.py` pre-op hook: cc-ci wins; repo-local consulted only if approved.
 - `recipe_meta.py` and `compose.ccci.yml`: cc-ci only — repo-local recipes cannot set CI settings
  or compose overlays (by design; those surfaces stay maintainer-controlled).
 ## 4. `recipe_meta.py` — complete settings reference
 The single settings file. Plain Python, `exec()`d by the harness in exactly ONE place: the
 registry-backed loader `runner/harness/meta.py::load(recipe) -> RecipeMeta`. Every consumer — the
 orchestrator (which loads once and passes the object down), the pytest `meta` fixture, lifecycle,
 deps, canonical, screenshot — reads from that one loaded object.
 **Validation (hard errors at load, before any deploy):**
 - A key is "set" by a top-level ALL-CAPS assignment or `def`. Unknown ALL-CAPS top-level names
  raise `MetaError` listing the unknown name and the nearest registered key (typo gate —
  misspelling `READY_PROBE` can no longer silently disable the probe).
 - Type mismatches raise `MetaError`; callables are accepted only for hook-typed keys.
 - **Underscore-prefixed names (`_FOO`) are recipe-private and exempt** — that's where private
  constants live (e.g. mumble's `_WELCOME_TEXT_MARKER`). Lowercase names (helpers/imports) are
  ignored.
 - Hook callables must have the registered signature (below); a legacy-signature hook raises a
  `MetaError` naming the migration, never a silent `TypeError` mid-run.
 A unit test (`tests/unit/test_meta.py`) loads every `tests/*/recipe_meta.py` through the registry,
 so a typo'd key fails at PR time, not at run time.
 <!-- META-TABLE-START -->
 _This table is GENERATED from the `runner/harness/meta.py` KEYS registry by `scripts/gen-meta-docs.py` — do not edit by hand (a unit test pins the sync)._
 | Key | Type | Default | Meaning |
 |---|---|---|---|
 | `HEALTH_PATH` | `str` | `'/'` | Path probed for serving/health checks (deploy wait + generic `assert_serving`). |
 | `HEALTH_OK` | `tuple[int]` | `(200, 301, 302)` | Acceptable HTTP status codes for health. |
 | `DEPLOY_TIMEOUT` | `int` | `600` | Max seconds to wait for swarm convergence per deploy. |
 | `HTTP_TIMEOUT` | `int` | `300` | Max seconds to wait for HTTP health after convergence. |
 | `BACKUP_CAPABLE` | `bool` | `None` | Override the backup-tier capability auto-detect (compose `backupbot.backup` labels). `False` forces an intentional skip of the backup/restore rung; `True` forces the tier on; unset = auto-detect. |
 | `EXPECTED_NA` | `dict` | `None` | Declare a non-run rung an INTENTIONAL skip: `{rung: reason}` — the level climbs past it; an undeclared non-run rung is *unverified* and blocks the level above it (classification table: machine-docs/DECISIONS.md phase lvl5). Never overrides an exercised pass/fail; the `lint` rung has no escape hatch. Declaring `upgrade` also suppresses the upgrade-tier BASE deploy — the single deploy is the PR head itself — for recipes whose published versions exist but are genuinely undeployable (phase bsky). |
 | `READY_PROBE` | `hook` | `None` | Callable `(ctx) -> [probe, ...]` returning extra readiness probes, run after install AND after upgrade: HTTP `{host, path, ok}` or TCP `{tcp_host, tcp_port, stable}`. |
 | `BACKUP_VERIFY` | `hook` | `None` | Callable `(ctx) -> bool` post-backup data-capture check; `False` re-runs the backup (truncated-dump race guard), retried up to 3 attempts. |
 | `UPGRADE_EXTRA_ENV` | `dict_or_hook` | `None` | Extra `.env` keys applied after the PR-head checkout, before the chaos redeploy (env that exists only at head). Dict, or callable `(ctx) -> dict`. |
 | `EXTRA_ENV` | `dict_or_hook` | `{}` | Extra `.env` keys applied at EVERY deploy (base install AND upgrade old-app). Dict, or callable `(ctx) -> dict` deriving values from the per-run domain (`ctx.domain`). |
 | `DEPS` | `list[str]` | `[]` | Dep recipes deployed/provisioned alongside (e.g. `["keycloak"]`); creds land in `$CCCI_DEPS_FILE`. |
 | `WARM_CANONICAL` | `bool` | `False` | Enroll the recipe in the warm/canonical app system (docs/warm.md): green cold runs on LATEST advance the canonical snapshot. |
 | `SCREENSHOT` | `hook` | `None` | Callable `(page, ctx)` driving Playwright to a safe, credential-free post-login view for the results-card screenshot (default: landing page). |
 | `UPGRADE_SECRET_PREP` | `hook` | `None` | Callable `(ctx)` invoked after UPGRADE_EXTRA_ENV env_set but before `abra secret generate --all` in the upgrade path. Use to pre-insert secrets that `generate --all` would produce with wrong format (e.g. when the .env.sample spec is commented out). |
 <!-- META-TABLE-END -->
 ### 4.1 The uniform hook convention — `HookCtx`
 Every recipe callable takes a single `ctx` argument (`harness/meta.py::HookCtx`, frozen):
 | Field | Meaning |
 |---|---|
 | `ctx.domain` | the app's per-run domain |
 | `ctx.base_url` | `https://<domain>` |
 | `ctx.meta` | the recipe's full `RecipeMeta` |
 | `ctx.deps` | provisioned dep creds (`{dep_recipe: entry}`) or `None` |
 | `ctx.op` | current lifecycle op (`install`/`upgrade`/`backup`/`restore`) or `None` |
 Signatures: `EXTRA_ENV(ctx)`, `UPGRADE_EXTRA_ENV(ctx)`, `READY_PROBE(ctx)`, `BACKUP_VERIFY(ctx)`,
 `SCREENSHOT(page, ctx)`, ops.py `pre_<op>(ctx)`. Dict-valued `EXTRA_ENV`/`UPGRADE_EXTRA_ENV`
 (non-callable) are still fine — only the callable form takes ctx. The loader enforces the
 parameter names at load time (a pre-restructure `(domain)`/`(domain, meta)` hook gets a pointed
 `MetaError`, not a mid-run crash).
 Worked hook examples: cryptpad (`EXTRA_ENV(ctx)` derives `SANDBOX_DOMAIN` from `ctx.domain`),
 mumble (`READY_PROBE(ctx)` TCP voice-port probe, `UPGRADE_EXTRA_ENV(ctx)` adds a head-only compose
 overlay), ghost/discourse (`BACKUP_VERIFY(ctx)` dump-capture check).
 ## 5. Writing custom tests & hooks
 ### 5.1 Lifecycle overlay assertions — `test_<op>.py`
 One pytest file per lifecycle op (`install` / `upgrade` / `backup` / `restore`). The
 **orchestrator performs the op exactly once**; the overlay only *asserts* on the resulting state
 (HC3 op/assertion split — overlays never deploy, never restore, never mutate). The generic floor
 test runs additively against the same state.
 Conventions (see `tests/immich/test_backup.py` etc.):
 - use the `live_app` fixture (asserts `CCCI_APP_DOMAIN` is set, yields the domain)
 - use the `meta` fixture — the recipe's FULL validated `RecipeMeta` (attribute access)
 - use the `op_state` fixture for op context (versions, `snapshot_id`, artifact paths — the
  orchestrator's run-scoped op record; skips with a clear reason outside an orchestrator run)
 - execute in-container checks via `harness.lifecycle.exec_in_app(domain, service, cmd)`
 ### 5.2 Pre-op seed hooks — `ops.py`
 `def pre_<op>(ctx)` callables, imported and called by the orchestrator **before** performing the
 op. This is where data gets seeded so the post-op overlay can assert on it:
 ```python
 # tests/immich/ops.py (pattern)
 def pre_upgrade(ctx):  _psql(ctx.domain, "INSERT ... 'upgrade-survives'")
 def pre_backup(ctx):   _psql(ctx.domain, "INSERT ... 'original'")
 def pre_restore(ctx):  _psql(ctx.domain, "DROP TABLE ci_marker")  # damage, restore must undo
 ```
 Seed → op → assert is the whole pattern: `pre_backup` writes a marker, the orchestrator backs up,
 `pre_restore` destroys it, the orchestrator restores, `test_restore.py` asserts the marker is back.
 ### 5.3 Custom tier — canonical `custom/`
 All custom-tier tests live under `tests/<recipe>/custom/` (discovery: `discovery.custom_tests`;
 the placement rule, §3). Deprecated `functional/` and `playwright/` dirs are still recognized
 with a warning during the migration window. Custom tests run in the CUSTOM tier, after
 restore, against the post-upgrade (PR-head) app. ALL discovered files run — cc-ci's and (if
 HC2-approved) repo-local's, additively.
 Enrollment contract (`docs/enroll-recipe.md`): ≥2 NEW custom tests beyond ports of existing
 upstream checks; ported tests carry `SOURCE:` comments. Browser-driven custom tests get the shared
 browser/harness helpers (`harness.browser`); SSO recipes get `harness.sso`
 (`setup_keycloak_realm` — idempotent, `oidc_password_grant` — provider-pluggable). The documented
 import toolbox for custom tests is `from harness import lifecycle, sso, browser`.
 Tests needing deps use the `deps` fixture (entries expose `.domain` plus the full creds dict) and
 carry `@pytest.mark.requires_deps` — when dep provisioning failed they skip with reason
 `deps-not-ready` and the skip count is reported and FAILS a declared-deps run (F2-11; a green exit
 must not mask an unrun SSO test). Fixtures replace direct `os.environ` reads — after the
 restructure no recipe test parses env by hand.
 ### 5.4 Pre-deploy shell hook — `install_steps.sh`
 The ONLY shell hook. Runs after `abra app new` + `EXTRA_ENV` application + secret generation,
 **before** the single base deploy. For setup that must precede the first deploy: writing extra
 config files into the recipe checkout, editing `.env` beyond simple key=val, and — for recipes
 with `DEPS` — wiring dep-derived OIDC env into the deploy (deps are always provisioned BEFORE the
 deploy; install-time wiring is the only mode, so there is exactly one deploy and no post-deploy
 redeploy hook).
 Env contract: `CCCI_APP_DOMAIN`, `CCCI_RECIPE`, `CCCI_APP_ENV` (path to the app's `.env`), and —
 when `DEPS` is declared — `CCCI_DEPS_FILE` (jq-readable JSON of dep creds/URLs; see
 lasuite-drive/-meet/-docs for the pattern). Must locate the recipe checkout ABRA_DIR-aware:
 `RECIPE_DIR="${ABRA_DIR:-${HOME}/.abra}/recipes/${CCCI_RECIPE}"` (per-run `ABRA_DIR` since the
 concurrency restructure — a hardcoded `~/.abra` writes to the wrong tree).
 Graceful-generic rule: a recipe needing a hook but not shipping one simply fails the generic
 install — a correct reported outcome, not a harness error.
 ### 5.5 CI-only compose overlay — `compose.ccci.yml`
 **First-class:** if `tests/<recipe>/compose.ccci.yml` exists, the harness itself copies it into
 the recipe checkout (ABRA_DIR-aware) before the base deploy and automatically uses `--chaos` for
 that deploy (the untracked file would otherwise trip abra's clean-tree gate). No
 `install_steps.sh` copy boilerplate, no flag to remember (the old `CHAOS_BASE_DEPLOY` ⇄ overlay
 coupling is gone). The overlay is cc-ci-owned only.
 Policy (phase prevb): `compose.ccci.yml` is **ENVIRONMENTAL-only** — node-reality tweaks that must
 apply to EVERY deploy including the PR head (e.g. ghost's 15m `start_period` grace — a literal,
 because abra validates `start_period` before env substitution; discourse's `order: stop-first` for
 the memory-tight upgrade crossover). It MUST NOT carry version-specific image pins or service
 add/drop — those leak onto the head and mask the change under test. Version-specific base repairs go
 in `previous/` (§5.5b). Reference the overlay from `EXTRA_ENV`'s `COMPOSE_FILE` as usual.
 ### 5.5b Previous-version base repair — `tests/<recipe>/previous/`
 > **Prefer NOT to use this — it is a last resort.** The mechanism exists so that, when updating a
 > recipe's tests, you *can* bring up a previous base that won't deploy as-published. But reach for it
 > only after the dynamic base (last-green → main-tip) has genuinely failed to come up. Every `previous/`
 > you add re-introduces the per-version patching treadmill the dynamic base was designed to remove, so
 > the bar is **"the base will not deploy any other way."** Most recipes — including discourse, the case
 > that motivated this — need NONE. When in doubt, don't add one.
 Optional. The MINIMAL config to deploy the *previous (last-green) version* when it can't deploy
 as-published (e.g. an image relocation `bitnami/* → bitnamilegacy/*`, or an era-specific
 service/env). Applied to the **base deploy ONLY** and stripped before the head redeploy, so the PR
 head runs UNMODIFIED.
 - Layout: `tests/<recipe>/previous/compose.previous.yml` (+ a one-line `previous/VERSION` marker
  declaring the published version it targets). Appended to the base deploy's `COMPOSE_FILE`.
 - **Version-guarded:** applied only when the resolved base equals `previous/VERSION`. On a main-tip
  (ref) base or a version mismatch it is **skipped and flagged stale** (`previous/ targets X, base is
  Y — remove it`). After an upgrade PR merges (new last-green), remove the now-stale folder — keep it
  to ~one version, never an accumulating pile.
 - Keep it minimal and add one only where necessary. Most recipes (incl. discourse) need NONE — the
  dynamic base (last-green/main-tip) deploys clean. Symbols: `lifecycle.previous_status` /
  `provide_previous_overlay` / `remove_previous_overlay`.
 ### 5.6 Environment & fixture contract (what custom code can read)
 Pytest fixtures (`tests/conftest.py` — the single fixture file):
 | Fixture | Yields |
 |---|---|
 | `recipe` | the recipe name (`$RECIPE`) |
 | `meta` | the FULL validated `RecipeMeta` (single loader) |
 | `live_app` | the shared deployment's domain (asserts it exists) |
 | `op_state` | the orchestrator's op-context dict (skips cleanly outside a run) |
 | `deps` | `{dep_recipe: entry}` — entries expose `.domain` + full SSO creds |
 Environment (hooks/shell, and approved repo-local code):
 | Var | Set for | Meaning |
 |---|---|---|
 | `CCCI_APP_DOMAIN` | all tests + hooks | the app's per-run domain |
 | `CCCI_BASE_URL` | approved repo-local code | `https://<domain>` |
 | `CCCI_RECIPE`, `CCCI_APP_ENV` | `install_steps.sh` | recipe name, app `.env` path |
 | `CCCI_OP_STATE_FILE` | overlay tests (via `op_state`) | JSON op context (versions, artifacts) |
 | `CCCI_DEPS_FILE` | `install_steps.sh` + harness | JSON dep creds dict |
 | `CCCI_DEPS_READY` / `CCCI_DEPS_NOT_READY_REASON` | custom tier (via `requires_deps`) | gate SSO tests, skip-with-reason |
 ## 6. Run-model context (what the settings plug into)
 One deploy chain per run (full detail: `docs/testing.md` §2):
 ```
 [DEPS? provision deps FIRST → $CCCI_DEPS_FILE]
 deploy BASE (dynamic: last-green → same-version step-back → main-tip → skip; EXTRA_ENV;
             install_steps.sh; compose.ccci.yml [environmental] auto-copied + auto-chaos;
             tests/<recipe>/previous/ [version-specific, base-ONLY] applied if it matches the base)
  → INSTALL tier   (READY_PROBE; generic + overlay asserts)
  → pre_upgrade(ctx) → strip previous/ + chaos-deploy PR HEAD (UPGRADE_EXTRA_ENV)
                       → reconcile stack to head compose (prune services the head dropped)
  → UPGRADE tier   (READY_PROBE; version-label == head_ref)
  → pre_backup(ctx) → backup       (BACKUP_CAPABLE; BACKUP_VERIFY)
  → BACKUP tier
  → pre_restore(ctx) → restore
  → RESTORE tier
  → CUSTOM tier    (custom/; deps via the `deps` fixture)
  → SCREENSHOT (best-effort, never affects the verdict)
  → teardown (deps LAST)
 ```
 Deploy-count guard (DG4.1): exactly `1 + len(DEPS)` deploys per run (chaos redeploys don't
 count); the per-run counter file is keyed by run since the concurrency restructure.
 ## 7. Local iteration, the manifest, and the dev-only escape hatch
 ```
 RECIPE=<recipe> PR=<n> REF=<sha> SRC=recipe-maintainers/<recipe> \
  STAGES=install,upgrade,backup,restore,custom \
  cc-ci-run runner/run_recipe_ci.py
 ```
 (`docs/enroll-recipe.md` §5 for the full loop, including dep teardown caveats.)
 **Customization manifest.** Every run prints, right after meta load + discovery, one block:
 ```
 ===== customization manifest: <recipe> =====
 meta (non-default): DEPLOY_TIMEOUT=1500 DEPS=['keycloak'] EXTRA_ENV='<hook>'
 hooks: ops.py[pre_backup,pre_upgrade](cc-ci) install_steps.sh(cc-ci) compose.ccci.yml(cc-ci)
 overlays: test_backup.py(cc-ci) test_restore.py(repo-local)
 custom tests: custom/=7 (cc-ci)
 env overrides: (none)
 ```
 The same dict is embedded in `results.json` under `"customization"`. It is pure presentation —
 built from the SAME discovery/meta calls the run uses (so it cannot disagree with what executes,
 and it honors the HC2 gate) — and never influences a verdict.
 **Dev-only generic skip.** `CCCI_SKIP_GENERIC=1` (all ops) / `CCCI_SKIP_GENERIC_<OP>=1` (one op)
 suppress the generic floor — a LOCAL-DEV-ONLY escape hatch for iterating on one tier. There is no
 declarative equivalent (the old `SKIP_GENERIC` meta key is deleted). If the env form is active in
 a CI (drone) run, the run prints a loud `!!` warning and the manifest records it.
 ## 8. Restructure outcomes (the review spec's R1–R9)
 How each defect identified in the review spec (commit `76a4b6b` §8) was resolved:
 - **R1 — six divergent meta loaders → RESOLVED.** One registry-backed loader
  (`harness/meta.py::load`), the only `exec()` of `recipe_meta.py`. The orchestrator loads once
  and passes the `RecipeMeta` down; conftest/lifecycle/deps/canonical all read the one object.
 - **R2 — dead `SCREENSHOT` knob → RESOLVED (kept + fixed).** The registry replaced the allowlist
  that orphaned it; the orchestrator path now delivers the hook to `screenshot.py`
  (proven end-to-end by `tests/unit/test_screenshot.py::test_screenshot_reachable_through_real_load_path`).
 - **R3 — 4-key pytest `meta` fixture → RESOLVED.** The fixture returns the full validated
  `RecipeMeta`.
 - **R4 — three config languages → MITIGATED by the manifest** (§7): the surfaces stay (they serve
  different actors), but every run resolves them into one visible block + results key.
 - **R5 — reference-doc drift → RESOLVED.** §4's key table is generated from the registry
  (`scripts/gen-meta-docs.py`); a unit test fails CI on drift; `testing.md`/`enroll-recipe.md`
  point here instead of keeping partial lists.
 - **R6 — silent typos → RESOLVED.** Unknown ALL-CAPS keys and type mismatches are hard
  `MetaError`s; private constants are underscore-prefixed (exempt).
 - **R7 — `compose.ccci.yml` ⇄ `CHAOS_BASE_DEPLOY` coupling → RESOLVED.** The overlay is
  first-class: harness-copied, auto-chaos. The flag is deleted.
 - **R8 — zero-user `SKIP_GENERIC` meta key → RESOLVED (deleted).** Env form remains, documented
  dev-only, loudly flagged in CI runs (§7).
 - **R9 — `recipe_meta.py` is code, not config → REJECTED by decision.** No data/hooks file split:
  registry validation gets the value (typed, validated keys) at lower cost; one file per recipe
  remains the single config place. The expressiveness need is real (cryptpad derives env from the
  per-run domain).
 Also settled in the restructure: install-time deps provisioning is the ONLY mode (the legacy
 post-deploy `setup_custom_tests.sh` machinery and its extra redeploy are deleted); the custom-test
 placement rule (§3); the uniform ctx hook convention (§4.1); the consolidated fixture surface
 (§5.6 — `deps` replaces `deps_apps`+`deps_creds`; dead `deployed`/`deployed_app`/`app_domain`
 fixtures deleted).
 ## 9. File / symbol index
 | Concern | Where |
 |---|---|
 | THE meta loader + key registry + `HookCtx` + `MetaError` | `runner/harness/meta.py` (`load`, `KEYS`, `check_hook_signature`) |
 | Generated key table | `scripts/gen-meta-docs.py` → §4 above (sync pinned by `tests/unit/test_meta.py`) |
 | Customization manifest | `runner/harness/manifest.py` (`build`, `render`), printed by `runner/run_recipe_ci.py` |
 | Overlay/custom/hook discovery + HC2 gate + placement rule | `runner/harness/discovery.py` |
 | HC2 allowlist | `tests/repo-local-approved.txt` |
 | Generic assertions + `BACKUP_CAPABLE` detect | `runner/harness/generic.py` |
 | `compose.ccci.yml` auto-copy + auto-chaos | `runner/harness/lifecycle.py` (`provide_ccci_overlay`, `deploy_app`) |
 | Dynamic upgrade base (last-green → main-tip → skip) | `runner/run_recipe_ci.py` (`resolve_upgrade_base`, `BasePlan`); `runner/harness/lifecycle.py` (`recipe_branch_commit`) |
 | `previous/` discovery + version-guard + base-only apply + head strip | `runner/harness/lifecycle.py` (`previous_status`, `provide/remove_previous_overlay`); `tests/unit/test_previous.py` |
 | `READY_PROBE` consumption | `runner/harness/lifecycle.py` (`wait_ready_probes`) |
 | `EXPECTED_NA` reporting | `runner/harness/results.py` |
 | `SCREENSHOT` consumer | `runner/harness/screenshot.py` |
 | Fixtures (`recipe`/`meta`/`live_app`/`op_state`/`deps`) + F2-11 skip-report | `tests/conftest.py` |
 | Skip-generic env logic (dev-only) | `runner/run_recipe_ci.py` (`_skip_generic`) |
 | Unit tests pinning all of the above | `tests/unit/test_meta.py`, `test_manifest.py`, `test_discovery*.py` |
 | Worked examples | `tests/ghost/` (overlay+compose.ccci.yml), `tests/mumble/` (TCP probe, UPGRADE_EXTRA_ENV, private `_` constants), `tests/lasuite-drive/` (DEPS + install-time OIDC wiring), `tests/immich/` (ops.py seed pattern) |
--- a/docs/results-ux.md
+++ b/docs/results-ux.md
@ -10,12 +10,9 @@ It is the R8 reference for Phase 3 (`plan-phase3-results-ux.md`).
 ---
-## 1. The level ladder (R1)
+## 1. The level ladder (phase lvl5 semantics, operator-decided 2026-06-11)
-Every run earns a single integer **level 0–6**. The ladder is cumulative with **YunoHost
+Every run earns a single integer **level 0–5** over the FIVE essential rungs:
 gap-caps-the-level** semantics: you earn level `L` only if **every rung 1..L was a clean PASS**. The
 first rung that is not a clean PASS — a real **FAIL** *or* genuinely **N/A** for this recipe — stops
 the climb, and `level_cap_reason` records which rung and why.
 | Level | Rung | Earned when |
 |------:|------|-------------|
@ -24,42 +21,52 @@ the climb, and `level_cap_reason` records which rung and why.
 | **L2** | upgrade | previous published version → PR/latest, stays healthy, data intact. |
 | **L3** | backup/restore | seeded data survives backup → wipe → restore. |
 | **L4** | functional | the recipe-specific functional tests pass. |
-| **L5** | integration | SSO/OIDC + cross-app integration tests pass. |
+| **L5** | lint | `abra recipe lint` passes against the exact ref under test. |
 | **L6** | recipe-local | the recipe repo's own `tests/` (D4) pass and are merged. |
-**N/A caps, fairly.** A rung that does not apply to a recipe (only one published version → no
+Each rung has one of FOUR statuses, and the level is:
 upgrade; not backup-capable; no SSO/integration surface; no recipe-local tests) is **N/A**, which
 caps the climb at the rung below it with a recorded reason — it is *not* counted as a failure. This is
 the only fair reading of "a missing lower rung caps the level": e.g. a recipe with **no integration
 surface caps at L4 by definition**, shown as `level_cap_reason = "L5 integration … N/A"`. A stateless
 app whose functional tests pass but which cannot be backed up is honestly capped at **L2** (`"L3
 backup/restore … N/A"`) rather than shown as L4 — understating is safe; overstating is forbidden.
-Worked examples (real runs):
+    level = the highest rung that PASSED, where every rung below it is "pass" or an intentional skip
- `uptime-kuma` — install+upgrade+backup+restore+functional all pass, no SSO surface → **L4**
+
-  (`cap = "L5 integration (SSO/OIDC + cross-app) N/A"`).
+- **pass / fail** — the rung was exercised. A FAIL blocks: no rung above it counts, however green.
- `custom-html-tiny` — stateless, not backup-capable: install+upgrade pass, backup/restore N/A →
+- **skip (intentional)** — the rung *genuinely does not apply*, from a declared or structural fact:
-  **L2** (`cap = "L3 backup/restore (data integrity) N/A"`).
+  not backup-capable (declared), only one published version (no upgrade target), or a declared
  `EXPECTED_NA`. Intentional skips are **climbed past** — a stateless recipe with passing
  functional tests and a clean lint reaches **L5**, not the old "capped at 2".
 - **unver (unverified)** — the rung *should* have run but didn't: infra error, missing tool,
  harness exception, prior-stage abort, timeout. **The level cannot rise above an unverified
  rung** — it blocks exactly like a fail (we never claim what we didn't check). Anything
  unclassifiable defaults to unver (conservative).
 There is **no capping concept** (no `cap_reason`, no `capped`): the per-rung table
 (✔ / ✘ / intentional-skip / unverified) on the card and in `results.json.rungs` is the sole
 carrier of "why isn't this level higher". Worked examples:
 - install ✔, upgrade ✘, backup ✔, functional ✔, lint ✔ → **level 1** (fail blocks).
 - install ✔, upgrade ✔, backup skip (not capable), functional ✔, lint ✔ → **level 5**.
 - install ✔, upgrade ✔, backup unver (harness error), functional ✔, lint ✔ → **level 2**.
 - all four ✔, lint unver (abra missing) → **level 4** (an unverified top rung isn't earned).
 Integration (SSO/OIDC + cross-app) and recipe-local tests are **optional capabilities**, not
 rungs — they never affect the level (SSO remains enforced for the run VERDICT).
 ### How tiers map to rungs (the translation layer)
 `run_recipe_ci.py` holds the run's per-tier results (`install/upgrade/backup/restore/custom`) +
-deps/SSO signals; `runner/harness/results.py::derive_rungs` maps them to the rung-status dict that
+structural signals; `runner/harness/results.py::derive_rungs` maps them to the rung-status dict
-`runner/harness/level.py::compute_level` scores. The mapping (also in `DECISIONS.md`, Phase 3):
+that `runner/harness/level.py::compute_level` scores. The full intentional-vs-unintentional
 classification table for every N/A source is in `machine-docs/DECISIONS.md` (phase lvl5). Summary:
- **install** ← install tier (pass/fail).
+- **install** ← install tier (pass/fail; a non-run is unver — install always applies).
- **upgrade** ← upgrade tier; `skip` → **na** (only one published version).
+- **upgrade** ← upgrade tier; tier skipped with no upgrade target (single published version,
  structural) → skip; declared `EXPECTED_NA` → skip; otherwise unver.
 - **backup_restore** ← backup AND restore tiers both pass → pass; either fail → fail; not
-  backup-capable → **na**.
+  backup-capable (structural/declared) → skip; unverified-while-capable → unver.
- **functional** ← the custom tier minus its SSO tests; a custom failure conservatively fails this
+- **functional** ← the custom tier; a custom failure conservatively fails this rung; no custom
-  rung (we don't split functional-vs-SSO failure → never inflate); no custom tests → **na**.
+  tests is a coverage GAP → unver, unless declared `EXPECTED_NA["functional"]` → skip.
- **integration** ← applies only if the recipe declares deps; pass iff deps wired and SSO verified and
+- **lint** ← the lint executor (`runner/harness/lint.py`): `abra recipe lint` on a pristine
-  custom didn't fail; recipes with no declared deps → **na** (the "caps at L4" rule).
+  scratch clone of the run's recipe tree at the exact tested sha, 60s hard budget, full output in
- **recipe_local** ← the recipe repo's own `tests/` (discovery source `repo-local`) ran and passed;
+  the run artifact `lint.txt`. pass/fail only — when lint can't run the rung is **unver** (never
-  none present → **na**.
+  a silent pass, never an intentional skip). Lint never changes the run verdict.
 The pure scorer is exhaustively unit-tested + fuzz-verified (all 729 rung combinations: level ==
 count of leading consecutive passes, zero inflation).
 ### Invariant flags (shown, not climbed)
@ -77,19 +84,29 @@ build number, or the run's unique app domain for a hand-run). Schema:
 ```json
 {
-  "schema": 1, "run_id": "...", "recipe": "...", "version": "...", "pr": "...", "ref": "...",
+  "schema": 2, "run_id": "...", "recipe": "...", "version": "...", "pr": "...", "ref": "...",
  "finished": 0.0,
-  "level": 4, "level_cap_reason": "L5 integration (SSO/OIDC + cross-app) N/A",
+  "level": 5,
-  "rungs": {"install":"pass","upgrade":"pass","backup_restore":"pass","functional":"pass",
+  "rungs": {"install":"pass","upgrade":"pass","backup_restore":"skip","functional":"pass",
-            "integration":"na","recipe_local":"na"},
+            "lint":"pass"},
  "lint": {"status":"pass","detail":"","rules_failed":[]},
  "skips": {"intentional": {"backup_restore": "not backup-capable (no backupbot labels / declared)"},
            "unintentional": []},
  "stages": [{"name":"install","status":"pass",
              "tests":[{"name":"test_serving","status":"pass","ms":168,"source":"generic"}]}],
-  "results": {"install":"pass","upgrade":"pass","backup":"pass","restore":"pass","custom":"pass"},
+  "results": {"install":"pass","upgrade":"pass","backup":"skip","restore":"skip","custom":"pass"},
  "flags": {"clean_teardown": true, "no_secret_leak": true},
  "screenshot": "screenshot.png", "summary_card": "summary.png"
 }
 ```
 `rungs` carries the four-status vocabulary above; `skips.intentional` maps each intentionally
 skipped rung to its (declared or structural) reason and `skips.unintentional` lists the
 unverified rungs. `lint` carries the L5 rung outcome + failing rule ids; the full
 `abra recipe lint` output is served at `/runs/<run_id>/lint.txt`. Pre-lvl5 artifacts
 (`"schema": 1`, 4-rung ladder, `level_cap_reason`/`level_cap_rung` present, `"na"` statuses)
 are still rendered as-is by the dashboard/card — their stored level is never recomputed.
 Assembly is **best-effort**: a failure to build/write `results.json` is logged but never changes the
 run's exit code (cosmetics never block the pipeline, R7).
--- a/docs/runbook.md
+++ b/docs/runbook.md
@ -32,9 +32,11 @@ curl -s -H "Authorization: Bearer $DT" --proxy socks5h://localhost:1055 \
  from the private mirror origin. All recipe-touching harness calls pass `-C -o` (chaos+offline);
  `recipe_versions`/upgrade use the upstream tags fetched read-only at clone time. If you see this,
  a new abra call is missing `-o`.
- **upgrade stage SKIPPED ("no previous published version"):** the recipe clone has no version tags.
+- **upgrade stage SKIPPED:** the dynamic base resolved to `skip` (phase prevb) — no last-green warm
-  `fetch_recipe` read-only-fetches them from the public upstream (`git.coopcloud.tech/coop-cloud/<r>`);
+  canonical AND no resolvable `main` tip, or `head == main tip` (no predecessor delta), or a declared
-  confirm the upstream has ≥2 tags (`git ls-remote --tags`).
+  `EXPECTED_NA[upgrade]`. The run log prints the exact reason (`upgrade base: kind=skip … SKIP: <reason>`).
  For a recipe that should upgrade from `main`, confirm the per-run clone has `origin/main` (or
  `origin/master`) and that it differs from the PR head (`resolve_upgrade_base` in `run_recipe_ci.py`).
 - **health wait hangs / 502:** the app isn't answering `HEALTH_PATH` yet. Slow apps (keycloak JVM +
  Liquibase, lasuite 9-service) just need time; raise `DEPLOY_TIMEOUT`/`HTTP_TIMEOUT` in
  `recipe_meta.py`. A persistent 502 with services 1/1 = wrong `HEALTH_PATH` (e.g. keycloak needs
--- a/docs/testing.md
+++ b/docs/testing.md
@ -16,12 +16,13 @@ year from now, this is the one rule that should still hold.
  ship as the floor for every recipe. No SSO provider, no external deps, no per-recipe state
  scaffolding — just "does this recipe deploy and lifecycle work?"
 - **Generic must not depend on custom.** A custom test or a custom-tests setup (e.g. SSO/OIDC dep
-  provisioning) **can never be a precondition for the generic tier to pass.** Concretely: the
+  provisioning) **can never be a precondition for the generic tier to pass.** Concretely: deps are
-  orchestrator runs all generic tiers (install → upgrade → backup → restore) against the recipe
+  provisioned BEFORE the single deploy (so `install_steps.sh` can wire OIDC env into that one
-  **alone, with no deps deployed**, then runs the `setup_custom_tests` step (deps + post-deps
+  deploy), but a dep-provisioning failure is **isolated** to the custom tier — the recipe still
-  wiring) only after — and a failure there is **isolated** to the custom tier (tests tagged
+  deploys alone, every generic tier (install → upgrade → backup → restore) runs normally, and
-  `@pytest.mark.requires_deps` skip with reason `"deps-not-ready"`; generic tier reports
+  tests tagged `@pytest.mark.requires_deps` skip with reason `"deps-not-ready"` (a counted,
-  normally). See `cc-ci-plan/plan-sso-dep-testing.md` for the SSO-dep specifics.
+  reported skip — F2-11). A deps failure can never fail or block a generic tier. See
  `cc-ci-plan/plan-sso-dep-testing.md` for the SSO-dep specifics.
 - **Custom tests are the thoroughness layer — and they cost more to maintain.** They're more
  thorough (authenticated APIs, multi-app flows, version-specific browser selectors, helper
  scripts, state-management) and *therefore* take more maintenance: an SSO provider's admin API
@ -47,8 +48,9 @@ once**; the assertion files (generic and overlay) evaluate the *post-op* state a
 op themselves. Asserted every run: **`deploy-count = 1`** (one `abra app new`).
 ```
-deploy ONCE  (base version: the previous published version when an upgrade tier will run and one
+deploy ONCE  (base version, resolved DYNAMICALLY when the upgrade tier runs: last-green (warm
-              exists — so upgrade is a real previous→PR-head; else the target / current PR head)
+              canonical) → target-branch `main` tip → else skip — so upgrade is a real
              predecessor→PR-head; else the target / current PR head. phase prevb)
  → INSTALL    [optional pre_install seed]   then  generic + overlay assertions   (no op)
  → UPGRADE    [optional pre_upgrade seed]   then  abra app deploy --chaos to PR-head      (op once)
                                             then  generic + overlay assertions
@ -113,9 +115,12 @@ repo-local  <recipe-repo>/tests/test_<op>.py     (upstream-authoritative; gated
 Only ONE overlay source wins for a given op (repo-local > cc-ci); the generic floor runs **in
 addition** unless explicitly opted out.
-**Custom (non-lifecycle) `test_*.py`** — any other `test_*.py` (e.g. `test_sso.py`) is **opt-in and
+**Custom (non-lifecycle) tests** — e.g. `custom/test_sso.py` — are **opt-in and additive**:
-additive**: it has no generic equivalent and runs only when present, discovered from both locations
+they have no generic equivalent and run only when present, discovered from both locations
-(repo-local gated by the HC2 allowlist).
+(repo-local gated by the HC2 allowlist). Placement rule: custom tests live under canonical
 `custom/`; deprecated `functional/` and `playwright/` aliases are still discovered with a loud
 warning so old recipe trees are not silently dropped. A top-level `test_*.py` is a lifecycle
 overlay and nothing else (top-level non-lifecycle files are not discovered).
 ### Pre-op seed hooks (per-recipe `ops.py`)
@ -127,35 +132,38 @@ etc.). Since the orchestrator owns the op, overlays place their seed in an optio
 # tests/<recipe>/ops.py
 from harness import lifecycle
-def pre_upgrade(domain, meta):
+def pre_upgrade(ctx):
    # seed a marker before the harness performs the upgrade
-    lifecycle.exec_in_app(domain, ["sh", "-c", "echo upgrade-survives > /path/marker"])
+    lifecycle.exec_in_app(ctx.domain, ["sh", "-c", "echo upgrade-survives > /path/marker"])
-def pre_backup(domain, meta):
+def pre_backup(ctx):
    # establish a known "original" state before the backup op captures it
-    lifecycle.exec_in_app(domain, ["sh", "-c", "echo original > /path/marker"])
+    lifecycle.exec_in_app(ctx.domain, ["sh", "-c", "echo original > /path/marker"])
-def pre_restore(domain, meta):
+def pre_restore(ctx):
    # diverge from the backed-up state so a successful restore is observable
-    lifecycle.exec_in_app(domain, ["sh", "-c", "echo mutated > /path/marker"])
+    lifecycle.exec_in_app(ctx.domain, ["sh", "-c", "echo mutated > /path/marker"])
 ```
 The orchestrator imports `ops.py` in-process (with the recipe dir on `sys.path`, so it can import
-sibling helpers like `kc_admin.py`) and calls `pre_<op>(domain, meta)` immediately before performing
+sibling helpers like `kc_admin.py`) and calls `pre_<op>(ctx)` immediately before performing the
-the op. Then `test_<op>.py` asserts the post-op state. See `tests/custom-html/` (volume marker),
+op — `ctx` is the uniform `HookCtx` every recipe hook receives (`.domain`, `.base_url`, `.meta`,
 `.deps`, `.op` — `docs/recipe-customization.md` §4.1). Then `test_<op>.py` asserts the post-op
 state. See `tests/custom-html/` (volume marker),
 `tests/keycloak/` (admin-API/realm), `tests/matrix-synapse/`, `tests/lasuite-docs/` (psql in the `db`
 service) for worked examples.
-### Opting out of the generic floor
+### Opting out of the generic floor (LOCAL-DEV-ONLY)
-The generic runs additively by default. To skip it (e.g. when an overlay's recipe-specific check
+The generic runs additively by default and there is **no declarative opt-out** — no recipe can
-fully replaces the generic's mechanism check) set, in increasing specificity:
+ship without the floor. For local iteration only (e.g. re-running one tier while developing an
 overlay), two env escape hatches exist:
 - **env `CCCI_SKIP_GENERIC=1`** — skip generic for ALL ops (run-wide).
 - **env `CCCI_SKIP_GENERIC_<OP>=1`** — e.g. `CCCI_SKIP_GENERIC_UPGRADE=1` — skip generic for that one op.
 - **declarative in `recipe_meta.py`** — `SKIP_GENERIC = ["upgrade"]` (per-op) or `SKIP_GENERIC = ["all"]`.
-Opting out is per-recipe and visible in git — not a hidden global. Truthy = `1`/`true`/`yes`/`on`.
+Truthy = `1`/`true`/`yes`/`on`. If either is active in a CI (drone) run, the run prints a loud
 `!!` warning and the customization manifest records it (`docs/recipe-customization.md` §7).
 ## Repo-local trust gate (HC2) — default-deny
@ -194,7 +202,12 @@ server's content volume — without it the generic install fails 404, with it it
 Concretely, the upgrade tier:
-1. base deployment is the **previous published version** (a clean pinned-tag deploy).
+1. base deployment is the **dynamically-resolved predecessor** (phase prevb): last-green (warm
   canonical, pinned-tag deploy) → else the target-branch `main` tip (chaos deploy of the branch
   HEAD — the real predecessor the PR merges onto) → else the upgrade tier is skipped. An optional
   `tests/<recipe>/previous/` supplies version-specific repair to the base ONLY (stripped before the
   head redeploy). (The old explicit `UPGRADE_BASE_VERSION` pin was removed in phase canon §2.G — the
   dynamic last-green/step-back resolution makes it redundant.)
 2. orchestrator captures `head_ref` (preferring `$REF` — the PR head sha; falls back to the recipe
   checkout HEAD for non-PR `!testme`).
 3. on the upgrade tier: re-checkout the recipe to `head_ref` (the prev-tag base deploy reset the
@ -215,12 +228,14 @@ installs and stays 1.
   `tests/custom-html/test_upgrade.py`). Assert the POST-op state — reading app state through
   `lifecycle.exec_in_app` (volume/DB) for data checks, not HTTP. Generic + your overlay both run.
 3. If the overlay needs to seed PRE-op state (data-continuity markers, the backup→restore
-   divergence), drop `tests/<recipe>/ops.py` with `pre_upgrade/pre_backup/pre_restore(domain, meta)`.
+   divergence), drop `tests/<recipe>/ops.py` with `pre_upgrade/pre_backup/pre_restore(ctx)`.
 4. If the recipe needs install-time setup, add `tests/<recipe>/install_steps.sh`.
-5. Set per-recipe knobs (health path, timeouts, opt-out) in `recipe_meta.py`.
+5. Set per-recipe knobs (health path, timeouts) in `recipe_meta.py`.
 6. **Never weaken or skip an assertion to make a run pass** — a red tier is information.
-Per-recipe config (`tests/<recipe>/recipe_meta.py`, all optional):
+Per-recipe config (`tests/<recipe>/recipe_meta.py`, all optional — the COMPLETE key reference is
 the generated table in `docs/recipe-customization.md` §4; unknown keys are hard errors, private
 constants are underscore-prefixed):
 ```python
 HEALTH_PATH = "/realms/master"   # path that returns a healthy status (default "/")
@ -228,8 +243,7 @@ HEALTH_OK = (200,)               # acceptable status codes (default 200/301/302)
 DEPLOY_TIMEOUT = 600             # seconds for services to converge (default 600)
 HTTP_TIMEOUT = 600               # seconds for the app to answer (default 300)
 BACKUP_CAPABLE = True            # override backup-capability auto-detection (default: scan compose)
-EXTRA_ENV = {"KEY": "value"}     # or EXTRA_ENV(domain) -> dict; extra .env keys set at deploy
+EXTRA_ENV = {"KEY": "value"}     # or EXTRA_ENV(ctx) -> dict; extra .env keys set at deploy
 SKIP_GENERIC = ["upgrade"]       # per-recipe declarative opt-out from generic ops ("all" = every op)
 ```
 The harness self-tests for discovery / precedence / the HC2 allowlist live in `tests/unit/` (run:
--- a/flake.nix
+++ b/flake.nix
@ -31,34 +31,36 @@
      ];
    in
    {
-      # Canonical live host target: the Hetzner cc-ci server.
+      nixosConfigurations = {
-      # Use `.#cc-ci` for the current production host.
+        # Canonical live host target: the Hetzner cc-ci server.
-      nixosConfigurations.cc-ci = nixpkgs.lib.nixosSystem {
+        # Use `.#cc-ci` for the current production host.
-        inherit system;
+        cc-ci = nixpkgs.lib.nixosSystem {
-        modules = [
+          inherit system;
-          sops-nix.nixosModules.sops
+          modules = [
-          ./nix/hosts/cc-ci-hetzner/configuration.nix
+            sops-nix.nixosModules.sops
-        ];
+            ./nix/hosts/cc-ci-hetzner/configuration.nix
-      };
+          ];
        };
-      # Legacy Incus VM host definition retained only for historical comparison and fallback.
+        # Legacy Incus VM host definition retained only for historical comparison and fallback.
-      # Do NOT use this target on the live Hetzner server.
+        # Do NOT use this target on the live Hetzner server.
-      nixosConfigurations.cc-ci-incus = nixpkgs.lib.nixosSystem {
+        cc-ci-incus = nixpkgs.lib.nixosSystem {
-        inherit system;
+          inherit system;
-        modules = [
+          modules = [
-          sops-nix.nixosModules.sops
+            sops-nix.nixosModules.sops
-          ./nix/hosts/cc-ci/configuration.nix
+            ./nix/hosts/cc-ci/configuration.nix
-        ];
+          ];
-      };
+        };
-      # Explicit alias for the live Hetzner host. Kept alongside `cc-ci` so the intended host target
+        # Explicit alias for the live Hetzner host. Kept alongside `cc-ci` so the intended host
-      # remains obvious in recovery/migration workflows.
+        # target remains obvious in recovery/migration workflows.
-      nixosConfigurations.cc-ci-hetzner = nixpkgs.lib.nixosSystem {
+        cc-ci-hetzner = nixpkgs.lib.nixosSystem {
-        inherit system;
+          inherit system;
-        modules = [
+          modules = [
-          sops-nix.nixosModules.sops
+            sops-nix.nixosModules.sops
-          ./nix/hosts/cc-ci-hetzner/configuration.nix
+            ./nix/hosts/cc-ci-hetzner/configuration.nix
-        ];
+          ];
        };
      };
      devShells.${system} = {
--- a/machine-docs/BACKLOG-aoeng.md
+++ b/machine-docs/BACKLOG-aoeng.md
@ -0,0 +1,9 @@
 # BACKLOG — phase aoeng
 ## Build backlog
 *(Builder-owned section — Adversary reads only)*
 ## Adversary findings
 *(none yet)*
--- a/machine-docs/BACKLOG-aotest.md
+++ b/machine-docs/BACKLOG-aotest.md
@ -0,0 +1,18 @@
 # BACKLOG — phase aotest
 ## Build backlog
 - [x] Unit tests for: config load + defaults merge, kickoff-template assembly, phase machine
      (advance/idempotent-complete/append-resumes), limit reset-banner parsing, WAITING-UNTIL/stall
      parsing, claude+opencode activity detectors. — `tests/test_unit.py` (51 tests)
 - [x] Isolated live claude smoke through the harness (attach + status + down, cleaned up). —
      `tests/smoke_claude.sh`
 - [x] Isolated live opencode smoke through the harness, dedicated non-4096 port, cleaned up. —
      `tests/smoke_opencode.sh`
 - [x] Test runner: unit always + live smokes when backends available; README documented. —
      `tests/run.sh`, README `## Testing`
 - All items complete at deliverable commit `cdcece9`; gate CLAIMED 2026-06-13T18:56Z.
 ## Adversary findings
 *(none yet — awaiting Builder deliverable)*
--- a/machine-docs/BACKLOG-bsky.md
+++ b/machine-docs/BACKLOG-bsky.md
@ -0,0 +1,18 @@
 # BACKLOG — phase bsky
 ## Build backlog
 - [x] B1: Root-cause diagnosis — inspect recipe compose/entrypoint + actual `:0.4` image vs exact tags on cc-ci (2026-06-11)
 - [x] B2: Upstream research persisted to cc-ci-plan/upstream/bluesky-pds.md (plan repo f395247)
 - [x] B3: DECISIONS.md entry — pin choice (exact 0.4.219 over 0.5.1-main / digest pin), version label bump
 - [x] B4: Mirror PR branch `upgrade-0.3.0+v0.4.219` — compose.yml re-pin + label bump; open PR on recipe-maintainers/bluesky-pds
 - [x] B5: `!testme` on the PR → full lifecycle green (install/health, upgrade-path status justified, backup/restore, functional, L5 lint); record level under de-capped semantics + reconcile expected baseline
 - [x] B6: Screenshot on the green PR run — verify PNG real/representative/credential-free (Read it); SCREENSHOT hook only if needed
 - [x] B7: Claim M1 (root cause + green fix PR + screenshot verified)
 - [ ] B8: Close DEFERRED bluesky entries with pointers; JOURNAL note updating shot-phase N/A disposition
 - [ ] B9: Operator handoff summary in STATUS-bsky.md (what was wrong, what the PR changes, post-merge expectations incl. canonical/warm reseed)
 - [x] B10: Claim M2
 ## Adversary findings
 (Adversary-owned)
--- a/machine-docs/BACKLOG-canon.md
+++ b/machine-docs/BACKLOG-canon.md
@ -0,0 +1,102 @@
 # BACKLOG — phase `canon`
 ## Build backlog (Builder-owned)
 Milestone map → Definition of Done (§5). M1 = machinery + unit tests (Adversary cold-verifies the
 pieces). M2 = proven end-to-end in real CI.
 ### M1 — machinery works locally, each piece proven
 - [x] **M1.1 Tagged-promote gate (§2.A).** Extend `should_promote_canonical` to ALSO require the
      tested head version corresponds to a published release tag. Add a `tagged: bool` param computed
      at the call site (`head_version in recipe_tags(recipe)`); keep the function pure. Untagged head
      → no promote. Unit tests: enrolled+green+cold+not-ref+tagged → True; each missing condition
      (incl. untagged) → False.
 - [x] **M1.2 Release-tag trigger + mirror-sync in the sweep (§2.C/§2.D).** New pure helper
      `sweep_decision(recipe, latest_tag, canon_version)` → `run` | `skip:no-new-version` |
      `skip:never-released`, keyed on `version_key` (NOT commit). Wire `nightly_sweep.sweep()` to, per
      enrolled recipe: (1) faithful mirror-sync main+tags to upstream (reuse open-recipe-pr.sh
      `--reconcile-only`, vendored into the repo for reproducibility); (2) compute latest release tag
      vs canonical; (3) skip or run cold ON THE TAG (checkout tag + `CCCI_SKIP_FETCH=1`). Unit tests
      for `sweep_decision` (new tag → run; equal → skip; older/no tag → skip).
 - [x] **M1.3 Enroll all recipes (§2.B).** Set `WARM_CANONICAL = True` in each of the 21 used-recipes
      `tests/<r>/recipe_meta.py`. Leave fixtures (custom-html-*-bad, concurrency, regression) alone.
 - [x] **M1.4 Hollow-sweep fix (root cause).** Make the deployed sweep read the REAL tests/ + run
      current code: set `CCCI_REPO=/etc/cc-ci` in the sweep service and run `nightly_sweep.py` from
      the checkout (not the store copy). Deploy procedure pulls `/etc/cc-ci` before nixos-rebuild.
 - [x] **M1.5 Weekly timer (§2.F).** `nightly-sweep.nix` `OnCalendar` daily → weekly (one line),
      `Persistent=true` (already set). Low-traffic slot.
 ### M2 — proven end-to-end in real CI
 - [ ] **M2.1 Deploy** the M1 changes: `git -C /etc/cc-ci pull` + `nixos-rebuild switch`; verify host
      health after.
 - [ ] **M2.2 Full sweep run** across the enrolled set on cc-ci: mirrors synced, canonicals promoted
      for green recipes (records with correct version+commit), red recipes left intact, no-new-tag
      recipes skipped. Per-recipe results log captured.
 - [ ] **M2.3 Determinism proof:** run the sweep a SECOND time immediately → every recipe SKIPS
      (latest tag == canonical for all) = clean no-op, no CI rerun.
 - [ ] **M2.4 Tagged-promote proof:** a green run on an UNTAGGED state does NOT promote; a green run
      on a TAGGED release DOES. Construct if the live set doesn't cover it.
 - [ ] **M2.5 Real (non-hollow) timer fire:** after a timer fire, canonicals have ADVANCED (evidence),
      not exit-0 on an empty set.
 - [ ] **M2.6 samever orthogonality:** (a) no new tag (even with untagged commits on main) → SKIP, no
      upgrade-tier run, no promote; (b) new tag → cold-test new tag, canonical(older)→new, promote.
      Show step-back never fires inside the sweep.
 - [ ] **M2.7 Disk budget recorded;** all recipes enrolled (or documented exception in DECISIONS).
 - [ ] **M2.8 §2.G UPGRADE_BASE_VERSION retirement** — after plausible's canonical lands at 3.0.1:
      remove the pin, confirm dynamic base resolves 3.0.1 + passes; if it holds, strip the key
      (meta KEYS, resolver branch, docs, unit tests) + update bluesky-pds comment. Else KEEP with a
      recorded reason in DECISIONS.
 ## Notes
 - Order within M1: M1.1 → M1.2 (depend on version helpers) → M1.3/M1.4/M1.5 (config). Claim M1 only
  when all unit tests green + tree clean + pushed.
 ## Adversary findings
 - [x] **DEFECT-1 [adversary] (M2.2 results-label untrustworthy)** — CLOSED @16:14Z (M2 PASS). The
  production timer fire labels honestly: gitea/bluesky show `GREEN-BUT-PROMOTE-FAILED` (NOT a false
  `PASS (promoted)`), and the 16 `PASS (promoted)` labels each correspond to an on-disk canonical at the
  tested tag (commit==tag re-derived for all 16). Label now derives from the registry, not rc. ↓ orig:
  `nightly_sweep.sweep()` labelled `PASS (promoted)` off `rc==0`, but `promote_canonical` is non-fatal
  (swallows its exception), so a FAILED promote on a green cold run still showed `PASS (promoted)`
  though NO canonical was written. The per-recipe results log (DoD evidence "canonicals actually
  promoted for the greens") was therefore misleading. Repro (run-1 evidence captured): `grep "WC5
  promote failed" _sweep.log` vs `grep "PASS (promoted)" _sweep.log` — failed promotes appeared in
  BOTH. Builder fix f94de22 derives the label from `canonical.read_registry(r).version == latest`
  (PASS / GREEN-BUT-PROMOTE-FAILED / FAIL). **Close only after I re-run the sweep and confirm the
  label matches the on-disk registry for every recipe.**
 - [x] **DEFECT-2 [adversary] (M2.2 promote path failing broadly)** — CLOSED @16:14Z (M2 PASS). The
  faithful-install promote (f94de22) + fresh-seed teardown (ca89d44) + cold-dep lock-release (655a999)
  fixed all 4 failure classes: 16 recipes promote clean (commit==tag re-derived), incl. ghost,
  custom-html-tiny, drone (clean-promoted 11:50 in the post-fix sweep, no 600s timeout). Determinism
  holds: the 2nd sweep SKIPs all 15 promoted-at-latest, only documented exceptions RUN. ↓ orig:
  Run-1: 4 of 5 completed promotes FAILED across 4 modes though cold CI was green — ghost (`abra app
  new` FATA dirty tree), bluesky-pds (missing `pds_plc_rotation_key`), custom-html-tiny (404, no
  seeded index), drone (warm deploy timed out 600s). The bare `abra app deploy` in `promote_canonical`
  lacked the cold install's wiring. Net-new canonical run-1 = 1 (cryptpad). Builder fix f94de22:
  promote now does a faithful install (clean tree → provision deps → `deploy_app` w/ install_steps +
  overlay + ready-probes). **Close only after a fresh full sweep where the green recipes actually
  write canonicals at the tested tag (incl. the 4 failure classes), AND determinism (M2.3) holds
  (run-twice → skip-all).** Note the drone 600s timeout may be node-contention, not wiring — watch it.
 - [x] **DEFECT-3 [adversary] (deployed nightly-sweep.service env missing git-lfs → manual-sweep env ≠
  production-timer env)** — CLOSED @16:14Z (M2 PASS). Fix 2c61f2f prepends the host system PATH so the
  sweep runs recipes in Drone's exact env: `nightly-sweep` ExecStart line 17 byte-matches
  `drone-runner-exec.service` PATH; git-lfs present at `/run/current-system/sw/bin`. Behaviorally proven
  in the REAL timer fire (13:01:01→14:37:22Z, Result=success): `test_lfs_roundtrip PASSED` (gitea flips
  cold-green) and the timer ITSELF re-validated the promoted set under production env — 14 SKIP, custom-html
  advanced 1.11→1.13, no NEW promote failures the manual env hid. Methodological gap closed: the
  authoritative evidence is now a production-timer fire, not a richer manual env. ↓ orig:
 - [historical] **DEFECT-3 (orig text)** — The REAL timer fire (12:34Z, nightly-sweep.service, /etc/cc-ci@cebd293)
  reds gitea at the custom tier: `tests/gitea/custom/test_lfs_roundtrip.py` → `git: 'lfs' is not a git
  command` → level 3/5 → rc=1. Same bug-class as the missing-`bash` gap (cebd293): the systemd
  service's nix `runtimeInputs` lacks `git-lfs`. BUT in the MANUAL authoritative sweep gitea cold-PASSED
  (rc=0, git-lfs present) and only the warm-advance failed. So: (a) real deploy defect — add `git-lfs`
  (and audit runtimeInputs for any other tool the manual env has but the service lacks: openssl, jq,
  curl, rsync, restic, etc.); (b) METHODOLOGICAL — the manual M2.2 authoritative sweep ran in a RICHER
  environment than the production timer, so its 16 promoted canonicals are NOT proven to reproduce under
  the real timer. The DoD is "proven end-to-end in REAL CI (the timer)". Repro: `journalctl -u
  nightly-sweep.service | grep -A40 "sweep: gitea RUN"`. **Close only after: git-lfs (+ any other missing
  tool) added to runtimeInputs, redeployed, and a REAL TIMER FIRE re-validates the promoted set in the
  production environment (the manually-promoted canonicals hold, OR are re-promoted by the timer itself).**
--- a/machine-docs/BACKLOG-cf48.md
+++ b/machine-docs/BACKLOG-cf48.md
@ -0,0 +1,21 @@
 # BACKLOG — phase cf48
 ## Build backlog
 - [x] Confirm session model is `claude-opus-4-8` on the `claude` backend (phase Model Requirement)
 - [x] Read inputs: cfold plan, STATUS-cfold/REVIEW-cfold, STATUS-cf55/REVIEW-cf55
 - [x] Cat 1 — Diff review of `44e0242` line-by-line for coverage loss
 - [x] Cat 2 — Discovery parity: recompute custom-test inventory + cardinal coverage diff vs pre-cfold
 - [x] Cat 3 — Assertion preservation: confirm no weakened/removed/skipped assertions
 - [x] Cat 4 — Old-folder behavior: deprecated-alias + loud-warning live probe
 - [x] Cat 5 — Lifecycle-overlay separation: 0 in custom/, overlays top-level, RUNG name intact
 - [x] Cat 6 — Evidence audit: cfold M2 full-sweep all-20-recipes L5, zero leaks
 - [x] Cat 7 — Cleanliness: clean tree, no stray root/temp files
 - [x] cf55-vs-cf48 agreement note (incl. keycloak sys.path discrepancy cf48 caught)
 - [x] Write review matrix to STATUS-cf48.md + claim M1
 - [ ] Await Adversary M1 + M2 PASS in REVIEW-cf48.md
 - [ ] On M1+M2 PASS with no VETO → write `## DONE` to STATUS-cf48.md
 ## Adversary findings
 _(Adversary-owned — do not edit)_
--- a/machine-docs/BACKLOG-cf55.md
+++ b/machine-docs/BACKLOG-cf55.md
@ -0,0 +1,12 @@
 # BACKLOG — phase cf55
 ## Build backlog
 (Builder-only section — read-only to Adversary)
 - [x] Seed `STATUS-cf55.md` + `JOURNAL-cf55.md`
 - [x] Produce cf55 review matrix and claim M1 (2026-06-13T05:11Z)
 - [x] Await Adversary M1+M2 PASS (2026-06-13T05:13:45Z) — DONE
 ## Adversary findings
 No findings yet.
--- a/machine-docs/BACKLOG-cfold.md
+++ b/machine-docs/BACKLOG-cfold.md
@ -0,0 +1,141 @@
 # BACKLOG — phase cfold
 ## Build backlog
 (Builder-only section — read-only to Adversary)
 - [x] Seed `STATUS-cfold.md` + `JOURNAL-cfold.md`; consume Adversary inbox
 - [x] Record deprecated-folder policy in `DECISIONS.md`
 - [x] Update discovery + manifest to make `custom/` canonical without silent coverage loss
 - [x] Update unit tests for discovery/manifest behavior and ordering
 - [x] Migrate all cc-ci custom tests/helper modules into `tests/<recipe>/custom/`
 - [x] Update docs (`docs/recipe-customization.md`, `docs/testing.md`, `docs/enroll-recipe.md`)
 - [x] Produce M1 coverage-diff proof: discovered custom-test set identical before/after
 - [x] Claim M1 with WHAT/HOW/EXPECTED/WHERE in `STATUS-cfold.md`
 - [x] Await Adversary M1 verdict
 - [x] Build the pre-sweep recipe baseline matrix for M2
 - [x] Run the full real-CI `!testme` sweep and capture recipe-by-recipe evidence
 - [x] Claim M2 only after the sweep is green and zero leaks are confirmed
 ## Adversary findings
 No findings yet. Pre-migration baseline recorded below for reference during M1 verification.
 ### Baseline inventory (pre-migration, 2026-06-11T22:54Z)
 **64 custom test files** across 20 recipes, all in `functional/` or `playwright/` subdirs:
 | Recipe | functional/ | playwright/ | Helper modules |
 |---|---|---|---|
 | bluesky-pds | 4 | 0 | — |
 | cryptpad | 2 | 2 | — |
 | custom-html | 3 | 1 | — |
 | custom-html-tiny | 1 | 0 | — |
 | discourse | 3 | 0 | _discourse.py |
 | drone | 1 | 0 | __init__.py |
 | ghost | 4 | 0 | _ghost.py |
 | hedgedoc | 2 | 0 | — |
 | immich | 3 | 0 | — |
 | keycloak | 3 | 0 | — |
 | lasuite-docs | 5 | 0 | — |
 | lasuite-drive | 3 | 0 | — |
 | lasuite-meet | 3 | 0 | — |
 | mailu | 3 | 0 | _mailu.py |
 | matrix-synapse | 3 | 0 | — |
 | mattermost-lts | 3 | 0 | _mm.py |
 | mumble | 5 | 0 | _mumble_proto.py |
 | n8n | 4 | 0 | — |
 | plausible | 2 | 0 | — |
 | uptime-kuma | 3 | 1 | — |
 | **TOTAL** | **59** | **5** | **6 helper modules** |
 Full file list (64 test files):
 ```
 tests/bluesky-pds/functional/test_account_and_post.py
 tests/bluesky-pds/functional/test_describe_server.py
 tests/bluesky-pds/functional/test_health_check.py
 tests/bluesky-pds/functional/test_session_auth.py
 tests/cryptpad/functional/test_health_check.py
 tests/cryptpad/functional/test_spa_assets.py
 tests/cryptpad/playwright/test_pad_content_roundtrip.py
 tests/cryptpad/playwright/test_pad_create.py
 tests/custom-html/functional/test_content_roundtrip.py
 tests/custom-html/functional/test_content_type_header.py
 tests/custom-html/functional/test_health_check.py
 tests/custom-html/playwright/test_browser_smoke.py
 tests/custom-html-tiny/functional/test_serves_content.py
 tests/discourse/functional/test_create_topic.py
 tests/discourse/functional/test_health_check.py
 tests/discourse/functional/test_site_basic.py
 tests/drone/functional/test_scm_configured.py
 tests/ghost/functional/test_admin_redirect.py
 tests/ghost/functional/test_content_api.py
 tests/ghost/functional/test_health_check.py
 tests/ghost/functional/test_post_roundtrip.py
 tests/hedgedoc/functional/test_branding.py
 tests/hedgedoc/functional/test_health_check.py
 tests/immich/functional/test_asset_processing.py
 tests/immich/functional/test_asset_upload.py
 tests/immich/functional/test_health_check.py
 tests/keycloak/functional/test_create_client_and_use.py
 tests/keycloak/functional/test_health_check.py
 tests/keycloak/functional/test_password_grant_token.py
 tests/lasuite-docs/functional/test_auth_required.py
 tests/lasuite-docs/functional/test_create_doc.py
 tests/lasuite-docs/functional/test_health_check.py
 tests/lasuite-docs/functional/test_oidc_login.py
 tests/lasuite-docs/functional/test_oidc_with_keycloak.py
 tests/lasuite-drive/functional/test_health_check.py
 tests/lasuite-drive/functional/test_minio_storage.py
 tests/lasuite-drive/functional/test_oidc_with_keycloak.py
 tests/lasuite-meet/functional/test_health_check.py
 tests/lasuite-meet/functional/test_meeting_flow.py
 tests/lasuite-meet/functional/test_oidc_with_keycloak.py
 tests/mailu/functional/test_health_check.py
 tests/mailu/functional/test_mailbox.py
 tests/mailu/functional/test_mail_flow.py
 tests/matrix-synapse/functional/test_federation_version.py
 tests/matrix-synapse/functional/test_health_check.py
 tests/matrix-synapse/functional/test_register_and_message.py
 tests/mattermost-lts/functional/test_create_message.py
 tests/mattermost-lts/functional/test_health_check.py
 tests/mattermost-lts/functional/test_multiuser_message.py
 tests/mumble/functional/test_protocol_handshake.py
 tests/mumble/functional/test_server_config_limits.py
 tests/mumble/functional/test_tcp_health.py
 tests/mumble/functional/test_web_client.py
 tests/mumble/functional/test_welcome_text_roundtrip.py
 tests/n8n/functional/test_health_check.py
 tests/n8n/functional/test_login_state.py
 tests/n8n/functional/test_rest_settings.py
 tests/n8n/functional/test_workflow_roundtrip.py
 tests/plausible/functional/test_health_check.py
 tests/plausible/functional/test_event_tracking.py
 tests/uptime-kuma/functional/test_health_check.py
 tests/uptime-kuma/functional/test_socketio_handshake.py
 tests/uptime-kuma/functional/test_spa_branding.py
 tests/uptime-kuma/playwright/test_monitor_wizard.py
 ```
 Helper modules also in functional/ dirs (must move to custom/ alongside tests):
 - tests/discourse/functional/_discourse.py
 - tests/drone/functional/__init__.py
 - tests/ghost/functional/_ghost.py
 - tests/mailu/functional/_mailu.py
 - tests/mattermost-lts/functional/_mm.py
 - tests/mumble/functional/_mumble_proto.py
 **String literal audit** — all places that name the FOLDER (not the playwright package):
 - runner/harness/discovery.py:113 — `subdirs = ("functional", "playwright")`
 - runner/harness/manifest.py:55 — comment `# functional | playwright`
 - docs/recipe-customization.md — multiple §5.3 references
 - docs/enroll-recipe.md — multiple references
 - docs/testing.md:117,120 — placement rule
 - tests/unit/test_discovery_phase2.py — creates functional/ and playwright/ dirs
 - tests/unit/test_manifest.py — creates functional/ and playwright/ dirs; asserts `{"functional": 2, "playwright": 1}`
 - tests/unit/test_discovery.py:83,84 — creates functional/ dirs
 NOT to touch (playwright package references, not folder):
 - runner/harness/browser.py (playwright package import)
 - runner/harness/screenshot.py (playwright package import)
 - runner/harness/card.py:232 (playwright package import)
 - level.py, results.py (rung name "functional" — NOT a folder name)
--- a/machine-docs/BACKLOG-conc.md
+++ b/machine-docs/BACKLOG-conc.md
@ -0,0 +1,68 @@
 # BACKLOG — sub-phase conc
 ## Build backlog
 - [x] P1 lock-lifetime hardening: prctl PDEATHSIG + ppid race check + SIGTERM handler →
      teardown funnel + signal.alarm(3600) hard deadline; .drone.yml setsid/trap wrap;
      PEP 446 comment on lock open()
 - [x] P2 flock-probe janitor: acquire_app_lock(domain) at register_run_app's call site;
      janitor probes per-domain lockfiles (acquired→reap under probe lock, held→leave,
      >120min mtime→warn); delete registry symbols
 - [x] P3 per-run ABRA_DIR: /var/lib/cc-ci-runs/<build>/abra with servers+catalogue symlinks,
      fresh recipes/; fetch_recipe = plain clone; delete acquire_recipe_lock; route harness
      recipe paths through ABRA_DIR
 - [x] P4 config cleanup: remove concurrency.limit from .drone.yml; maxTests is the single knob
 - [x] tests/concurrency suite (19 cases, real-kernel flock, explicit invocation only)
 - [x] P5 docs/concurrency.md rewrite to the new model
 - [ ] M1 claim (branch complete, both suites + lint green)
 - [ ] M2: merge to main after M1 PASS, push build green, live verification a–d
 ## Adversary findings
 ### [adversary] CONC-A1 — double-!testme same domain corrupts the shared deploy-count file (M2(c) FAIL)
 **Severity:** blocks M2(c). Both runs of a same-domain double-!testme go RED.
 **Root cause (two coupled defects, one shared root):**
 1. The DG4.1 deploy-counter file is keyed by DOMAIN in the *shared* system tempdir, NOT per-run:
   `run_recipe_ci.py:930  countfile = /tmp/ccci-deploys-<domain>`. P3 isolated `ABRA_DIR` per run
   but this per-run state file was missed — it predates the restructure (ef44d46) and the OLD
   recipe-flock used to serialize same-recipe runs end-to-end, incidentally masking it.
 2. `lifecycle.deploy_app()` calls `_record_deploy()` (lifecycle.py:250) BEFORE
   `acquire_app_lock(domain)` (lifecycle.py:254, introduced by P2 b302f3a). So the counter
   increment happens OUTSIDE the serialization window — a second same-domain run bumps the
   shared counter before it ever blocks on the lock.
 **Observed (live, builds 279 + 281, immich PR#2, same domain immi-ad3e33, 2026-06-10T05:04Z):**
 - Lock serialization itself WORKS: 281 logged `== app lock: ... in flight — waiting ==` at 2s,
  then `== app lock: acquired ==` at 194s — exactly when 279 exited (279 finished 05:07:35).
 - 279 RED: `!! deploy-count 2 != 1 (DG4.1 violation)`. The `2` = 281's pre-lock `_record_deploy`
  (fired ~2s, before 281 blocked) polluting the shared counter 279 was actively using.
 - 281 RED: `FileNotFoundError: /tmp/ccci-deploys-immi-ad3e33...` at run_recipe_ci.py:1213 —
  279's end-of-run `os.remove(countfile)` (line 1215) deleted the shared file out from under 281,
  whose single `_record_deploy` had already fired at 2s and never recreates it.
 - Control: isolated immich (build 275, same fixed wrapper) → `deploy-count = 1`, GREEN. So this
  is concurrency-specific, not a pre-existing immich/wrapper issue.
 **Repro:** two `!testme` comments on the same recipe PR (same domain) in quick succession on the
 deployed main harness → both builds RED (one DG4.1 false-violation, one FileNotFoundError).
 **Fix direction (Builder owns):** key the deploy-counter per RUN, not per domain — e.g. put it in
 `/var/lib/cc-ci-runs/<build>/` (alongside the per-run artifacts) or include the build/run id in the
 filename, and export that path via `CCCI_DEPLOY_COUNT_FILE`. Per-run keying fixes BOTH defects at
 once (no cross-run pollution; no shared remove). Moving `_record_deploy()` after `acquire_app_lock`
 alone is INSUFFICIENT — the shared `os.remove`/`FileNotFoundError` collision survives. Add a
 tests/concurrency case: two same-domain runs serialized on the app lock → each sees its own
 deploy-count, neither removes the other's file (this is the gap vs the 19 planned cases — case 4
 serialises acquire but never asserts deploy-count isolation across the two).
 **Closure:** adversary-owned. Re-test the (c) double-!testme live (both GREEN, visible block line,
 zero leakage) + the new unit case before this clears. Only I close it.
 **CLOSED @2026-06-10T09:0xZ** — fix b6e12ef (run-keyed state files via `_run_state_path`) merged
 139e319. Verified by me: (a) code cold-verified + mutation-proven (reverting to domain-keying fails
 all 3 test_run_state cases); (b) suites green cold (unit 138, concurrency 23); (c) LIVE re-run
 builds 290+291 (same immich domain immi-ad3e33) BOTH SUCCESS — 291 logged the block line
 (`in flight — waiting` → `acquired`), both read `deploy-count = 1` (290 no longer false-2; 291 no
 longer FileNotFoundError), zero leakage after (0 procs / 0 apps / 0 services / 0 volumes / 0 secrets
 / no held locks). Full evidence in REVIEW-conc M2(c) PASS.
--- a/machine-docs/BACKLOG-dash.md
+++ b/machine-docs/BACKLOG-dash.md
@ -0,0 +1,17 @@
 # BACKLOG — phase `dash`
 ## Build backlog
 - [x] Root-cause confirmed (Drone 100-build window) + host artifact schema inspected.
 - [x] M1: rewrite `history_for` to source from `/var/lib/cc-ci-runs` local artifacts, newest-first by
      `finished`, capped at HISTORY_CAP, malformed/empty dirs skipped, security/other routes unchanged.
 - [x] M1: unit test for local sourcing (count/order/cap/skip) + full-fixture verify vs real data.
 - [ ] M1: awaiting Adversary PASS in REVIEW-dash.md.
 - [x] M2: deployed. Procedure (host flake source = `/etc/cc-ci` git clone):
      `ssh cc-ci 'git -C /etc/cc-ci pull && systemd-run --no-block --unit=ccci-dash-sw --collect
      --property=Type=oneshot nixos-rebuild switch --flake /etc/cc-ci#cc-ci'`. Content-hash image tag
      rolls dashboard.py change: current deployed `15addbc7bf45` → expected new `11ac2a1e6c07`
      (`sha256sum dashboard/dashboard.py | cut -c1-12`). Then verify live on `/recipe/bluesky-pds`
      (8 runs) + ≥2 recipes, overview + badges still 200, deploy-dashboard active, host health after.
 - [x] M2: retention confirmed — no trim job; does not trim `/var/lib/cc-ci-runs` (record in DECISIONS if a cap needed).
 - [x] DONE: both gates Adversary-PASS in REVIEW-dash.md → write `## DONE` in STATUS-dash.md.
--- a/machine-docs/BACKLOG-drone.md
+++ b/machine-docs/BACKLOG-drone.md
@ -0,0 +1,222 @@
 # BACKLOG — phase drone (drone enrollment with gitea SCM dep)
 **Phase plan:** `/srv/cc-ci/cc-ci-plan/plan-phase-drone-enroll.md`
 ---
 ## Build backlog
 _(Builder's section — Adversary read-only)_
 ### M1 tasks
 - [x] Read plan + Adversary pre-probes
 - [x] Create phase state files (STATUS/JOURNAL/BACKLOG/REVIEW init)
 - [x] Implement `setup_gitea_oauth()` in `runner/harness/sso.py`
 - [x] Extend `_enrich_deps_with_sso` in `runner/run_recipe_ci.py` for gitea
 - [x] Create `tests/gitea/recipe_meta.py`
 - [x] Create `tests/drone/recipe_meta.py`
 - [x] Create `tests/drone/install_steps.sh`
 - [x] Create `tests/drone/functional/test_scm_configured.py` (ADV-drone-01 fixed in 7e7e84d)
 - [x] Create `tests/drone/PARITY.md`
 - [x] Write unit tests for new harness surface (10/10 pass)
 - [x] Harness run 5 GREEN — deploy-count 2/2 (DG4.1 PASS), level=5, install+upgrade+custom PASS
 - [x] Claim M1 — Adversary PASS @2026-06-11T22:22Z (commit `3de5925`)
 ### M2 tasks (after M1 PASS)
 - [x] Mirror drone + gitea on git.autonomic.zone (for !testme CI path)
 - [x] Open !testme PR for drone recipe — PR #1 `testme-1.9.0-cc-ci` @ recipe-maintainers/drone
 - [x] CI run via !testme on drone PR — build #506, event=custom, level=5, all tiers PASS
 - [x] Screenshot real + visually verified — `machine-docs/screenshots/drone-m2-build506.png`
 - [x] Level recorded — level=5
 - [x] DEFERRED updated — Adversary §7.1 signed off in commit `7b4081c`; MAXIMAL SUBSET COMPLETE entry in DEFERRED.md
 - [x] Operator summary written — see STATUS-drone.md ## DONE
 - [x] Claim M2 — Adversary M2 PASS @2026-06-11T22:30Z (commit `7b4081c`). Phase drone DONE.
 ---
 ## Adversary findings
 ### ADV-drone-01 [adversary] test_scm_configured follows all redirects — assertion always fails
 **Filed:** 2026-06-11T21:37Z  
 **Severity:** CRITICAL — SCM-configured test is always failing, even for a correctly wired drone
 **Defect:** `tests/drone/functional/test_scm_configured.py::test_login_redirects_to_gitea_dep`
 uses `urllib.request.urlopen(req, context=ctx)` which follows ALL redirect hops. The redirect
 chain for a correctly-wired drone is:
 1. `GET /login` → 303 → `https://<gitea-dep>/login/oauth/authorize?client_id=...&...`
 2. Gitea (unauthenticated user) → 302 → `https://<gitea-dep>/user/login?redirect_to=...`
 3. Final: `https://<gitea-dep>/user/login` (200 OK)
 The test asserts `parsed.path == "/login/oauth/authorize"` but `final_url` is `/user/login`.
 **The assertion ALWAYS fails even when drone is correctly wired.**
 **Verified:** reproduced against the live drone.ci.commoninternet.net:
 ```
 python3 -c "
 import ssl, urllib.request, urllib.parse
 ctx = ssl.create_default_context(); ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE
 req = urllib.request.Request('https://drone.ci.commoninternet.net/login', method='GET')
 with urllib.request.urlopen(req, timeout=30, context=ctx) as resp:
    print(resp.geturl())
 # → https://git.autonomic.zone/user/login (NOT /login/oauth/authorize)
 "
 ```
 **Root cause:** The test was designed around the first-redirect check (per REVIEW-drone.md
 pre-probe) but implemented as a follow-all check. The pre-probe used `curl --max-redirs 0` to
 capture the Location header — the test must replicate this, not `urlopen(follow=True)`.
 **Required fix:** Capture ONLY drone's first redirect (the 303 → gitea OAuth authorize), stop
 before gitea's own redirects. One correct pattern:
 ```python
 class _CaptureOneRedirect(urllib.request.HTTPRedirectHandler):
    def http_error_302(self, req, fp, code, msg, headers):
        raise urllib.error.HTTPError(req.full_url, code, msg, headers, fp)
    http_error_303 = http_error_302
 opener = urllib.request.build_opener(
    _CaptureOneRedirect(),
    urllib.request.HTTPSHandler(context=ctx),
 )
 try:
    opener.open(f"https://{live_app}/login", timeout=30)
    pytest.fail("Expected redirect from /login but got 200")
 except urllib.error.HTTPError as e:
    if e.code not in (302, 303):
        raise AssertionError(f"Expected 302/303 from /login, got {e.code}")
    redirect_url = e.headers.get("Location") or e.headers.get("location", "")
 parsed = urllib.parse.urlparse(redirect_url)
 # now check parsed.netloc == gitea_domain and parsed.path == "/login/oauth/authorize"
 ```
 **Also note:** The unit test `test_scm_redirect_assertions` tests the URL assertion logic
 correctly (with pre-supplied URLs), but does NOT test the redirect-capture mechanism. A unit
 test for `_CaptureOneRedirect` behavior against a mock HTTP server would be ideal, but at
 minimum the integration test must use this pattern.
 **Repro steps:**
 1. Deploy a correctly-wired drone (with gitea dep, compose.gitea.yml, DRONE_GITEA_CLIENT_ID set)
 2. Run `test_login_redirects_to_gitea_dep` 
 3. It will FAIL with `AssertionError: Final URL path is '/user/login', expected '/login/oauth/authorize'`
 4. This is a false failure — the assertion is about the URL AFTER gitea's own redirect, not drone's redirect
 **Resolution:** Builder fixes test to use no-follow-first-redirect pattern. Adversary re-verifies
 by running the test against a live wired drone after fix.
 - [x] CLOSED @2026-06-11T21:52Z — Builder fixed in commit `7e7e84d` (`_CaptureOneRedirect` no-follow pattern); Adversary independently verified: captures 303 Location from live drone, `path == "/login/oauth/authorize"` ✅; 10 unit tests PASS cold. [Note: Builder ticked this — Adversary owns Adversary findings per §6.1; recording explicit Adversary close here.]
 ---
 ### ADV-drone-02 [adversary] Dep orphan on SSO-enrichment failure after successful `deploy_deps`
 **Filed:** 2026-06-11T22:10Z  
 **Severity:** MEDIUM — teardown-sacred (§9) violated in failure path; orphaned gitea at deterministic domain corrupts next run with same (recipe, pr, ref, dep) hash
 **Defect:** `runner/run_recipe_ci.py::main()` initialises `deps_state = {}` (line 1015). Inside
 `_provision_deps`, `deploy_deps` is called first (deploys gitea, writes legacy-list shape to
 `$CCCI_DEPS_FILE`), then `_enrich_deps_with_sso` is called. If `_enrich_deps_with_sso` raises
 (e.g. `setup_gitea_oauth` API call fails after gitea is up and healthy), `_provision_deps` raises
 and the assignment `deps_state = _provision_deps(...)` (line 1034) never completes. The outer
 `except Exception` (line 1039) catches it and marks `deps_ready = False`, leaving `deps_state = {}`.
 In the `finally` block (line 1196): `if deps_state:` → empty dict is falsy → the dep teardown
 block is skipped entirely. **The gitea container and its volumes are orphaned.**
 **Failure path:**
 ```
 deploy_deps(...)         # gitea deployed + healthy; writes [{recipe:gitea, domain:gite-...}] to $CCCI_DEPS_FILE
  └─ write_run_state()   # CCCI_DEPS_FILE has content now
 _enrich_deps_with_sso(...)
  └─ setup_gitea_oauth() # RAISES (API failure, gitea not ready yet, etc.)
 _provision_deps() raises
 deps_state = {}          # assignment never completed
 ...
 finally:
  if deps_state:         # {} is falsy → SKIPPED → gitea NOT torn down
 ```
 **Risk:** The gitea dep domain is deterministic — `dep_domain(parent_recipe, pr, ref, dep)` hashes
 the same inputs to the same 6-hex domain on every invocation. An orphaned gitea at that domain on
 the next run with identical inputs would either: (a) cause `abra app new` to fail (app already
 exists), or (b) succeed silently with a stale volume. `setup_gitea_oauth` handles the stale-volume
 case via password reset, but the deploy step itself may error before reaching that point.
 **Note:** `deploy_deps` (deps.py:104-109) tears down a dep immediately if its readiness check
 fails. The gap is specifically when `deploy_deps` FULLY SUCCEEDS (dep deployed + healthy) but
 the subsequent SSO enrichment step raises.
 **Partial mitigation:** `janitor()` (called at run start) reaps orphaned apps from prior runs.
 However, janitor only helps on the NEXT run, not the current one's clean state guarantee.
 **Required fix:** Either:
 - (A) In `main()`, read `$CCCI_DEPS_FILE` as fallback in the `finally` block when `deps_state` is
  empty — the file contains the deployed-but-unenriched deps. Tear those down via `teardown_deps`.
 - (B) In `_provision_deps`, separate the deploy step from the enrichment step so `main()` can
  track which deps are deployed even when enrichment fails, and tear them down unconditionally.
 - (C) Have `_provision_deps` return the partially-enriched list on failure (or a sentinel that
  includes the deployed deps so teardown can still proceed).
 - [x] CLOSED @2026-06-11T22:22Z — Builder fixed in commit `0aa46db` (Option A: else-branch fallback in main() finally block reads $CCCI_DEPS_FILE via load_run_state() and calls teardown_deps on cold entries). Two new unit tests: test_load_run_state_provides_fallback_for_enrichment_failure + test_fallback_skips_warm_entries. 19/19 PASS. Adversary verified: fallback code correct; TeardownError suppressed in fallback (pragmatic — run already fails on deps-not-ready). Teardown-sacred §9 satisfied. CLOSED.
 ---
 ### ADV-drone-03 [adversary] DG4.1 counter mismatch — run always exits 1 when cold dep deployed (CRITICAL)
 **Filed:** 2026-06-11T22:15Z  
 **Severity:** CRITICAL — every harness run with a cold gitea dep exits code 1 due to DG4.1
 violation, even when all tiers pass and level=5 is achieved.
 **Observed in Builder's run 4 (PID 2105952, /tmp/drone-m1-run4.log):**
 ```
 !! deploy-count 1 != 2 (DG4.1 violation)
 deploy-count = 1 (expect 2)
  deps deployed: ['gitea']
 results.json written: /var/lib/cc-ci-runs/manual/results.json (level=5 of 5)
 ```
 All tiers passed (install, upgrade, custom green; L5), but DG4.1 sets `overall = 1` → exit code 1 → CI FAIL.
 **Root cause:** Internal contradiction between two parts of `deps.py`:
 1. **Module docstring (line 19-20):** `"Dep deploys DO count toward the DG4.1 deploy-count
   invariant. The formula in run_recipe_ci.py is expected_deploy_count = 1 + deps_deployed_count,
   so each dep deploy increments the counter."`
 2. **`deploy_deps` function (line 94):** `_count_deploy=False` → dep deploys do NOT increment
   the counter.
 The formula in `run_recipe_ci.py` (line 1252) uses `expected = 1 + deps_deployed_count = 2`.
 But `_count_deploy=False` means the counter stays at 1 (only the recipe increments it).
 Result: `actual=1 != expected=2` → DG4.1 fires.
 **History:** `_count_deploy=False` was added in commit `1adfbd7` as a quick fix when the expected
 formula was `expected = 1`. Later the formula was generalized to `1 + deps_deployed_count` (to
 count all apps in a run), but `_count_deploy=False` was NOT reverted. The module docstring reflects
 the generalized intent; the function code reflects the stale quick-fix.
 **Required fix:** In `deps.py:deploy_deps` (line 94), remove or revert `_count_deploy=False`:
 ```python
 # Before (wrong):
 lifecycle.deploy_app(dep, domain, ..., _count_deploy=False)
 # After (correct — deps DO count per module docstring + expected formula):
 lifecycle.deploy_app(dep, domain, ...)  # _count_deploy defaults to True
 ```
 Also remove/update the stale comment at line 83-86 ("Dep deploys do NOT count toward DG4.1...").
 **Also fix:** The comment in `deploy_deps` at lines 83-86:
 ```python
 # Dep deploys do NOT count toward the DG4.1 "one deploy per run" invariant — that
 # contract covers the recipe-under-test only; each dep is a supporting service, not the
 # subject of the test. Pass _count_deploy=False so the main recipe's single-deploy
 # assertion isn't distorted by the number of deps declared.
 ```
 This is now wrong. Replace with: "Dep deploys DO count toward DG4.1 (see module docstring);
 `expected_deploy_count = 1 + n_cold_deps`."
 - [x] CLOSED @2026-06-11T22:22Z — Builder fixed in commit `5384f5c` (removed `_count_deploy=False` from deps.py:deploy_deps; dep deploys now count per module docstring + expected formula). Note: Builder fixed this before ADV-drone-03 was formally filed (fix commit 21:59:51 UTC; finding filed later). Run 5 confirms: deploy-count = 2 (expect 2) → no DG4.1 violation. CLOSED.
--- a/machine-docs/BACKLOG-dstamp.md
+++ b/machine-docs/BACKLOG-dstamp.md
@ -0,0 +1,73 @@
 # BACKLOG — phase `dstamp`
 ## Build backlog (Builder-owned)
 - [x] Read phase plan + plan.md §6.1/§7/§9 + Adversary prep notes + stamp-relevant harness code.
 - [x] Establish abra's chaos-version mechanism from abra source @06a57de (= pinned binary).
 - [x] Rule out abra-version drift (constant store path since nixos system-4, 2026-06-01).
 - [x] Minimal reproductions of the git/abra chaos-version path (cp-a; go-git base; mirror-faithful)
      — all stamp the CORRECT head 7ae7b0f7, NO drift in current host state.
 - [x] Timeline: run 184 (06-05, solo) green @7ae7b0f; clustered 06-10/06-11 runs drift @ same ref.
 - [x] Identify shared-stack collision vector (`app_domain` = hash(recipe|pr|ref); upgrade
      chaos_redeploy bypasses app-domain flock).
 - [x] Isolated real runs (repro1–4) + direct UpdateStatus/PreviousSpec capture → root cause attributed.
 - [x] Concurrency REFUTED (solo repro1/4 reproduce). Mechanism = swarm `failure_action:rollback`
      reverts the chaos-version label (direct evidence repro4: Spec=7ae7b0f7+U→PreviousSpec=eb96de9+U).
 - [x] 06-05→06-10 change = rcust-phase heavier resident host load → start-first new task reliably OOMs → rollback every run (solo 06-05 run 184 didn't; my repro2 didn't either).
 - [x] Blast-radius: only discourse affected (keycloak/n8n have the policy but upgrade PASS L4 across runs; drone/traefik infra). General harness guard covers all.
 - [x] Restore discourse to its true level in real CI via the drone `!testme` path (M2): build #450 = LEVEL 5, all tiers PASS (install/upgrade/backup/restore/custom), clean teardown, no leak; PR#2 ✅ passed. fix1+fix2+450 = 3 consecutive green with the fix.
 - [~] HC1 teeth: code unchanged (generic.py:174-175) + assert_upgrade_converged RED on rollback (repro1/4). Live negative test = Adversary's M2 verification.
 - [x] Closed the DEFERRED.md dstamp re-entry with pointers (✅ RESOLVED).
 ## Adversary findings
 <!-- Adversary-owned. Do not edit above this line in this section. -->
 **Root cause independently confirmed @2026-06-11T17:3x (JOURNAL not read, anti-anchoring preserved):**
 Docker Swarm `failure_action: rollback` + `order: start-first` in discourse's `compose.yml` app
 service (BOTH `eb96de94` base AND `7ae7b0f` PR-head). On the upgrade chaos redeploy, `start-first`
 runs OLD + NEW tasks co-resident (~2× memory); the heavy Rails/precompile app fails swarm's 5s
 update monitor under host memory pressure → rollback fires → app service spec reverts to
 PreviousSpec (`chaos-version=eb96de94+U`). Because `start-first` kept the OLD task serving,
 `wait_healthy` passed; `deployed_identity` read the rolled-back spec; HC1 misreported it as
 "stamp mismatch" (the real failure was "new task failed the update monitor").
 `services_converged` blind spot: `"rollback_completed"` not in blocking states → returned True.
 Evidence: `docker service inspect disc-ae10f0_..._app` confirmed `UpdateConfig: {On failure:
 rollback, Order: start-first, Monitoring Period: 5s}`. repro1 (isolated, no concurrency) ALSO
 showed drift → pure-concurrency hypothesis REFUTED independently before reading Builder evidence.
 abra exonerated: abra reads `git HEAD = 7ae7b0f` and stamps `7ae7b0f7+U` CORRECTLY. Three
 bail-at-secrets repros + repro2 debug line confirm. The `+U` comes from `compose.ccci.yml` as
 untracked file in per-run recipe dir (rcust-era overlay absent from run 184's pre-rcust path).
 Fix 0cc31a5 assessed CORRECT: overlay sets `order: stop-first` (eliminates OOM 2×-memory
 trigger); `lifecycle.assert_upgrade_converged` closes the wait_healthy blind spot by catching
 `"rollback_completed"|"rollback_paused"|"paused"` and failing HONESTLY. HC1 unchanged.
 Minor race window in `assert_upgrade_converged` (first poll could see "none" before Docker
 starts the roll) is covered: with stop-first, a post-race rollback also fails `wait_healthy`.
 No blocker. Formal verdict awaits Builder's `claim(dstamp)` commit.
 **Blast-radius sweep @2026-06-11T17:4x:**
 All 24 enrolled recipes swept for `failure_action: rollback` + `order: start-first` in `compose.yml`:
 | Recipe    | failure_action | order       | ccci overlay | upgrade tests | recent upgrade | risk |
 |-----------|---------------|-------------|--------------|---------------|----------------|------|
 | discourse | rollback      | start-first | YES (fixed)  | yes           | FIXED          | fixed |
 | drone     | rollback      | start-first | no           | NO tests      | n/a            | latent, no CI exposure |
 | keycloak  | rollback      | start-first | no           | yes           | PASS L4        | latent, low (JVM, lighter than Rails) |
 | n8n       | rollback      | start-first | no           | yes           | PASS L4        | latent, low (Node.js) |
 | traefik   | rollback      | STOP-first  | no           | no            | n/a            | SAFE |
 | all others | none or absent | —          | —            | —             | —              | not at risk |
 `assert_upgrade_converged` (added in 0cc31a5) provides a general harness backstop: if any
 recipe's rolling update rolls back or pauses, the upgrade is failed HONESTLY for all recipes
 — not just discourse. So keycloak/n8n are already covered by the harness fix even without
 overlay changes.
 Recommended overlay addition for keycloak if/when OOM symptoms appear:
 `deploy.update_config.order: stop-first` (same pattern as discourse). Not urgent — current
 host load shows no rollback symptom for keycloak/n8n and they're lighter apps than discourse.
 drone has no upgrade tier in cc-ci; no action needed there.
--- a/machine-docs/BACKLOG-ghost.md
+++ b/machine-docs/BACKLOG-ghost.md
@ -0,0 +1,18 @@
 # BACKLOG — phase ghost
 ## Build backlog
 - [x] Inventory PR/branch/comment/build state — done (see STATUS-ghost.md)
 - [x] Trigger fresh post-proxy !testme on PR#4 (d88f5801) — triggered 06:12Z, PASSED build #612 level 5/5
 - [x] Watch run, collect logs — all 5 tiers passed
 - [x] Document infra-confounded prior failures; operator comment posted on PR#4
 - [x] Close PR#3 (superseded) — closed with comment
 - [x] Close PR#5 (cfold probe artifact) — closed with comment
 - [x] Claim M1 — CLAIMED 2026-06-13T06:35Z, awaiting Adversary PASS
 - [x] Claim M2 — CLAIMED 2026-06-13T06:35Z, awaiting Adversary PASS
 ## Adversary findings
 - [x] [adversary] **[A1] Build #585 must NOT be used as the "clean post-proxy pass"** — it ran pre-proxy (03:59Z vs proxy fix at 05:38Z) and tested PR#5 (cfold probe), not PR#4. A genuine post-proxy !testme on PR#4 is required for M1. @2026-06-13T06:22Z — **CLOSED: Builder used build #612 (post-proxy, 06:13Z), not #585. M1 PASS @06:38Z**
 - [x] [adversary] **[A2] `update_config.monitor` is likely the root cause of upgrade timing failures** — builds #557 and #578 both failed with `UpdateStatus=paused`, NOT VIP exhaustion. @2026-06-13T06:22Z — **CLOSED: Build #612 passed post-proxy confirming infra-confound. Operator comment explains MySQL timing under load. M1+M2 PASS @06:38Z**
 - [x] [adversary] **[A3] PR#5 (cfold probe) should be closed once PR#4 has its verdict** — not the canonical upgrade. @2026-06-13T06:22Z — **CLOSED: PR#5 closed (verified). M2 PASS @06:38Z**
--- a/machine-docs/BACKLOG-gtea.md
+++ b/machine-docs/BACKLOG-gtea.md
@ -0,0 +1,177 @@
 # BACKLOG — phase gtea (gitea full-test enrollment)
 ## Build backlog
 (Builder-owned — read-only to Adversary)
 - [x] 0. Prerequisites verified (timezone, recipe, backup labels)
 - [x] 1. Write all gitea test files (recipe_meta.py + ops.py + lifecycle overlays + custom + PARITY.md)
 - [x] 2. Run harness locally against cc-ci (install + upgrade + backup + restore + custom) on gitea main
      Run 846690: level=5/5 (all PASS). Fixes: _csrf→user_name selector; cred_url git push;
      auto_init repo; token scopes for gitea 1.22+; NixOS git-lfs deploy.
 - [x] 3. Confirm drone CI stays green (dep path unaffected by recipe_meta.py changes)
      Unit tests pass (10/10 gitea dep + 43/43 meta). Drone dep path byte-for-byte unchanged.
 - [x] 4. Verify LFS test correctly skips on main (compose.lfs.yml absent)
      SKIPPED with expected message in run 846690. PASS.
 - [x] 5. CLAIM M1 — ADVERSARY PASS @2026-06-15T20:32Z (commit a106036)
 - [~] 6. Run full harness via real CI / !testme on gitea recipe
      Builds #674/#675 FAILED (blocker: head_ref="main" fails HC1; stale creds).
      FIXED in commit a121d2c. Retriggered as build #681 (RECIPE=gitea REF=main PR=0) @21:00Z
 - [~] 7. Run harness on lfs-plain-gitea head → LFS test must go green
      Build #676 FAILED (blocker: LFS not enabled in upgrade chaos redeploy).
      FIXED in commit a121d2c. Retriggered as build #682 (PR=1 REF=357926f2) @21:00Z
 - [x] 8. Post !testme on PR #1 so result lands in PR
      DONE (posted 20:34Z, build #676, PENDING; re-triggered as #682)
 - [x] 9. CLAIM M2 — ADVERSARY PASS @2026-06-15T22:10Z (commit 90522ee)
      Build #695 (PR=1 LFS): level=5, test_lfs_roundtrip PASS. Build #692 (drone): level=5.
 - [x] 10. Write ## DONE — STATUS-gtea.md updated; phase complete.
 ## Adversary findings
 (Adversary-owned — only the Adversary writes this section)
 ### [critical — M2 blocker] LFS test fails in run 676 @2026-06-15T20:36Z
 Drone build 676 (RECIPE=gitea, PR=1, REF=357926f2): all lifecycle stages PASS but
 custom FAIL — `test_lfs_roundtrip` fails at `git push` with:
 ```
 batch response: Repository or object not found:
 https://ci_admin:<passwd>@gite-e1cb78.ci.commoninternet.net/ci_admin/ci-lfs-test.git/info/lfs/objects/batch
 ```
 Level=3 (install+upgrade+backup_restore pass, functional FAIL).
 Diagnosis: gitea ran WITHOUT LFS enabled at server level (`LFS_START_SERVER = false` in app.ini).
 `_lfs_available()` returned True (compose.lfs.yml was in the per-run ABRA_DIR at test time —
 recipe reflog confirms checkout to 357926f2 at 20:35:58, 38s before the test at 20:36:36).
 Root cause under investigation: EXTRA_ENV sets COMPOSE_FILE to include compose.lfs.yml when
 `_lfs_enabled()` is True. But the upgrade tier's abra base-deploy internally checks out
 `3.5.2+1.24.2-rootless` tag in the recipe dir (reflog: 20:35:37) removing compose.lfs.yml, then
 harness re-checkouts 357926f2 at 20:35:58. Depending on WHEN the install deploy runs relative to
 these checkouts, COMPOSE_FILE and/or SECRET_LFS_JWT_SECRET_VERSION may not have been correctly
 resolved.
 Most likely cause: compose.lfs.yml was NOT included in the actual `docker stack deploy` command
 (either because EXTRA_ENV was evaluated before compose.lfs.yml existed, or because the lfs_jwt_secret
 Docker secret was not generated since SECRET_LFS_JWT_SECRET_VERSION=v1 only exists in the EXTRA_ENV
 dict, not in the .env FILE that `abra secret generate` reads).
 Builder must: reproduce locally with RECIPE=gitea, PR=1, REF=357926f2; verify compose.lfs.yml is
 in COMPOSE_FILE at deploy time; verify lfs_jwt_secret Docker secret is generated; verify
 LFS_START_SERVER=true and LFS_JWT_SECRET=<value> appear in /etc/gitea/app.ini inside the container.
 ### [critical — M2 blocker] Upgrade fails on main-branch CI run (run 674) @2026-06-15T20:36Z
 Drone build 674 (RECIPE=gitea, PR=0, REF=main): upgrade FAIL with:
 "upgrade deployed chaos commit 'e6a1cc79', not the intended PR-head 'main' — the re-checkout
 to the code under test failed, so the upgrade is not exercised."
 Level=1 (install pass only).
 This is the M2 main-branch CI run that must be level=5. With upgrade failing, M2 cannot pass.
 Builder must investigate why REF=main doesn't work correctly for the upgrade tier.
 ### [non-blocking — concurrency] Run 675 install failure @2026-06-15T20:36Z
 4 !testme comments were posted concurrently → 4 Drone builds triggered simultaneously (674, 675,
 676, +). Builds 674 and 675 both have PR=0/REF=main → same app domain → lock contention.
 Run 675 started while 674 had the lock → found stale state → ci_admin creds cached but user
 gone (409 create path) → 401 on API calls → level=0.
 Not a code bug. Builder should post ONE !testme at a time to avoid concurrency collisions.
 The concurrent lock mechanism should prevent partial-state damage, but the stale cred cache
 (`/tmp/ccci-gitea-admin-<domain>.json`) persists and causes 401s.
 ### [critical — M2 blocker] LFS upgrade rollback in build #685 @2026-06-15T21:10Z
 Build #685 (RECIPE=gitea, PR=1, REF=357926f26e69): upgrade FAIL with rollback_completed.
 Evidence: `abra.secret_generate --all` was called (after UPGRADE_EXTRA_ENV applied
 SECRET_LFS_JWT_SECRET_VERSION=v1). lfs_jwt_secret was created as a Docker secret (rollback_completed
 means container started, not pre-deploy failure). But gitea failed its health check.
 **Root cause hypothesis**: lfs_jwt_secret generated with WRONG FORMAT/LENGTH because the
 `.env.sample` in PR #1 (lfs-plain-gitea branch) has the entry COMMENTED OUT:
 ```
 # SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43   ← COMMENTED = abra may miss the length=43 spec
 ```
 vs active entries (uncommented): `SECRET_JWT_SECRET_VERSION=v1 # length=43`
 gitea's LFS JWT secret must be exactly 43 chars (base64 URL-safe, 32 bytes). If abra uses
 a different default length, gitea fails to parse the JWT secret and crashes on startup → rollback.
 **Fix options** (Builder to choose):
 A. In `ops.py pre_install` (when `_lfs_enabled()`): explicitly generate lfs_jwt_secret with
   correct length: `abra._run(["app", "secret", "generate", domain, "lfs_jwt_secret", "v1", ...])`.
   Do NOT rely on `--all` for this secret because the spec is commented out.
 B. In generic.py `perform_upgrade` after UPGRADE_EXTRA_ENV: targeted secret generate (not --all).
 C. Ask the recipe maintainer to uncomment the `SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43`
   line in PR #1's `.env.sample` (and add a note that it's optional but needed for LFS installs).
 Debug steps before fixing:
 1. After UPGRADE_EXTRA_ENV sets SECRET_LFS_JWT_SECRET_VERSION=v1, run:
   `abra app secret generate <domain> lfs_jwt_secret v1` and inspect the generated Docker secret
   length: `docker secret inspect <stack>_lfs_jwt_secret_v1 --format "{{.Spec.Data}}" | wc -c`
 2. Alternatively: check gitea container logs during the chaos deploy to see the startup error.
 3. A correct 43-char base64 secret should be: `openssl rand -base64 32 | tr -d '='` (43 chars).
 Cascade effects (all from upgrade rollback):
 - pre_backup FAIL (401 on API call — stale creds after upgrade chaos)
 - pre_restore FAIL (ci-marker not in backed-up snapshot since backup was bad)
 - test_restore FAIL (marker not returned — restore didn't revert non-existent change)
 - custom tests: test_admin_api/test_git_push/test_lfs_roundtrip all 401 (stale creds)
 Secondary mystery: WHY is ci_admin password invalid (401) after upgrade rollback? The password
 in the sqlite3 DB should be unchanged. Possible: gitea 3.5.3 briefly started during chaos deploy
 and modified the DB before failing health check. Builder should investigate if this is a separate
 bug or purely cascade from the upgrade failure.
 ### [minor — fix before M2 complete] cc-ci self-test lint failures @2026-06-15T21:10Z
 Push-event CI builds #683/#686/#687 fail at `scripts/lint.sh` (cc-ci repo's own self-test):
 - `ruff format --check` wants to reformat 9 files (all new gtea files + test_discovery.py)
 - `ruff check` has 9 errors (bridge.py UP017 + likely others in gtea files)
 This does NOT block M2 recipe CI runs (which use custom events). But:
 1. The cc-ci repo's self-test should be green (it's the CI server's own code quality check).
 2. `ruff format` violations in the new gtea files are Builder code quality debt.
 Fix: `cd /root/builder-clone && nix develop .#lint --command ruff format tests/gitea/ tests/unit/test_discovery.py && nix develop .#lint --command ruff check --fix tests/gitea/`
 Then commit and push to clear the self-test lint failures.
 ### [pending — verify before M2 DONE] Drone dep path: no live CI since a121d2c
 M2 DoD: "drone CI re-confirmed green (dep path intact)". No RECIPE=drone CI run has run
 since a121d2c modified `runner/harness/generic.py` and `tests/gitea/recipe_meta.py`.
 Unit tests (test_gitea_dep.py 10/10) still pass.
 Builder should trigger a RECIPE=drone run (e.g., post !testme on a drone recipe PR)
 to complete the M2 DoD dep-path verification.
 ### [critical — FIXED] Build #691 STACK_NAME not in .env @2026-06-15T22:05Z
 Build #691 (RECIPE=gitea, PR=1, REF=357926f26e69): FAIL in UPGRADE_SECRET_PREP hook with:
 `RuntimeError: UPGRADE_SECRET_PREP: STACK_NAME not found in /root/.abra/servers/default/gite-e1cb78.ci.commoninternet.net.env`
 Root cause: d832b35's UPGRADE_SECRET_PREP read STACK_NAME from the app's .env file. But abra
 does NOT write STACK_NAME to that file — it derives it from the domain at runtime. The .env
 only contains DOMAIN, TYPE, COMPOSE_FILE, and app-specific vars.
 Fix: derive STACK_NAME from domain as fallback — `domain.replace(".", "_")` — matching abra's
 own derivation (dots replaced by underscores). Applied in commit ad53b5a.
 Status: FIXED. Build #695 (retriggered) PASS level=5 with test_lfs_roundtrip PASS. ✓
 ### [non-blocking] Stale screenshot in manual runs @2026-06-15T20:32Z
 `/var/lib/cc-ci-runs/manual/screenshot.png` mtime = June 13, not from today's M1 run.
 Root cause: `screenshot.capture()` (screenshot.py:149) checks `if not os.path.exists(out_path)`
 after the SCREENSHOT hook runs. For run_id="manual", `out_path` reuses the same directory
 (`/var/lib/cc-ci-runs/manual/screenshot.png`), so if a prior manual run left a file there, the
 guard prevents overwriting it. The SCREENSHOT hook (recipe_meta.py) navigates to the login page
 but doesn't call `page.screenshot()` itself — that's the harness's job, blocked by the guard.
 Impact: results.json shows `"screenshot": "screenshot.png"` (file exists, non-empty) but the
 image is from a prior session. Cosmetic only — does not affect verdict (R7).
 M2 runs with DRONE_BUILD_NUMBER → unique dir → no issue.
 Recommendation: `screenshot.capture()` should always overwrite (remove `if not exists` guard),
 or the Builder could add `page.screenshot(path=out_path)` at the end of the SCREENSHOT hook.
 No action required for M1/M2 gates. Pre-existing harness limitation, not Builder error.
--- a/machine-docs/BACKLOG-kuma.md
+++ b/machine-docs/BACKLOG-kuma.md
@ -0,0 +1,28 @@
 # BACKLOG — phase `kuma` (uptime-kuma create-a-monitor functional test)
 ## Build backlog
 ### DONE
 - [x] Phase state files created (STATUS-kuma.md, BACKLOG-kuma.md, REVIEW-kuma.md, JOURNAL-kuma.md)
 - [x] Approach decision: Playwright over python-socketio (recorded in DECISIONS.md)
 - [x] Inspect uptime-kuma 2.2.1 source for exact DOM selectors
 - [x] Implement `tests/uptime-kuma/playwright/test_monitor_wizard.py`
 ### DONE (continued)
 - [x] Open recipe-maintainers/uptime-kuma PR #3 + trigger `!testme`
 - [x] Drone build #460 = LEVEL 5, playwright:1 PASS
 - [x] Claim M1 gate (fe8922c)
 ### IN PROGRESS
 - [ ] Second `!testme` run (comment #14352, flake check) — polling for build
 - [ ] M1 Adversary review
 ### PENDING (after M1 Adversary PASS)
 - [ ] Second `!testme` run (flake check — 2 consecutive green)
 - [ ] Update PARITY.md (note the new playwright/ test)
 - [ ] Close DEFERRED.md entry "2026-05-28 — uptime-kuma create-a-monitor"
 - [ ] Claim M2 gate
 - [ ] Write ## DONE after M2 Adversary PASS
 ## Adversary findings
 (Adversary-owned — no items yet; populated as issues are found)
--- a/machine-docs/BACKLOG-lvl5.md
+++ b/machine-docs/BACKLOG-lvl5.md
@ -0,0 +1,99 @@
 # BACKLOG — Phase lvl5
 ## Build backlog
 - [x] B1 (P1) `level.py`: append rung `lint` (L5); new status vocabulary {pass, fail, skip, unver}; `compute_level()` → new formula (level = max i: rung_i pass ∧ ∀j<i status ∈ {pass,skip}); DELETE cap_reason/capped concepts.
 - [x] B2 (P1) lint executor (`harness/lint.py`): `abra recipe lint <recipe>` against the exact tested ref; hard ~60s timeout; rc+full output → `lint.txt` artifact; pass/fail/unver classification (missing abra / timeout / exception → unver, never pass, never skip); mirror-context handling per phase-plan §2.3 (probe abra behavior first; any filtering = named + unit-tested + DECISIONS.md).
 - [x] B3 (P1) `results.py`: wire lint into `derive_rungs` + explicit intentional-vs-unintentional classification of EVERY N/A source; drop level_cap_reason/level_cap_rung from schema; `skips()` reflects new statuses; orchestrator (`run_recipe_ci.py`) runs lint executor at the tested-ref point + passes result through; verdict-neutral (R7 wrap).
 - [x] B4 (P1) unit tests: rewrite test_level.py/test_results.py to new semantics incl. mission worked examples (fail-blocks → L1; intentional-skip climbs → L5; unver-blocks → L2; lint unver → L4; unclassifiable N/A → unver default); lint executor tests; old-artifact rendering compat tests.
 - [x] B5 (P2) `card.py`: 0–5 color ramp; cap line removed ("level N of 5" neutral); rung table renders ✔/✘/intentional-skip/unverified; level_badge_svg loses cap_skip third segment (badge = number+color only); tolerate old artifacts.
 - [x] B6 (P2) `dashboard.py`: _LEVEL_COLOR 5-scale; _level_pill/badge SVG number-only; legend text; old results.json (cap_reason present, lint absent) render without KeyError.
 - [x] B7 (P2) docs: results-ux.md, testing.md, recipe-customization.md §EXPECTED_NA wording — L5 ladder, de-cap semantics.
 - [x] B8 (P1) DECISIONS.md: semantics change record (replaces Phase-3 "N/A caps"); N/A classification table (every derive_rungs N/A source → intentional|unintentional); mirror-filter decision for lint (if any filtering).
 - [x] B9 — gate M1: claim (branch w/ P1+P2; clean tree; cold-verifiable).
 - [x] B10 (P3) lint sweep over ALL enrolled recipes (scratch clones — never touch ~/.abra/recipes during builds); matrix here (pass/fail + rule hits); mechanical fixes → mirror PRs (never push main/never merge); rest → DEFERRED.md.
 - [x] B11 (P4) real-CI proofs: ≥1 genuine L5; ≥1 lint-blocked L4 (synth branch ok); ≥1 N/A-skip climb; 2× drone !testme; canary suite at re-derived designed levels; 1 synthesized unver-blocks run; before/after level table for ALL enrolled recipes; card/dashboard PNG/SVG visually verified.
 - [x] B12 — gate M2: claim; then ## DONE after fresh PASS.
 ## Adversary findings
 ## P3 lint sweep matrix (B10) — all 19 enrolled, mirror main HEAD, 2026-06-11
 Method: per recipe, fresh scratch clone of its canonical origin (mirror for the 17
 recipe-maintainers recipes; coopcloud upstream for bluesky-pds/custom-html-tiny/mumble) +
 upstream version tags fetched (production fetch_recipe shape), then `harness.lint.run_lint`
 from phase-lvl5 @ 3d8d286 in a scratch ABRA_DIR (`/tmp/lvl5-sweep` on cc-ci; full outputs in
 `/tmp/lvl5-sweep/art/<recipe>/lint.txt`). Canonical `~/.abra/recipes` never touched.
 **Result: 19/19 PASS** (no error-severity rule unsatisfied anywhere). No recipe-mirror PRs and
 no DEFERRED entries needed. Warn-severity misses (informational, do not fail the rung):
 | recipe | lint | warn-rule misses |
 |---|---|---|
 | bluesky-pds | pass | R002 R007 R015 |
 | cryptpad | pass | R002 R005 R007 |
 | custom-html | pass | R002 R004 R005 |
 | custom-html-tiny | pass | R002 |
 | discourse | pass | R002 R007 R015 |
 | ghost | pass | R015 |
 | hedgedoc | pass | R015 |
 | immich | pass | R002 R005 |
 | keycloak | pass | R002 R015 |
 | lasuite-docs | pass | R005 |
 | lasuite-drive | pass | R002 R005 |
 | lasuite-meet | pass | R002 |
 | mailu | pass | R002 |
 | matrix-synapse | pass | R002 R015 |
 | mattermost-lts | pass | R002 R015 |
 | mumble | pass | R002 |
 | n8n | pass | R002 R015 |
 | plausible | pass | R002 R005 R007 |
 | uptime-kuma | pass | R015 |
 Note: lasuite-meet's historically-lightweight tag `0.3.0+v1.16.0` is now ANNOTATED upstream
 (verified `git cat-file -t` = tag on all three version tags) — R014 passes genuinely; the
 abra.py:105 lightweight-tag deploy fallback simply no longer triggers for it.
 ## Before/after level table skeleton (§2.9 — "after" to be filled by P4 real runs)
 Baseline = latest results.json on cc-ci per recipe re-scored under the CURRENT (pre-lvl5,
 4-rung) rule; ancient 6-rung artifacts (builds ≤205, integration/recipe_local era) re-read on
 their four essential rungs. Predicted = same tier outcomes + sweep lint result under the new
 rule (assumption flagged; P4 produces the real values).
 | recipe | baseline rungs (latest artifact) | baseline level | predicted new level | REAL new level (P4 run) | why it shifts |
 |---|---|---|---|---|---|
 | bluesky-pds | no artifact (deploy-gated upstream, shot-phase N/A) | — | — | — (still deploy-gated; documented N/A) | still deploy-gated |
 | cryptpad | I✔ U✔ B✔ F✔ (#181) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
 | custom-html | I✔ U✔ B✔ F✔ (#182) | 4 | 5 | **4** (#405 PR4 lintdemo: lint fail R011; main analytic 5) | + lint pass |
 | custom-html-tiny | I✔ U✔ B-na F-na (#205, predates functional/) | 2 | 5 | **5** (#399 — N/A-skip climb, was 2) | de-cap: backup skip declared; functional/ tests exist now; + lint |
 | discourse | I✔ U✔ B✔ F✔ (#184) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
 | ghost | I✔ U✔ B✔ F✔ (#185) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
 | hedgedoc | I✔ U✔ B✔ F✔ (#113) | 4 | 5 | **5** (#398, 100s) | + lint pass |
 | immich | I✔ U✔ B✔ F✔ (#370) | 4 | 5 | **5** (#406, drone !testme PR2, 199s) | + lint pass |
 | keycloak | I✔ U✔ B✔ F✔ (#187) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
 | lasuite-docs | I✔ U✔ B✔ F✔ (#188) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
 | lasuite-drive | I✔ U✔ B✔ F✔ (#189) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
 | lasuite-meet | I✔ U✔ B✔ F✔ (#204) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
 | mailu | I✔ U✔ B-na F✔ (#191) | 2 | 5 | (not re-run; analytic 5 — same de-cap as #399) | de-cap: not backup-capable → skip climbs (the §2.9 N/A-skip demo) |
 | matrix-synapse | I✔ U✔ B✔ F✔ (#203) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
 | mattermost-lts | I✔ U✔ B✔ F✔ (#196) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
 | mumble | no results.json artifact retained | — | — | **5** (#413, 80s — first retained artifact) | P4 run to establish |
 | n8n | I✔ U✔ B✔ F✔ (#197) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
 | plausible | I✔ U✔ B✔ F✔ (#371) | 4 | 5 | **5** (#407, drone !testme PR3, 164s) | + lint pass |
 | uptime-kuma | I✔ U✔ B✔ F✔ (#165) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
 Canaries (designed levels under the NEW formula, re-derived): custom-html-bkp-bad /
 custom-html-rst-bad — backup-capable with a failing backup/restore tier → backup_restore rung
 FAIL → level 2 (fail still blocks; run verdict red as today). To be proven in P4.
 ### Canary designed-level re-derivation (P4, runs 415/416 — 2026-06-11)
 Under the NEW formula the bad canaries' designed level is **1**, not the old 2: their mirrors
 carry no published version tags on the SRC+REF path → upgrade = intentional skip (climbs past
 but never earns), backup_restore = FAIL blocks → level = install = 1. Verified live: 415
 (bkp-bad) + 416 (rst-bad) both **verdict FAILURE (red)**, rungs
 {install: pass, upgrade: skip, backup_restore: fail, functional: unver (post-failure abort),
 lint: pass}, LEVEL 1. Backup/restore fail still blocks; verdict logic untouched.
 (First attempts 411/412 failed in 1s: canaries are mirror-only, not catalogue recipes — they
 need SRC+REF params, as prior phases ran them.)
--- a/machine-docs/BACKLOG-mailu.md
+++ b/machine-docs/BACKLOG-mailu.md
@ -0,0 +1,32 @@
 # BACKLOG — phase `mailu` (backupbot labels + backup/restore coverage)
 ## Build backlog
 (Builder-owned — read only for Adversary)
 ## Adversary findings
 ### [ADV-mailu-01] `/mail` Maildir volume restoration not tested — seed too shallow [adversary]
 **Filed**: 2026-06-11T20:58Z
 **Status**: CLOSED @2026-06-11T21:00Z — fix verified green in build #477 (M1 PASS)
 **Plan requirement** (`plan-phase-mailu-backup.md` §2.3): "a seeded mailbox + message that survives
 backup→wipe→restore — extend the existing functional helpers if the current seed is too shallow"
 **Repro**:
 1. Current `ops.py::pre_backup` creates user account in SQLite (account record in `/data`), but never
   injects a mail message into the Maildir at `/mail`.
 2. `ops.py::pre_restore` deletes the SQLite account record only — does NOT wipe any maildir content.
 3. `test_restore.py::test_restore_returns_mailbox` only asserts the account is back in config-export.
 4. Result: the entire test exercises ONLY the `/data` (SQLite) volume; `/mail` (Maildir) restoration
   is never specifically verified. If backupbot silently failed to restore `/mail`, this test passes.
 **Fix**:
 1. `pre_backup`: inject a uniquely-tagged message into `citest@<domain>` mailbox via in-container
   postfix→dovecot delivery (same mechanism as `test_mail_flow.py::test_send_and_receive_mail`)
 2. `pre_restore`: additionally wipe the `citest@<domain>` maildir 
   (`doveadm expunge -u citest@<domain> mailbox INBOX ALL` in the `imap` container)
 3. `test_restore.py`: also assert the seeded message is back
   (e.g., `doveadm search -u citest@<domain> mailbox INBOX ALL` returns ≥1 result)
 **Only the Adversary closes this** after re-test with a fresh green build.
--- a/machine-docs/BACKLOG-nixenv.md
+++ b/machine-docs/BACKLOG-nixenv.md
@ -0,0 +1,19 @@
 # BACKLOG — phase `nixenv`
 ## Build backlog
 - [x] M1: define shared harness/recipe-test runtime env once (overlay in `packages.nix`):
      `ccciPyEnv` + `ccciRuntimeTools` (the union tool set) + `cc-ci-run`.
 - [x] M1: `harness.nix` references `pkgs.cc-ci-run` (no local pyEnv/runtimeInputs).
 - [x] M1: `nightly-sweep.nix` invokes `cc-ci-run` (no duplicate pyEnv, no own tool list, DEFECT-3 patch gone).
 - [x] M1: both host `configuration.nix` `systemPackages` reference `pkgs.ccciRuntimeTools` (+ openssh); end identical.
 - [x] M1: grep proof — exactly one `withPackages`/`pytest playwright` in nix/ (packages.nix); no module declares its own harness tool list.
 - [x] M1: `nixos-rebuild build` succeeds for both `#cc-ci` and `#cc-ci-hetzner`.
 - [x] M1: CLAIM, await Adversary PASS.
 - [x] M2: deploy via `nixos-rebuild switch`; verify host health (systemctl --failed, oneshots, timer, endpoints).
 - [x] M2: live parity — gitea `test_lfs_roundtrip` green under BOTH Drone path (build #871) and a real timer fire from the unified env.
 - [x] M2: canon-style sweep still promotes/SKIPs correctly (no regression; gitea promote-fail + discourse/mattermost red all pre-existing, identical pre-deploy).
 - [x] M2: CLAIM @ 2026-06-17T18:17Z (this commit). Await Adversary PASS → `## DONE`.
 ## Adversary findings
 <!-- Adversary-owned section. Builder does not edit. -->
--- a/machine-docs/BACKLOG-poe2e.md
+++ b/machine-docs/BACKLOG-poe2e.md
@ -0,0 +1,36 @@
 # BACKLOG — phase poe2e
 ## Build backlog
 (Builder-owned)
 - [x] **B1 — PO scratch project full lifecycle (D1).** Use the PO's `scripts/create-project.sh` to
  scaffold a throwaway scratch project under an isolated parent dir; switch it to the engine's
  dependency-free `demo` backend on a unique `session_prefix`; `up` it, confirm `status` shows the
  sessions RUNNING through the harness; `down` it; delete the throwaway. Capture full transcript.
 - [x] **B2 — Staged cc-ci project skeleton (D2).** Scaffold a local git repo `cc-ci` (staging) with
  `engine/` submodule pinned at v0.1.0 (`289ef07`). Initial commit.
 - [x] **B3 — Migrate `agents.toml` (D2).** Translate the live `/srv/cc-ci/cc-ci-plan/agents.toml`
  to the engine v0.1.0 schema: all agents + services, both backends, defaults (+ required
  `session_prefix`/`log_dir`), the full `[loop]` phases array (19 phases) with per-phase model
  overrides, handoff, on_complete, plus `kickoff_template` + `roles_dir`.
 - [x] **B4 — Migrate `prompts/` (D2).** Copy `prompts/{builder,adversary}.md` verbatim from live;
  author `prompts/kickoff.md` reproducing the live `build_loop_kickoff()` preamble via the engine's
  `{phase_id}/{plan}/{status}/{role}` slots.
 - [x] **B5 — Parity verification (D2).** Run `engine/agents.py status` on the staged config from a
  clean checkout inside `nix develop`; diff agents/models/phases against the live status; produce a
  side-by-side in STATUS. Must match (modulo the STATE column, which differs because staged is never
  started).
 - [x] **B6 — Register staged cc-ci in `fleet.toml` (D3).** Add a `[[project]]` entry in the PO
  repo's `fleet.toml`; `scripts/fleet.py validate` passes.
 - [x] **B7 — Operator cutover runbook (D4).** Write the exact, reviewed operator-supervised cutover
  steps (stop live → point systemd/shims at the project's engine → start), with rollback.
 - [x] **B8 — Prove live untouched (D5).** Re-checksum live `agents.{py,toml}`, `state/phase-idx`,
  and tmux session list; confirm unchanged vs the Adversary's baseline; confirm no `cc-ci-`-prefixed
  watchdog/loop was started by me.
 - [x] **B9 — Claim the gate.** Clean tree (commit + push everything), STATUS `## Gate CLAIMED` with
  WHAT/HOW/EXPECTED/WHERE; await Adversary.
 ## Adversary findings
 (Adversary-owned — read-only for Builder)
--- a/machine-docs/BACKLOG-porepo.md
+++ b/machine-docs/BACKLOG-porepo.md
@ -0,0 +1,16 @@
 # BACKLOG — phase porepo
 ## Build backlog
 (Builder-owned — read-only to Adversary)
 1. [x] Create `recipe-maintainers/project-orchestrator` repo (Gitea API) + clone to `/home/loops/porepo/`.
 2. [x] Add `engine/` submodule pinned at `agent-orchestrator` `v0.1.0` (289ef07).
 3. [x] PO harness config: `agents.toml` (persistent `project-orchestrator` agent, fleet-mgmt role) + `prompts/`.
 4. [x] `fleet.toml` — documented schema + sample entry that parses (`scripts/fleet.py validate`).
 5. [x] Project-management capability: docs (`docs/`) + helper scripts (`scripts/`) for create / start-stop-update / list-status.
 6. [x] `flake.nix` + `flake.lock` devShell (python3>=3.11, tmux, git+submodule); README documents `nix develop`.
 7. [x] Bootstrap doc (`docs/bootstrap.md`).
 8. [x] Self-verified all DoD from a clean anon `/tmp` recursive clone inside `nix develop`; clean tree; **gate CLAIMED** @ 346ed31.
 ## Adversary findings
 (none yet)
--- a/machine-docs/BACKLOG-prevb.md
+++ b/machine-docs/BACKLOG-prevb.md
@ -0,0 +1,33 @@
 # BACKLOG — phase `prevb`
 SSOT: `/srv/cc-ci/cc-ci-plan/plan-phase-prevb-previous-dynamic-base.md`.
 ## Build backlog
 ### M1 — implemented + green locally  [CLAIMED @2026-06-17T00:40Z, awaiting Adversary]
 - [x] B1. Dynamic upgrade-base resolution (last-green → main-tip → skip): `resolve_upgrade_base`/`BasePlan`.
 - [x] B2. `tests/<recipe>/previous/` mechanism: discovery, VERSION marker, base-only application,
      head exclusion (stripped before head redeploy), version-guard + stale-flag. Unit-tested.
 - [x] B3. Discourse migration: `compose.ccci.yml` environmental-only (`order: stop-first`); bitnamilegacy
      pins + sidekiq removed; `UPGRADE_BASE_VERSION` removed. No `previous/` (base deploys clean).
 - [x] B4. Unit tests: resolver matrix + `previous/` apply/skip/stale + COMPOSE_FILE layering.
 - [x] B5. Discourse upgrade tier GREEN locally (run-prevb-disc2): app image official 3.5.3 (not
      bitnamilegacy), no sidekiq (pruned), version 0.8.1+3.5.0→1.0.0+3.5.3, install+upgrade pass.
      (Found+fixed: docker stack deploy no-prune left sidekiq orphaned → `prune_orphan_services`.)
 - [x] B6. CLAIM M1 (clean tree + STATUS WHAT/HOW/EXPECTED/WHERE/TEETH).
 ### M2 — proven in real CI + spot-check  [M1 PASS @01:03Z dbc7a3b]
 - [x] B7. discourse PR #4 `!testme` GREEN in real CI — **Drone build 717** ✅, bridge marked PR#4 "passed".
      All 5 tiers 0-fail (junit): install/upgrade/backup/restore/custom. Upgrade tier proved
      `test_head_runs_official_image_not_bitnamilegacy` + `test_sidekiq_service_dropped_by_head` PASS
      (head = official discourse/discourse:3.5.3, sidekiq dropped, migration exercised). Custom green via
      the image-agnostic mint_admin fix (b66abc4). Clean teardown. Found+fixed under prevb: mint_admin
      hardcoded bitnamilegacy path (broke once the head genuinely ran official — the prevb consequence).
 - [x] B8. Spot-check 3 upgrade-tier recipes GREEN under dynamic base (all main-tip kind=ref, no regression):
      cryptpad #5 (data-continuity), keycloak #3 (origin/master fallback + realm-continuity, SSO/DEPS),
      hedgedoc #1 (simple). + discourse PR#4 real CI = 4 recipes. (warm-canonical last-green e2e N/A — none
      exist on host; that path is unit-tested.) Records reconciled: 717 artifacts durable, PR#4 "✅ passed".
 - [x] B9. M2 PASS @01:58Z (1c3ba71). Both M1+M2 fresh Adversary PASS, no VETO → ## DONE written.
 ## Adversary findings
 (Adversary-owned section — Builder does not edit below.)
--- a/machine-docs/BACKLOG-pvcheck.md
+++ b/machine-docs/BACKLOG-pvcheck.md
@ -0,0 +1,20 @@
 # BACKLOG — phase pvcheck (post-proxy verification)
 ## Build backlog
 - [x] Create pvcheck phase files (STATUS, JOURNAL, BACKLOG)
 - [x] Fix [A2] upgrade-all SKILL.md stale description (orchestrator commit 84e13a7)
 - [x] Collect M1 evidence (proxy subnet, endpoints, service health, routes, VIP journal)
 - [x] Claim M1 — control plane and routing verified
 - [x] M2: real recipe CI run through proxy — hedgedoc build #608 ✅ passed level 5 (06:04Z post-fix)
 - [x] M2: bounded allocator headroom proof — 5 stacks deploy/rm, 0 leaks, 0 VIP errors (06:08Z)
 - [x] M2: cleanup verification — proxy endpoints: 7 (baseline), no residue (06:09Z)
 - [x] M2: claim gate
 ## Adversary findings
 ### [A2] upgrade-all SKILL.md guard description stale (2026-06-13T05:56Z)
 - [x] Filed
 - [x] Builder fix — orchestrator commit `84e13a7` (2026-06-13T05:59Z): updated guard description from "until that lands" to "belt-and-suspenders even after the /16 fix"
 - [x] Adversary re-verify and close — CLOSED 2026-06-13T06:10Z. Orchestrator commit 84e13a7 confirmed in git log. SKILL.md text now reads "belt-and-suspenders even after the /16 fix." ✅
--- a/machine-docs/BACKLOG-pvfix.md
+++ b/machine-docs/BACKLOG-pvfix.md
@ -0,0 +1,64 @@
 # BACKLOG — phase pvfix
 ## Build backlog
 - [x] Seed pvfix state files
 - [x] Read plan-phase-pvfix-swarm-proxy.md + runbook
 - [x] Inspect live host subnets + services on proxy
 - [x] Patch nix/modules/swarm.nix (add --subnet 10.10.0.0/16)
 - [x] Write exact maintenance procedure in STATUS-pvfix.md
 - [x] **CLAIM M1** — awaiting Adversary review
 - [x] Execute live maintenance (after M1 PASS)
 - [x] Verify health post-maintenance
 - [x] **CLAIM M2** — awaiting Adversary verification
 ## Adversary findings
 ### A1 [adversary] deploy-proxy health gate circular dependency on fresh boot
 **Filed:** 2026-06-13T05:49Z  
 **Severity:** D8 risk — from-scratch install deadlocks deploy-proxy for up to 15 min on first boot  
 **Status:** OPEN
 **Description:**
 `deploy-proxy.service` runs `warm_reconcile.py traefik` whose health gate checks
 `ci.commoninternet.net` returns HTTP 200. That URL is served by the dashboard.
 `deploy-dashboard.service` has `After=deploy-proxy.service` (`nix/modules/dashboard.nix`),
 so systemd holds deploy-dashboard until deploy-proxy exits.
 On a fresh-from-scratch boot:
 1. deploy-proxy starts, deploys traefik, calls `wait_healthy` → polls `ci.commoninternet.net`
 2. deploy-dashboard is blocked by `After=deploy-proxy.service` (systemd won't start it)
 3. `ci.commoninternet.net` never returns 200 (dashboard not up)
 4. deploy-proxy times out at `TimeoutStartSec=900` (15 min) and fails
 5. deploy-dashboard then starts but proxy is in failed state
 **Repro (controlled):**
 ```bash
 # Simulate on live host:
 systemctl stop deploy-dashboard deploy-proxy
 systemctl reset-failed deploy-dashboard deploy-proxy
 # Observe: starting deploy-proxy without deploy-dashboard running → wait_healthy loops until timeout
 systemctl start deploy-proxy &
 journalctl -u deploy-proxy -f  # confirms repeated curl ci.commoninternet.net failures
 ```
 **Root cause:** `warm_reconcile.py traefik` spec has `health_domain = "ci.commoninternet.net"`
 (a routed host proving Traefik routes + TLS — valid goal, wrong URL for a service ordered-after).
 **Fix options for Builder:**
 1. Change `health_domain` to a URL independent of ordered services (e.g. a Traefik
   `api/ping` endpoint on `traefik.ci.commoninternet.net`, or `drone.ci.commoninternet.net`
   which starts concurrently with deploy-proxy since deploy-drone only has `After=deploy-proxy`
   — but that would also be circular since drone is after proxy too).
 2. Remove `deploy-proxy.service` from deploy-dashboard's `after` list — dashboard becomes
   concurrent with proxy on boot (fine: it's a static web server, just won't be routable until
   Traefik is up, which is tolerable).
 3. Add `Wants=deploy-dashboard.service` + `After=deploy-dashboard.service` to deploy-proxy, so
   systemd starts dashboard before proxy runs its health gate (reverses the current ordering).
 **Note:** Pre-existing, not introduced by pvfix. Manual maintenance worked around it by starting
 deploy-dashboard concurrently. Only a cold from-scratch boot or deliberate service reset exposes
 the deadlock. Builder flagged it in STATUS-pvfix.md anomaly note.
 **Only the Adversary closes this item**, after re-test confirms the fix resolves the deadlock.
--- a/machine-docs/BACKLOG-pxgate.md
+++ b/machine-docs/BACKLOG-pxgate.md
@ -0,0 +1,29 @@
 # BACKLOG — phase pxgate
 ## Build backlog
 (Builder-owned — Adversary reads only)
 - [x] Create phase state files (STATUS/JOURNAL/BACKLOG-pxgate.md)
 - [x] Change `health_path` from `/` to `/api/version`; drop `health_domain` override in `runner/warm_reconcile.py`
 - [x] Update stale comments in warm_reconcile.py + proxy.nix
 - [x] Update DECISIONS.md + DEFERRED.md
 - [x] Run controlled reproduction (dashboard swarm scaled 0 → old=404, new=200)
 - [x] Claim M1
 ## Adversary findings
 No findings yet. Recording break-it probes to run once the fix lands.
 ### Break-it probes to execute at M1 gate
 - [ ] **P1-neg (traefik-down gate fails):** Stop traefik service; verify `health_code` returns non-200
      and the reconciler would roll back. (Prove the new gate has teeth — not always-pass.)
 - [ ] **P2-controlled-repro:** Simulate dashboard-absent scenario: with dashboard held back (or stopped),
      run the NEW reconciler → verify it completes healthy (no deadlock). Run the OLD reconciler with
      dashboard held back → verify it hangs/fails (confirm the fix actually breaks the cycle).
 - [ ] **P3-ordering:** Confirm `After=deploy-proxy` consumers (drone, warm-keycloak, bridge, dashboard,
      backupbot, reports-nightly) still order correctly. Check `systemctl cat <service>` for each.
 - [ ] **P4-alert-cleared:** Verify the 20260613T054428Z unhealthy-on-latest alert is addressed (either
      the Builder explicitly handles it, or the fix makes the next reconcile cycle healthy).
 - [ ] **P5-secret-leak:** grep `/var/lib/ci-warm/alerts/` for any secret values (keys, passwords).
      The alert file must contain only version strings, no credentials.
--- a/machine-docs/BACKLOG-rcust.md
+++ b/machine-docs/BACKLOG-rcust.md
@ -0,0 +1,23 @@
 # BACKLOG — sub-phase rcust
 ## Build backlog
 - [ ] P1.1 `runner/harness/meta.py`: KEYS registry (14 keys + 3 deprecated) + `load(recipe) -> RecipeMeta`
 - [ ] P1.2 migrate readers L1–L6 to `meta.load()` (orchestrator loads once, passes down)
 - [ ] P1.3 mumble private constants → underscore-prefixed (`_WELCOME_TEXT_MARKER`, `_MAX_USERS`) + fix importers
 - [ ] P1.4 `tests/unit/test_meta.py` (all-recipes-load-clean, MetaError cases, defaults, R2 proof)
 - [ ] P1.5 `scripts/gen-meta-docs.py` + doc-sync unit test
 - [ ] P2a compose.ccci.yml first-class (auto-copy + auto-chaos); strip ghost/discourse boilerplate
 - [ ] P2b install-time deps only; migrate lasuite-docs; delete setup_custom_tests.sh machinery
 - [ ] P2c SKIP_GENERIC meta key deleted; env form documented dev-only + loud warning in CI runs
 - [ ] P2d conftest cleanup: delete deployed/deployed_app (+app_domain if unused); consolidate deps fixture; migrate 6 lasuite test files
 - [ ] P3 HookCtx + convert all hook call sites + migrate in-repo users + unit tests
 - [ ] P4 discovery placement rule + op_state/deps fixtures + migrate hand-parsers
 - [ ] P5 customization manifest (print block + results.json key) + unit tests
 - [ ] P6 docs rewrite (recipe-customization.md §8, testing.md, enroll-recipe.md)
 - [ ] M1 pre-claim: run `pytest tests/concurrency -q` once to prove untouched
 - [ ] M2 prep: build baseline matrix (21 recipe dirs, expected outcomes) BEFORE merging — commit to STATUS-rcust.md
 ## Adversary findings
 (Adversary-owned section)
--- a/machine-docs/BACKLOG-redfix.md
+++ b/machine-docs/BACKLOG-redfix.md
@ -0,0 +1,109 @@
 # BACKLOG — phase `redfix`
 ## Build backlog
 ### M1 — investigate + isolate + classify (all six)
 - [ ] discourse — reproduce cold-deploy timeout/wedge in isolation; root-cause (headroom vs
      convergence bug vs upstream compose defect `sidekiq.depends_on: discourse`); classify.
 - [ ] mattermost-lts — `test_restore.py::test_restore_returns_state` in isolation: green→load flake,
      red→diagnose restore (recipe vs test).
 - [ ] mumble — `custom/test_protocol_handshake.py::test_handshake_completes_with_channel_presence` in
      isolation (canonical already present from today → likely flake; confirm).
 - [ ] bluesky-pds — warm-canonical promote routing: why `warm-bluesky-pds…` → 000 over HTTPS while
      container healthy internally + cold-test domain routes. Find cc-ci warm-machinery defect.
 - [ ] gitea — `3.5.3→3.6.0` warm advance crash (`app.ini` read-only, JWT save). Recipe vs harness.
 - [ ] keycloak — de-enrolled (live-warm OIDC collision). Design collision-free warm domain/namespace.
 ### M2 — FIX + verify all six (recipe PR or harness improvement)
 **Execution gated on M1 PASS** (avoid node contention with Adversary M1 re-runs; classifications must
 hold). Concrete fix designs from M1 evidence:
 - [ ] **mattermost-lts** (recipe PR, clearest) — add `pg_backup.sh` (immich pattern, no VectorChord
      bits): `backup(){ pg_dump -U mattermost mattermost | gzip > /var/lib/postgresql/data/backup.sql; }`
      `restore(){ gunzip -c …/backup.sql | psql -U mattermost -d mattermost -f -; }`. compose: add
      `configs: pg_backup → /pg_backup.sh`; postgres labels → `backup.pre-hook: /pg_backup.sh backup`,
      `restore.post-hook: /pg_backup.sh restore`, `backup.volumes.postgres.path: backup.sql` (dump-only,
      drop the whole-PGDATA `backup.path` + the `rm` post-hook). Verify via `!testme` → restore green.
 - [ ] **bluesky-pds** (recipe PR) — eliminate the `app`-alias collision on shared proxy: give the PDS
      service a unique name (e.g. `pds`) OR a unique network alias, and update caddy refs
      (`reverse_proxy`, `on_demand_tls ask http://…/tls-check`), healthcheck, backup labels, ops/test
      service= refs. Verify warm promote → 200 on /xrpc/_health. (NOTE: cc-ci harness `ops.py`/tests
      reference `service="app"` for bluesky? check + update if the recipe service renames — but recipe
      mirror is PR-only; cc-ci-side refs are a separate cc-ci change.) Confirm exact approach in M2.
 - [ ] **gitea** (recipe PR) — make app.ini writable on the warm-reattach advance so 3.6.0 can persist
      the JWT secret: render app.ini into the WRITABLE `config:/etc/gitea` volume via the existing
      `docker-setup.sh` entrypoint (copy the templated config to a writable path) instead of the
      read-only `app_ini` docker-config mount; OR ensure the persisted JWT secret is accepted without
      rewrite. Verify the 3.5.3→3.6.0 advance promotes. (Ties to LFS PR #1.)
 - [ ] **keycloak** (harness, cc-ci branch) — `canonical.canonical_domain(r)`: return a collision-free
      domain when `r` is a live-warm provider (`r in warm.WARM_DOMAINS`) → e.g.
      `warm-canon-<r>.ci.commoninternet.net`; else keep `warm-<r>` (zero blast radius on the 15 others).
      Set keycloak `WARM_CANONICAL=True`. Verify keycloak promotes at warm-canon-keycloak WITHOUT
      disrupting live warm-keycloak (200 throughout).
 - [ ] **mumble** (harness, cc-ci branch) — stabilize the handshake under load: add a READY_PROBE/
      readiness gate (TCP 64738 stably listening + a successful handshake) before the custom tier
      and/or raise `retry_handshake` budget; verify green under a concurrent-load re-run.
 - [ ] **discourse** (TRICKIEST — decide in M2) — the overlay `test_upgrade.py` asserts a
      bitnamilegacy→official migration absent from all releases/main. Options: (a) cc-ci test PR
      (--with-tests) scoping the faithfulness assertion to ONLY fire when the head actually performs
      the migration (image still bitnamilegacy → N/A, not RED) — NOT a weakening, a correct scope; +
      file an upstream recipe issue/PR for the real bitnamilegacy→official migration. (b) recipe PR
      doing the migration (major rewrite — official discourse image is launcher-based, likely
      infeasible cleanly). Lean (a)+tracked-upstream; may need operator input (DEFERRED?) — assess in M2.
 ## Adversary findings
 (Adversary-owned — do not edit.)
 ### [adversary] F-redfix-1 — discourse migration INCOMPLETE: dangling image-less `sidekiq` in compose.smtpauth.yml (R011 lint regression + breaks SMTP-auth deploys) — **CLOSED @2026-06-18T07:06Z**
 **CLOSED by Adversary re-test.** Builder fixed in PR #4 @9ff5e19 (force-pushed onto 53ba0910): removed the
 orphaned `sidekiq:` block from compose.smtpauth.yml; the `app:` service retains the smtp env + secret (SMTP
 auth preserved — official image runs sidekiq internally). My re-verify: (1) exact lint.py repro @9ff5e19 →
 **R011 ✅** (R003/R004 also clean; `grep -c sidekiq compose*.yml` = 0); (2) my own full cold run
 `/tmp/adv-discourse-m2v2.log` → **level=5 of 5**, all 5 tiers pass, `lint rung: pass`, both overlay tests
 (`test_head_runs_official_image_not_bitnamilegacy`, `test_sidekiq_service_dropped_by_head`) still PASS. The
 fix is minimal + correct (no test change, smtp preserved). Regression resolved.
 **Severity:** blocks M2 (discourse not "verified green"). Fix-introduced regression on a recipe PR meant to be merged.
 **What:** The discourse official-image migration (PR #4 @53ba0910) drops the `sidekiq` service from
 `compose.yml` (correct — sidekiq is internal to the official image; `test_sidekiq_service_dropped_by_head`
 asserts this). BUT it leaves a `sidekiq:` service block in **`compose.smtpauth.yml`** (smtp env +
 `smtp_password` secret, **no `image:`**). After the drop, that block is a dangling service with no image:
 - The L5 lint rung (`abra recipe lint`, which globs ALL `compose*.yml`) sees the merged
  `compose.yml`+`compose.smtpauth.yml` with an image-less `sidekiq` → **R011 "all services have images"
  FAILS** (2× `WARN invalid reference format`). Run drops to **level=4 of 5** (the other 5 fixed recipes
  all reach level=5).
 - Any real deployment that enables SMTP auth (`COMPOSE_FILE` including `compose.smtpauth.yml`) would try to
  start a `sidekiq` service with no image → deploy failure.
 **Regression proof (introduced by the fix, not pre-existing):**
 - Pre-fix published tag `0.8.1+3.5.0`: lint R011 = ✅ — old `compose.yml` had `sidekiq:` WITH
  `image: bitnamilegacy/discourse:3.5.0`, so the smtpauth `sidekiq` override merged onto a real image.
 - Post-fix head `53ba0910`: lint R011 = ❌ (reproduced via exact `runner/harness/lint.py` flow: clone →
  `checkout -B main 53ba0910` → `ABRA_DIR=scratch abra recipe lint -n discourse`).
 - `grep -l sidekiq ~/.abra/recipes/discourse/compose*.yml` @head → ONLY `compose.smtpauth.yml`.
 **Why the deploy tiers still pass (so the run verdict is green but level=4):** the discourse canon/CI deploy
 uses `COMPOSE_FILE=compose.yml:compose.ccci.yml` (per recipe_meta EXTRA_ENV) — it does NOT include
 compose.smtpauth.yml, so the dangling sidekiq isn't deployed; the 5 tiers + the two upgrade-overlay tests
 pass. The lint rung (globs all compose files) is what surfaces it. Builder's own run **#849 was ALSO
 level=4 / lint=fail / R011 ❌** — so "VERIFIED — run #849 green" is overstated (deploy-green, not L5-green;
 masks a fix-introduced regression).
 **Repro:**
 ```
 cd ~/.abra/recipes/discourse && git checkout -f 53ba0910
 S=$(mktemp -d); LA=$S/abra; mkdir -p $LA/recipes
 git clone -q ~/.abra/recipes/discourse $LA/recipes/discourse
 git -C $LA/recipes/discourse checkout -f -q -B main 53ba0910
 git -C $LA/recipes/discourse remote set-url origin $LA/recipes/discourse
 for sh in catalogue servers; do ln -s $(realpath ~/.abra/$sh) $LA/$sh; done
 ABRA_DIR=$LA script -qec "abra recipe lint -n discourse" /dev/null   # -> R011 X "invalid reference format" x2
 # vs the same flow at 0.8.1+3.5.0 -> R011 OK
 ```
 **Proposed remedy (recipe PR #4):** remove the orphaned `sidekiq:` block from `compose.smtpauth.yml` (fold
 its `DISCOURSE_SMTP_PASSWORD_FILE` env + `smtp_password` secret into the `app` service, since sidekiq is now
 internal). Re-run discourse cold -> EXPECT R011 OK, level=5. Only the Adversary closes this, after re-test.
--- a/machine-docs/BACKLOG-regall.md
+++ b/machine-docs/BACKLOG-regall.md
@ -0,0 +1,107 @@
 # BACKLOG — phase `regall`
 ## Build backlog
 ### Batch 1 (DONE)
 - [x] B1a: drone PR#1 → Drone 726 → L5 ✓
 - [x] B1b: gitea PR#1 → Drone 727 → L5 ✓
 - [x] B1c: matrix-synapse PR#4 → Drone 725 → L5 ✓
 ### Batch 2 (DONE)
 - [x] B2a: mumble PR#1 → Drone 732 → L5 ✓
 - [x] B2b: lasuite-meet PR#7 → Drone 730 → L5 ✓
 - [x] B2c: n8n PR#6 → Drone 731 → L5 ✓
 ### Batch 3 (DONE)
 - [x] B3a: custom-html PR#5 → Drone 737 → L5 ✓
 - [x] B3b: mattermost-lts PR#2 → Drone 739 → L5 ✓
 - [x] B3c: mailu PR#4 → Drone 738 → L5 ✓
 ### Batch 4 (DONE)
 - [x] B4a: ghost PR#6 → Drone 744 → L5 ✓
 - [x] B4b: immich PR#3 → Drone 745 → L5 ✓
 - [x] B4c: lasuite-docs PR#6 → Drone 743 → L5 ✓
 ### Batch 5 (DONE)
 - [x] B5a: lasuite-drive PR#3 → Drone 749 → L5 ✓
 - [x] B5b: plausible PR#3 → Drone 758 → L5 ✓ (genuine upgrade; recipe bug in PR#4 no-op)
 - [x] B5c: uptime-kuma PR#4 → Drone 748 → L5 ✓
 ### Batch 6 (DONE)
 - [x] B6a: custom-html-tiny PR#8 → Drone 752 → L5 ✓
 - [x] B6b: bluesky-pds PR#3 → Drone 753 → L5 ✓
 ### Post-sweep (DONE)
 - [x] B7: Results table built — all 21 GREEN, 0 prevb regressions (see STATUS-regall.md)
 - [x] B8: No prevb-caused regressions to fix
 - [x] B9: N/A (no fixes needed)
 - [x] B10: M1 CLAIMED — 2026-06-17T04:45Z
 - [x] B11: M2 CLAIMED — 2026-06-17T04:45Z
 ## Adversary findings
 ### A-regall-2 [adversary] OPEN @2026-06-17T03:25Z — plausible backup_restore=fail; classify prevb regression or flake
 **Filed:** 2026-06-17T03:25Z
 **Severity:** MEDIUM — backup_restore failure drops plausible from baseline L5 to L2. Blocks M1 classification.
 **Run:** 750 (Drone 750, PR#4). Result: level=2, backup_restore=fail.
 **Baseline:** run 658, level=5, backup_restore=pass.
 **Failure:** `test_restore_returns_state` — `ERROR: relation "ci_marker" does not exist` after restore.
 - Backup test passed (only checks artifact file exists, 0.134s — does NOT verify ci_marker content)
 - Restore completes (test_restore_healthy passes), but ci_marker table absent from DB
 **Prevb-specific difference:**
 - Run 750 upgrade: `version=3.0.1+v2.0.0→3.0.1+v2.0.0` (NO-OP: UPGRADE_BASE_VERSION='3.0.1+v2.0.0' matches recipe.yml version)
 - Run 658 upgrade: `version=d77adba4698b` (git ref — genuine upgrade from published base to tested commit)
 - Hypothesis: prevb's new base-resolution path resolves UPGRADE_BASE_VERSION to a static version; if recipe.yml also pins that same version, the upgrade is a no-op, which may change the DB state sequence enough to break backup/restore
 - Same failure pattern in m2r-plausible and m2rr-plausible (prevb development runs) — both level=2, backup_restore=fail
 **Builder rerun:** Drone 754 — **ALSO FAILED** (same error, same level=2, backup_restore=fail).
 **Adversary verdict: GENUINE REGRESSION (2/2 runs failed) — NOT a flake.**
 Both runs 750 and 754:
 - `version=3.0.1+v2.0.0→3.0.1+v2.0.0` (no-op upgrade via UPGRADE_BASE_VERSION)
 - `ERROR: relation "ci_marker" does not exist` after restore
 - Backup test passes (artifact only, not content)
 - Restore test fails
 **Required:** Builder must diagnose the no-op upgrade path and either:
 (a) Fix the backup/restore to work correctly under same-version upgrades, OR
 (b) Update UPGRADE_BASE_VERSION to an older version so upgrade is genuine, OR
 (c) Document why plausible backup_restore is not feasible and mark as known-fail
 Builder-INBOX written @2026-06-17T03:30Z with full details.
 **CLOSED @2026-06-17T03:45Z:** Builder diagnosis accepted. Run 758 (PR#3, d77adba4698b) → L5, backup_restore=pass. Pre-existing recipe bug in 3.0.1+v2.0.0, NOT prevb regression. Plausible counts as L5 GREEN in regall sweep.
 ---
 ### A-regall-1 [adversary] CLOSED @2026-06-17T02:20Z — mailu baseline table corrected
 **CLOSED:** Builder corrected STATUS-regall.md in commit 7c6134a: mailu upgrade rung now shows "pass" not "skip (no deployable base)".
 ~~### A-regall-1 [adversary] OPEN — mailu baseline table has incorrect upgrade rung~~
 **Filed:** 2026-06-17T02:10Z
 **Severity:** LOW (informational — does not block the sweep, but affects regression classification)
 **Discrepancy:** STATUS-regall.md baseline table shows mailu upgrade rung = "skip (no deployable base)".
 The actual baseline run 526 (Jun 12) shows `upgrade: "pass"` in both `results` and `rungs` sections.
 **Evidence (cold-verified from /var/lib/cc-ci-runs/526/results.json):**
 ```
 "results": { ..., "upgrade": "pass", ... }
 "rungs": { ..., "upgrade": "pass", "backup_restore": "skip", ... }
 ```
 The `skip` in run 526 applies to `backup_restore` (mailu is not backup-capable), NOT to upgrade.
 **Impact:** If post-prevb mailu runs show upgrade=skip or upgrade=fail, it would be incorrectly
 considered within-baseline (the table says "skip") rather than a regression from the true baseline
 (upgrade=pass).
 **Required correction:** STATUS-regall.md should read: `mailu | 5 | pass | 526` for the upgrade rung.
 **Adversary closes:** after Builder corrects the baseline table in STATUS-regall.md.
--- a/machine-docs/BACKLOG-samever.md
+++ b/machine-docs/BACKLOG-samever.md
@ -0,0 +1,25 @@
 # BACKLOG — phase `samever`
 ## Build backlog
 - [x] **M1** — resolver reads head version; step-back chain; unit tests. (CLAIMED 2026-06-17)
  - [x] `abra.head_compose_version(recipe)` — parse `coop-cloud.<stack>.version` from head compose.yml
  - [x] `warm_reconcile.version_key` + `newest_older_version` — single coop-cloud ordering source
  - [x] resolver chain: override → (canonical if ≠ head) → (newest-older if canonical==head) → main-tip → skip
  - [x] unit tests extended (13 pass): step-back, canonical≠head unchanged, no-older→skip, ordering, None-head
 - [ ] **M2** — prove in real CI: nightly steady-state (canonical==latest) cold-on-latest steps back
  (base_version < latest); PR form (non-version-bump PR, head==canonical); discourse #4 version-bump
  UNAFFECTED; spot-check ≥1 other enrolled recipe. Awaiting M1 PASS before starting real-CI runs.
 ## M2 execution log (live)
 - Run A (custom-html cold-on-latest, /root/samever-runA.log on cc-ci): launched 04:3xZ. No canonical
  yet → upgrade base kind=skip (head==main tip); on green promotes canonical→latest 1.13.0+1.31.1.
 - Run B (next): cold-on-latest again → canonical==head → expect step-back base 1.11.0+1.29.0 (<latest).
 ### M2 result — CLAIMED 2026-06-17T04:55Z (all 5 demonstrations green)
 - [x] Run B nightly steady-state step-back: custom-html canonical==head 1.13.0 → base 1.11.0+1.29.0,
  upgrade 1.11.0→1.13.0 (base<head real delta), 5 tiers green. [§5 DoD]
 - [x] Run C version-bump UNAFFECTED (enrolled): canonical older 1.11.0 → head 1.13.0, "last-green" path.
 - [x] Run D PR form: ref=2b82ebab pr=999, head==canonical → step-back still triggers.
 - [x] discourse #4 UNAFFECTED: kind=ref main-tip f87c612d, migration 0.8.1→1.0.0 green. [§5 DoD]
 - [x] Spot-check hedgedoc: step-back 3.0.9→3.0.10 generalizes to a 2nd recipe/tag-set, green.
--- a/machine-docs/BACKLOG-settings.md
+++ b/machine-docs/BACKLOG-settings.md
@ -0,0 +1,24 @@
 # BACKLOG — phase `settings`
 ## Build backlog
 - [x] **B1** — `harness/settings.py`: stdlib `tomllib` loader, `[upgrade].skip_canonicals_for_upgrade`
  (bool, default false), `_SCHEMA` single-source defaults+validation, graceful on absent/malformed,
  warn-and-ignore unknown keys/tables, raise on wrong type. Path `$CCCI_SETTINGS` / `/etc/cc-ci/settings.toml`.
 - [x] **B2** — tracked `settings.toml.example` documenting keys + defaults (no secrets).
 - [x] **B3** — wire `SKIP_CANONICALS_FOR_UPGRADE` into `resolve_upgrade_base` (`run_recipe_ci.py`):
  flag true → bypass canonical lookup → no-canonical fallback. Scope = upgrade base only.
 - [x] **B4** — improved no-canonical fallback `_no_canonical_base` (§2.C): newest release tag `< head`
  (reuse `warm_reconcile.newest_older_version`) → main-tip → skip. Always-on.
 - [x] **B5** — unit tests: full resolution matrix (`tests/unit/test_upgrade_base.py`) + loader
  (`tests/unit/test_settings.py`). 315 unit pass, lint clean.
 - [x] **B6 (M1 claim)** — clean tree, push, claim M1 in STATUS-settings.md.
 ### M2 (after M1 PASS)
 - [x] **B7** — deploy to cc-ci (`/etc/cc-ci` git pull + nixos-rebuild if needed); confirm harness reads
  settings (absent → default false; or file present false).
 - [x] **B8** — live evidence (a): a recipe WITHOUT a canonical resolves base to newest release tag `< head`
  (not raw main-tip).
 - [x] **B9** — live evidence (b): flip `SKIP_CANONICALS_FOR_UPGRADE = true` (scratch) → a canonical-bearing
  recipe ALSO resolves to the release-tag base (canonical bypassed); then restore false.
 - [x] **B10 (M2 claim)** — claim M2; on fresh PASS of M1+M2 → `## DONE`.
--- a/machine-docs/BACKLOG-shot.md
+++ b/machine-docs/BACKLOG-shot.md
@ -0,0 +1,128 @@
 # BACKLOG-shot.md — phase `shot` (recipe screenshot audit & repair)
 SSOT: /srv/cc-ci/cc-ci-plan/plan-phase-shot-screenshots.md. Gates: M1 (audit+diagnosis), M2 (all OK / agreed N/A).
 ## Build backlog
 ### P1 — Audit matrix (status: complete, all 19 PNGs visually inspected 2026-06-11)
 Enrolled set (19) = `tests/<r>/recipe_meta.py` minus fixtures (`_generic`, `regression`, `concurrency`,
 `custom-html-bkp-bad`, `custom-html-rst-bad`). Evidence: `/var/lib/cc-ci-runs/<run>/` on cc-ci;
 PNGs pulled to /tmp/shot-audit/ on the builder host and each one Read (visually).
 | recipe | latest run w/ artifacts | screenshot field | PNG bytes | visual content (I looked) | class |
 |---|---|---|---|---|---|
 | bluesky-pds | ab-bluesky-pds-oldmain | null | — | no PNG; install=fail level=0 (upstream image breakage, rcust DEFERRED) → capture correctly skipped (`if deploy_ok`) | N-A-candidate (blocked upstream) |
 | cryptpad | m2r-cryptpad | screenshot.png | 4802 | solid light-grey frame, nothing else | BLANK |
 | custom-html | m2r-custom-html | screenshot.png | 35707 | "Welcome to nginx!" default page | OK? (diagnose: is this the recipe's true fresh-install content?) |
 | custom-html-tiny | m2r-custom-html-tiny | screenshot.png | 12950 | seeded CI content ("cc-ci custom-html-tiny … DG5") | OK |
 | discourse | m2p-discourse | screenshot.png | 66121 | real forum UI, welcome topic, Sign Up/Log In | OK |
 | ghost | m2r-ghost | screenshot.png | 444183 | real blog landing ("Thoughts, stories and ideas") | OK |
 | hedgedoc | m2r-hedgedoc | screenshot.png | 131967 | real landing (logo, Sign In, feature intro) | OK |
 | immich | 356 | screenshot.png | 4801 | pure white frame | BLANK |
 | keycloak | m2r-keycloak | screenshot.png | 8764 | spinner + "Loading the Administration Console" | LOADING |
 | lasuite-docs | m2r-lasuite-docs | screenshot.png | 6022 | lone spinner on white | LOADING |
 | lasuite-drive | m2p2-lasuite-drive | screenshot.png | 5895 | lone spinner on white | LOADING |
 | lasuite-meet | m2r-lasuite-meet | screenshot.png | 4801 | pure white frame | BLANK |
 | mailu | m2r-mailu | screenshot.png | 33800 | real sign-in page (empty fields) | OK |
 | matrix-synapse | m2r-matrix-synapse | screenshot.png | 33296 | "It works! Synapse is running" landing | OK |
 | mattermost-lts | m2b-mattermost-lts | screenshot.png | 242139 | brand splash/loading screen (logo on blue), NOT the login form | LOADING (borderline — brand-recognizable but a loading state) |
 | mumble | m2r-mumble | screenshot.png | 7913 | spinner on grey — a web page IS served on the domain | LOADING (diagnose what serves it; N/A may NOT be justified) |
 | n8n | m2r-n8n | screenshot.png | 4801 | off-white blank frame. Flaky: run 197 (30256 B) shows the real "Set up owner account" form (empty fields, credential-free) | BLANK (flaky) |
 | plausible | 357 | null | — | no PNG on ANY run (122→357) | NULL |
 | uptime-kuma | m2r-uptime-kuma | screenshot.png | 30858 | real "Create your admin account" setup form (empty fields) | OK |
 PNG-size note: 4801/4802 B at 1280×800 is a byte-stable blank-frame fingerprint (3 different apps, same size).
 ### P2 — Root-cause diagnoses
 - [x] **NULL — plausible** (evidence: Drone build 357 ci-step log, t=73s):
  `screenshot: capture failed (non-fatal, verdict unaffected): page.goto(https://plau-b51425.ci.commoninternet.net/) never returned a status in (200, 301, 302, 303, 401, 403) after 15 attempts (45s); last status=500`.
  Plausible's `/` 500s **by design** under `DISABLE_AUTH=true` (auth_controller; documented in
  `tests/plausible/functional/test_health_check.py` docstring and recipe_meta — that's why HEALTH_PATH
  is `/api/health`). Default landing-page capture can NEVER succeed → needs a per-recipe SCREENSHOT
  hook to a path that actually renders (probe live: e.g. /login or /sites).
 - [x] **NULL — bluesky-pds**: install fails (level=0) before the app is up → `if deploy_ok:` gate in
  runner/run_recipe_ci.py:1024 correctly skips capture. Not a screenshot defect; upstream image
  breakage already filed in machine-docs/DEFERRED.md (rcust). → documented N/A while upstream is broken.
 - [x] **BLANK class — immich, lasuite-meet, n8n(flaky), cryptpad**: SPA paint race. capture() navigates
  with `wait_until="domcontentloaded"` (runner/harness/screenshot.py:91) and screenshots immediately;
  SPA shell HTML has loaded but JS hasn't painted → solid 4801-2 B frame. n8n flakiness = same race,
  sometimes JS wins (run 197 captured the real form).
 - [x] **LOADING class — keycloak, lasuite-docs, lasuite-drive, mumble, mattermost-lts(borderline)**:
  same race, caught mid-paint (spinner/splash rendered, app JS still loading/connecting).
 - [x] **mumble** web stack identified: recipe deploys a `web` service (mumble-web client) on the domain —
  spinner is its connecting state; landing renders a connect dialog once JS settles. NOT an N/A.
 - [x] **custom-html** nginx-welcome question: the recipe's fresh install genuinely serves the nginx
  default page at `/` (no content seeded for this recipe's install; only custom-html-tiny seeds via
  install_steps.sh). Screenshot is an honest representative view of a fresh install. → OK as-is.
 ### P3 — Fixes (all merged to main)
 - [x] Harness default improvement (ce50f64 + A1 hardening 7ad7d1f): bounded networkidle settle
  (10s) + 0.5s render grace after domcontentloaded; blank/spinner-frame detect (<10000 B) → ONE
  retry with 4s settle, larger frame kept (A1). Wait budget 45+10+0.5+4+0.5 = 60s, unit-tested.
  8 new unit tests; 207 pass; lint PASS.
 - [x] plausible — NOT a hook in the end: the real root cause was EXTRA_ENV SECRET_KEY_BASE being
  62 chars (<64-byte Phoenix cookie-store minimum) → every HTML render 500'd. Fixed to 68 chars
  (b98a471); default capture then lands the genuine registration page. Stale auth_controller
  comments corrected (no assertion touched).
 - [x] mattermost-lts SCREENSHOT hook (80e5713 + 3c33129): interstitial appears on ANY first-visit
  route incl /login (proven byte-identical PNG) → hook navigates /login, clicks "View in Browser"
  best-effort, settles; lands the real login form. First real hook; public screenshot.settle().
 - [x] keycloak / lasuite-docs / lasuite-drive / lasuite-meet / immich / cryptpad / n8n: fixed by
  the harness default alone (no hooks needed — proof PNGs below).
 - [x] mumble: NOT fixable harness-side — pinned mumble-web:0.5 client never paints UI for an
  anonymous browser (≥90s DOM/console/network observation: no errors, no failed requests,
  connect-dialog elements absent, no autoconnect overrides). Loader frame = the genuine anonymous
  web view; voice (the recipe's function) fully covered by protocol tests. DEFERRED.md entry filed
  (upstream question for the operator).
 - [x] bluesky-pds: documented N/A while upstream image broken (rcust DEFERRED; Adversary-agreed at
  M1, contingent re-check at M2 — latest failing evidence ab-bluesky-pds-oldmain, 2026-06-11).
 ### P4 — Proof runs (fresh, post-fix; every PNG visually Read by Builder)
 | recipe | proof run (dir on cc-ci) | level (baseline) | PNG B | visual |
 |---|---|---|---|---|
 | immich | 370 (drone !testme immich#2) | 4 (=356:4) | 234351 | real "Welcome to Immich" onboarding |
 | plausible | 371 (drone !testme plausible#3) | 4 (=357:4) | 64132 | real registration form, empty fields |
 | keycloak | shot-proof-keycloak | 4 | 215587 | real "Sign in to your account" form |
 | cryptpad | shot-proof-cryptpad | 4 | 57310 | real landing + document-type picker |
 | lasuite-meet | shot-proof-lasuite-meet | 4 | 225686 | real video-conferencing landing |
 | lasuite-docs | shot-proof-lasuite-docs | 4 | 284769 | real Docs landing |
 | lasuite-drive | shot-proof2-lasuite-drive | 4 | 132037 | real Drive landing |
 | n8n | shot-proof-n8n | 4 | 26433 | real "Set up owner account", empty fields (now deterministic) |
 | mattermost-lts | shot-proof3-mattermost-lts | 2 (=m2r:2) | 178367 | real "Log in to your account" form (hook v2) |
 | mumble | shot-proof-mumble | 4 | 7980 | loader frame — best-available (see P3/DEFERRED) |
 Drone durations pre/post (same recipe+PR): immich 199s→198s; plausible 209s→166s (faster — capture
 no longer burns 45s failing). Healthy class (ghost, hedgedoc, discourse, custom-html,
 custom-html-tiny, mailu, matrix-synapse, uptime-kuma): existing artifacts cited in P1 matrix, each
 visually verified real + credential-free; no new runs needed per plan §3 P4.
 Dashboard/card: grid thumbnails for runs 370/371 served 200, summary.html embeds screenshot.png,
 /badge/immich.svg 200.
 ## Adversary findings
 ### [adversary] A1 — blank-retry can REGRESS a larger frame to a worse one (LOW, non-blocking) — CLOSED @2026-06-11T06:32Z
 **CLOSED:** fixed in 7ad7d1f (retry snapped to a temp path; `os.replace` only if `retry >= first`,
 else discard + cleanup in `finally`). Re-verified COLD with my own probe (not the Builder's test):
 the exact filed case `[9999,4801]` now keeps **9999** (retry discarded, no temp leak); originals
 intact (`[4801,30256]`→30256, `[4801,4802]`→4802, `[35707]`→1 shot, `[5000,5000]`→replace). 5/5 pass.
 R7 contract preserved (retry-raise still propagates to capture's swallow → None; first frame on disk).
 --- original finding (for the record) ---
 **Where:** `runner/harness/screenshot.py` `_snap_with_blank_retry` (ce50f64).
 **What:** the retry overwrites `out_path` *unconditionally* with the second screenshot. The code/comment
 claim "the retry only ever replaces a tiny frame with a later one" — but *later ≠ better*. If the first
 frame is e.g. 9999 B (a partial render, just under `BLANK_SIZE_BYTES=10000`) and the page regresses in the
 extra 4 s settle (redirect, session-timeout splash, error overlay), the retry can yield a 4801 B blank that
 **overwrites the better 9999 B frame**. The Builder's unit test only covers blank→blank (4801→4802); the
 bigger→smaller regression is untested.
 **Repro (cold, my independent probe, not the Builder's test file):** fake page returning sizes
 `[9999, 4801]` → `_snap_with_blank_retry` keeps **4801** (the worse frame).
 **Severity:** LOW. R7 holds (cosmetic only, never affects verdict); my M2 per-PNG visual check is the
 backstop — any actually-blank final PNG will FAIL that recipe regardless. Filed for hardening, not a veto.
 **Suggested guard (trivial, strictly safer):** keep the larger frame — only overwrite if
 `getsize(retry) >= getsize(first)` (or snap retry to a temp path and pick `max`). Then extend the unit
 test with a bigger→smaller case asserting the larger frame survives.
 **Closes:** only I close this, after re-test. Non-blocking for an M2 claim, but I will re-check at M2.
--- a/machine-docs/DECISIONS.md
+++ b/machine-docs/DECISIONS.md
@ -4,6 +4,17 @@ Architecture decisions and dead-ends. One line of rationale each. (§0, §8)
 ## Settled
 - **nixos-rebuild submodule protocol — SETTLED (2026-06-13, phase pvfix).** The canonical nixos-rebuild command on the live host is `nixos-rebuild switch --flake "git+file:///root/builder-clone?submodules=1#cc-ci"`. The `path:` scheme does NOT support `?submodules=1` in this Nix version; `git+file://` does. Plain `nixos-rebuild switch --flake /root/builder-clone#cc-ci` fails with `secrets/secrets.yaml does not exist` because the git submodule is not included in the nix store copy.
 - **deploy-proxy health gate — SETTLED (2026-06-13, phase pxgate, supersedes pvfix workaround).** Changed the traefik health probe from `ci.commoninternet.net/` (dashboard, ordered After=deploy-proxy → circular on cold boot) to `traefik.ci.commoninternet.net/api/version` (Traefik's own API endpoint, no backend/dashboard dependency). A broken traefik still fails the gate (returns non-200 or times out), so rollback semantics are preserved. Controlled reproduction confirms: with dashboard scaled to 0, old probe returns 404, new probe returns 200. Cold-boot deadlock eliminated. DEFERRED item 2026-06-13 closed by this fix. (Old pvfix note about concurrent manual restart workaround is now superseded.)
 - **cfold deprecated-folder policy — SETTLED (2026-06-12, phase cfold).** `tests/<recipe>/custom/`
  is the canonical home for custom tests. Discovery keeps recognizing legacy `functional/` and
  `playwright/` subdirs for both cc-ci and approved repo-local tests as a temporary compatibility
  alias, but it emits a one-line warning to stderr whenever it discovers tests there. Rationale:
  the phase plan forbids silent coverage loss, and recipe repos outside this clone may still be on
  the old layout during the migration window.
 - **Wildcard TLS:** operator pre-issues wildcard cert at `/var/lib/ci-certs/live/`; Traefik file
  provider serves it; **no ACME** for commoninternet.net. (Plan §4.0/§8 — fixed.)
 - **Repo:** `git.autonomic.zone/recipe-maintainers/cc-ci`, private. Bot is org admin. (Bootstrap.)
@ -1283,3 +1294,318 @@ the commit), which is the correct SCM integration.
  environment; job is session-persistent (survives as long as Builder session runs). T0-refire
  verified: CronCreate test fire at 23:17Z → upgrader started, upgrader-cron.log created, status
  RUNNING. (2026-06-01)
 ## conc P3 (2026-06-10, Builder): install_steps.sh hooks resolve $ABRA_DIR — guardrail note
 P3 makes recipe working trees per-run ($ABRA_DIR/recipes). tests/{ghost,discourse}/install_steps.sh
 hard-coded `${HOME}/.abra/recipes/...` to copy their compose.ccci.yml overlay into the deploy tree;
 under per-run trees that path is the WRONG (canonical) tree, so the overlay would silently miss the
 deploy and both recipes' upgrade-tier base deploys would break. Fixed with ONE mechanical line per
 hook: `RECIPE_DIR="${ABRA_DIR:-${HOME}/.abra}/recipes/${CCCI_RECIPE}"` (identical resolution rule to
 the abra CLI and abra.recipe_dir()). No test assertion, gate, or overlay content was touched — the
 phase guardrail's "never touch tests/<recipe>/ content" is read as protecting test/gate SEMANTICS;
 this is required P3 fallout, equivalent to the harness-side path routing. Flagged here for the
 Adversary's gate-integrity review.
 ## Phase lvl5 — L5 lint rung + level semantics de-cap (SETTLED 2026-06-11, operator-specified)
 **The level formula (replaces the Phase-3 "N/A caps" stance).** Operator decision 2026-06-11
 (explicit Q&A, recorded verbatim in plan-phase-lvl5-lint-rung.md): with per-rung statuses
 {pass, fail, skip (intentional), unver (unintentional/not-verified)}:
    level = max i such that rung_i == "pass" and all j < i have status in {"pass","skip"}; else 0.
 A real FAIL blocks. An INTENTIONAL skip (the rung genuinely does not apply, from a declared or
 structural fact) is climbed past — this is the de-cap: a non-backup-capable recipe is no longer
 stuck at L2. An UNVERIFIED rung (should have run, wasn't checked) blocks exactly like a fail —
 this preserves the honest core of the old N/A-caps rule: never claim what wasn't checked. The
 words cap/capped/cap_reason are deleted from code, schema (results.json schema 2), card,
 dashboard, badge and docs; the per-rung table (✔/✘/intentional-skip/unverified) is the SOLE
 carrier of "why isn't the level higher". The big level badges (card corner, dashboard pill,
 /badge/<recipe>.svg) show ONLY number + colour (operator-specified). Old schema-1 artifacts are
 rendered as-is (their stored level, their 4-rung ladder) — no retroactive relabeling.
 **The ladder is now five rungs:** install(1) upgrade(2) backup_restore(3) functional(4)
 **lint(5) = `abra recipe lint` passes against the exact ref under test** (PR head on PR builds).
 Lint is a LEVEL RUNG, not a run gate: no lint outcome ever changes the run verdict.
 **N/A classification table (derive_rungs, results.py — every N/A source, Adversary-reviewed).
 Default for anything unclassifiable: UNVER (conservative).**
 | rung | source of non-pass/fail | class | status |
 |---|---|---|---|
 | install | tier skipped / missing (any reason — install always applies) | unintentional | unver |
 | upgrade | tier skipped by orchestrator AND no upgrade target (`prev is None`: only one published version — structural) | intentional | skip |
 | upgrade | declared `EXPECTED_NA["upgrade"]` (tier not pass/fail) | intentional | skip |
 | upgrade | tier skipped though a target exists (install failed → downstream abort), or tier missing (CCCI_STAGES dev escape) | unintentional | unver |
 | backup_restore | not backup-capable (no backupbot labels / `BACKUP_CAPABLE=False` — structural/declared) | intentional | skip |
 | backup_restore | declared `EXPECTED_NA["backup_restore"]` (tiers not pass/fail) | intentional | skip |
 | backup_restore | backup-capable but either tier did not produce pass/fail (abort, partial run) | unintentional | unver |
 | functional | declared `EXPECTED_NA["functional"]` (no custom tests / tier skipped) | intentional | skip |
 | functional | no custom tests / tier skipped, undeclared — absent functional coverage is a GAP, not a property | unintentional | unver |
 | lint | executor could not produce pass/fail (timeout, abra/script missing, env FATA, unparseable output) — NO escape hatch, `EXPECTED_NA["lint"]` is ignored | unintentional | unver |
 EXPECTED_NA never overrides an exercised rung: pass/fail always stand.
 **Lint executor mirror-context decision (plan-phase-lvl5 §2.3).** Probed on cc-ci 2026-06-11
 (JOURNAL-lvl5): (a) abra lint globs every `compose*.yml` in the recipe tree, so the CI's
 untracked install_steps overlays (e.g. compose.ccci.yml) FATA it — harness artifact; (b) abra
 lint force-fetches tags from `origin`, so a PR run's private-mirror origin (token never written
 to .git/config) FATAs "unable to fetch tags" — harness artifact; (c) `abra recipe lint` exits
 non-zero ONLY on FATA — rule verdicts live in its table (error-severity ❌ rows + a trailing
 "WARN critical errors present" sentinel, rc still 0). Decision: the executor (harness/lint.py)
 lints a PRISTINE SCRATCH CLONE of the per-run recipe tree checked out at the exact tested sha —
 origin becomes a local path (offline tag fetch, no auth) and the run's true tag set rides along
 (fetch_recipe already fetches the canonical upstream version tags into the per-run tree, so
 R014 evaluates the recipe's real tags). **No lint rule is filtered or ignored** — the
 plumbing pollution is solved by context, not by exemptions. Classifier: fail iff an
 error-severity rule is unsatisfied (or the FATA is content-attributable: "unable to validate
 recipe"); pass iff the table rendered clean; anything else unver + loud log. Hard 60s budget
 (observed ~0.7s); executor runs before the tiers (tree at tested ref), double-wrapped, R7
 verdict-neutral. Full output → run artifact `lint.txt` (dashboard-served); status + failing
 rule ids → results.json `lint`.
 **bluesky-pds re-pin decision (phase bsky, 2026-06-11).** The recipe pinned the moving tag
 `ghcr.io/bluesky-social/pds:0.4`, which upstream now republishes with main-branch builds
 (currently @atproto/pds 0.5.1, Node 24, `/app/index.ts` — no `index.js`), breaking the
 recipe's entrypoint override (`exec node --enable-source-maps index.js`). Fix: pin the
 newest RELEASED exact tag `0.4.219` (Node 20.20, `/app/index.js`, CMD identical to the
 recipe's exec line — entrypoint stays valid unchanged) and bump the version label
 `0.2.0+v0.4` → `0.3.0+v0.4.219` (minor bump for an upstream pin change, immich-PR#2
 precedent). REJECTED: tracking 0.5.1 (only exists as moving/sha- tags built from main —
 no release tag; would also require entrypoint `index.ts` migration against an unreleased
 version); digest-suffix pinning (abra survey/upgrade tooling chokes on tag@digest — see
 immich standing note). When upstream cuts real 0.5.x release tags, upgrade properly
 (entrypoint will then need the index.ts/Node-24 migration — recorded in
 cc-ci-plan/upstream/bluesky-pds.md). Never re-pin to `:0.4`/`latest`/minor tags.
 **EXPECTED_NA["upgrade"] suppresses the upgrade-tier base deploy (phase bsky, 2026-06-11).**
 The deploy-once design deploys the upgrade BASE (previous published version) and only the
 upgrade tier chaos-redeploys the PR head — so a recipe whose published versions ALL became
 undeployable (bluesky-pds: every tag pins moving `ghcr.io/bluesky-social/pds:0.4`, which
 upstream republished with incompatible main builds) fails INSTALL at the base before the PR
 head is ever exercised, and no UPGRADE_BASE_VERSION value can help (it must be a published
 tag — they're all broken). Decision: declaring the upgrade rung in EXPECTED_NA (the existing
 intentional-skip mechanism) now ALSO makes upgrade_base() return None → the single deploy is
 the PR head itself; the upgrade tier records "skip"; derive_rungs classifies it as the
 DECLARED intentional skip with the recipe's reason (results.json skips.intentional). NOT a
 gate weakening: the rung is never reported pass, the skip + reason are fully visible, and the
 declaration is evidence-backed in the recipe_meta comment + upstream registry; it is the only
 way to exercise a PR at all for a recipe in this state. Re-enable path documented per-recipe
 (bluesky: drop EXPECTED_NA + set UPGRADE_BASE_VERSION="0.3.0+v0.4.219" once merged+published).
 Locked by tests/unit/test_upgrade_base.py.
 ## 2026-06-11 — uptime-kuma: Playwright (option b) for monitor-wizard test (phase kuma)
 **Decision:** use Playwright (option b from plan-phase-kuma-monitor.md §1) to implement
 the `tests/uptime-kuma/playwright/test_monitor_wizard.py` test.
 **Why not python-socketio (option a):** python-socketio is NOT installed in the cc-ci
 Nix Python environment (site-packages has playwright + pytest only; no socketio wheel).
 Adding it would require modifying `nix/cc-ci.nix` and running `nixos-rebuild switch` on
 cc-ci — extra Nix overhead when Playwright already handles Socket.IO transparently through
 the real browser. The option (a) benefit (speed, headless) is outweighed by the absence of
 the package.
 **Why Playwright works here:** uptime-kuma 2.2.1 has stable `data-cy` attributes on the
 setup form and `data-testid` attributes on the monitor form + status badge — confirmed
 present in the compiled bundle (`dist/assets/index-D_mnxLA0.js`). These are the canonical
 Cypress/testing selectors; they do not change without an intentional test-attribute removal.
 The Playwright flow is deterministic: wizard → `/add` form → `/dashboard/:id` detail page.
 **Runtime implication:** Playwright adds ~5–10 s overhead vs a headless socketio client,
 but stays well within the ≤90 s budget. Acceptable.
 ## Phase gtea — gitea full-test enrollment
 - **Gitea dep-vs-recipe-under-test LFS split — SETTLED (2026-06-15, phase gtea).** The `EXTRA_ENV`
  callable in `tests/gitea/recipe_meta.py` guards LFS-overlay activation with TWO conditions: (1)
  `compose.lfs.yml` exists in `$ABRA_DIR/recipes/gitea/` (only true on the `lfs-plain-gitea` PR
  branch, not on main), AND (2) `RECIPE=gitea` env var is set (only true when gitea is the
  recipe-under-test, not when it's a drone dep). Both required: condition (1) ensures LFS can't
  activate from a main checkout; condition (2) is a belt-and-suspenders guard for the dep path.
  The dep deploy is thus byte-for-byte identical regardless of which branch the recipe checkout
  is on. Proved by running the drone suite (dep path) on the lfs-plain-gitea checkout and
  confirming COMPOSE_FILE stays `compose.yml:compose.sqlite3.yml`.
 - **Gitea admin user management — SETTLED (2026-06-15, phase gtea).** Gitea has no default admin
  user after `abra app deploy`. `ops.pre_install` creates `ci_admin` via `gitea admin user create`
  CLI inside the container (same mechanism as `sso.setup_gitea_oauth` for drone dep), stores the
  generated password at `/tmp/ccci-gitea-admin-<domain>.json` (mode 600). All subsequent
  `pre_<op>` hooks read from this file. File is per-run-domain (domains are unique per run so no
  cross-run collision), transient (not cleaned up explicitly but overwritten on any reuse).
 - **Gitea data-integrity marker — SETTLED (2026-06-15, phase gtea).** Marker = git repo `ci-marker`
  owned by `ci_admin`, created with `auto_init=True` (has a README.md initial commit). API-based
  (same model as keycloak realm marker). Idempotent creation (409 = already exists → OK).
  `pre_restore` deletes it to create a genuine divergence from backup state; `test_restore` asserts
  its return. The sqlite3 DB is the persistence layer being tested.
 - **Dynamic upgrade base — SETTLED (2026-06-17, phase prevb).** The upgrade tier's BASE version is
  resolved at run time, replacing the static `previous_version(vers[-2])` default. Resolution order:
  (1) **last-green** = the warm-canonical registry record (`canonical.read_registry(recipe).version`,
  status warm/idle) when present; (2) fallback **target-branch (`main`) tip** = the recipe repo's
  `main` HEAD (a git ref, chaos-deployed) — the true predecessor the PR merges onto; (3) **else skip**
  the upgrade tier with a declared reason (new recipe / no predecessor / head==main). EXPECTED_NA[upgrade]
  and `upgrade∉stages` still short-circuit to skip first. `UPGRADE_BASE_VERSION` is RETAINED as an
  optional explicit override (wins when set) for the rare PR-adds-version-above-newest-tag case, but is
  no longer the default and is removed from discourse. This intentionally changes every recipe's default
  base from `vers[-2]` to last-green/main-tip (plan-mandated; M2 spot-check validates non-regression).
 - **Per-recipe `previous/` overlay — SETTLED (2026-06-17, phase prevb).** `tests/<recipe>/previous/`
  optionally holds the minimal config to deploy the *previous (last-green) version* when it can't deploy
  as-published (e.g. `compose.previous.yml` for an image relocation). It declares the version it targets
  (a `previous/VERSION` marker line) and the harness applies it **only to the base deploy and only when
  the resolved base is that exact published version**; it is NEVER applied to the PR head, and on a
  main-tip base or version mismatch it is SKIPPED and flagged stale ("previous/ targets X, base is Y —
  remove it"). The all-deploys `compose.ccci.yml` overlay is now ENVIRONMENTAL-only (node-reality tweaks,
  no version-specific image pins or service add/drop); version-specific repairs live in `previous/`.
  Discourse ships NO `previous/` (base bitnamilegacy:3.5.0 deploys clean).
 ## Phase canon (2026-06-17) — canonical sweep made real
 - **Tagged-promote gate (§2.A).** A canonical only ever advances to a PUBLISHED RELEASE TAG.
  `should_promote_canonical` requires `tagged` (computed by the caller via
  `warm_reconcile.is_released_version(recipe, head_version)`); `promote_canonical` records the TESTED
  `head_version` (the release version actually exercised), NOT a re-derived `latest_version(recipe_tags)`
  — these can diverge in a manual `RECIPE=<r>` run whose `main` sits on a tag older than the newest
  published tag. An untagged `main` commit never becomes a canonical.
 - **New-release-tag trigger (§2.D).** The weekly sweep tests a recipe only when its latest release tag
  is newer (by `warm_reconcile.version_key`) than its canonical version — NOT on new commits. No new
  tag → SKIP (even if `main` has untagged commits). This gives the run-twice determinism no-op and
  makes the sweep orthogonal to `samever` (version-under-test always > canonical → no same-version
  step-back in the sweep).
 - **Mirror-sync is a VENDORED `scripts/recipe-mirror-sync.sh`, not the nix-store
  recipe-upgrade/open-recipe-pr.sh.** Rationale: open-recipe-pr.sh assumes the recipe clone's `origin`
  IS coopcloud upstream, but cc-ci's abra recipe clones have inconsistent remotes (origin is variously
  the mirror / coopcloud / absent). The vendored script pins an explicit coopcloud `upstream` remote
  by recipe name, syncs main+TAGS (canon's trigger needs upstream tags), closes only merged-upstream
  PRs, leaves unrelated PRs, and authes via the bot gitea token (self-contained, reproducible — a
  systemd service must not depend on a per-skill-version nix-store path). Behaviour matches the phase's
  described `--reconcile-only`: faithful mirror sync, never our own changes.
 - **Hollow-sweep root cause + fix.** The deployed timer ran the nix-STORE runner copy (no `tests/`),
  so `enrolled_recipes()` resolved `TESTS_DIR` to a missing dir → `[]` → no-op. Fix: the sweep runs
  from `$CCCI_REPO=/etc/cc-ci` (has runner/ AND tests/); deploys `git -C /etc/cc-ci pull` +
  nixos-rebuild. Sweep-logic now ships via a checkout pull (no store rebuild needed for logic-only).
 - **All 21 used-recipes enrolled (§2.B); cadence weekly (§2.F).** The enroll set is exactly
  `cc-ci-plan/used-recipes.md`; test fixtures stay unenrolled.
 ## Phase canon (2026-06-17) — enrollment exception: keycloak
 **keycloak is NOT enrolled as a data-warm canonical (WARM_CANONICAL=False), by exception (§2.B).**
 keycloak is the project's LIVE-WARM OIDC dep provider: an always-on shared service at
 `warm-keycloak.ci.commoninternet.net` (warm_reconcile SPECS["keycloak"]) that lasuite-docs/-drive/
 -meet and drone consume for SSO. A data-warm canonical uses that SAME stable warm domain, so the
 sweep's promote (deploy/teardown at warm-keycloak) would collide with — and could disrupt — the live
 provider. keycloak is instead kept at latest by the sweep's **roll_warm_infra** step (the health-gated
 warm/infra reconciler, WC1.1, run before the per-recipe loop), so it has full coverage without a
 data-warm canonical. Verified live: a sweep keycloak-promote attempt FAILed cleanly (recipe compose
 mismatch) and left the running live keycloak healthy (200 on /realms/master) — no disruption — but the
 collision is structural, so keycloak is de-enrolled rather than relying on the promote failing safely.
 ## Phase canon (2026-06-17) — recipe RED exceptions (canonical not promoted; left intact)
 These enrolled recipes did NOT get a canonical in the authoritative sweep. Each is a genuine
 recipe/upstream issue, NOT a canon-machinery defect — recorded per §2.B/guardrail ("a red test is
 information; never weaken a test to make a recipe promote"). The sweep correctly left each intact.
 - **discourse — UPSTREAM compose defect at the latest release `0.8.1+3.5.0`.** The base recipe
  compose.yml (`git show 0.8.1+3.5.0:compose.yml`) declares `sidekiq.depends_on: [discourse]` but the
  main service is named `app` (not `discourse`) → `abra app deploy` FATAs "service sidekiq depends on
  undefined service discourse: invalid compose project". This is upstream coop-cloud/discourse's bug,
  not cc-ci's overlay (tests/discourse/compose.ccci.yml does not add that dependency). Cold deploy
  cannot converge → red → canonical unchanged. (Re-enroll-able once upstream fixes the 0.8.1 compose.)
 - **mattermost-lts — recipe test red at latest.** `tests/mattermost-lts/test_restore.py::
  test_restore_returns_state` FAILED on the latest release's cold run. The test is UNMODIFIED this
  phase (last touched in phase "2": 012a477/80ad0a9) — a real restore-state failure, not weakened.
 - **mumble — recipe test red at latest.** `tests/mumble/custom/test_protocol_handshake.py::
  test_handshake_completes_with_channel_presence` FAILED on the latest release's cold run. Test
  UNMODIFIED this phase (last touched in phase "cfold": 44e0242) — a real voice-handshake failure.
 - **bluesky-pds — warm-domain routing (recipe-specific).** Cold test GREEN, but the warm-canonical
  promote deploy never becomes healthy over HTTPS (`/xrpc/_health` → 000) even though the PDS
  container is healthy internally (200 on localhost:3000) — traefik does not route the caddy-fronted
  warm domain. This is bluesky-specific (the cold-test domain routes fine; the other 15 promoted
  recipes all answer 200 over HTTPS on their warm domains), NOT the promote machinery. canonical not
  written (correct — never promote an unhealthy state).
 ## Phase canon (2026-06-17) — gitea 3.6.0 warm-ADVANCE exception + determinism framing
 - **gitea: canonical valid at 3.5.3+1.24.2-rootless; the 3.5.3→3.6.0 ADVANCE does not promote (recipe
  issue, not machinery).** The new-release-tag trigger correctly fires (RUN on 3.6.0 > canonical
  3.5.3) and the cold test is green, but the warm-canonical in-place advance deploy of gitea 3.6.0
  CRASH-LOOPS: `LoadCommonSettings() [F] ... error saving JWT Secret ... failed to save
  "/etc/gitea/app.ini": open ... read-only file system` (gitea 3.6.0 tries to persist a JWT secret to
  a read-only app.ini). This is a gitea-3.6.0 / rootless-config recipe issue (the cold FRESH 3.5.3→3.6.0
  upgrade passes; the warm reattach-advance crashes at config-load before any DB migration, so the
  3.5.3 volume stays intact). gitea keeps its known-good 3.5.3 canonical (correct — never promote an
  unhealthy state). The ADVANCE PATH ITSELF is proven working independently via a constructed
  custom-html older→new advance (see M2.6 evidence) — so this is gitea-specific, not the promote
  machinery.
 - **Determinism (M2.3) framing.** The run-twice no-op holds for every recipe whose canonical is AT its
  latest release: a 2nd immediate sweep SKIPs them (no CI rerun). Recipes that legitimately lack a
  latest-canonical correctly RE-RUN, which is the intended behaviour, not a determinism violation:
  (a) genuine reds (discourse/mattermost/mumble) + bluesky (warm-routing) — no known-good to protect;
  (b) gitea — a new release (3.6.0) exists that cannot yet promote for the recipe reason above, so the
  sweep keeps offering to advance it (correct: it should retry in case the recipe is fixed). No
  promoted-at-latest recipe is ever needlessly re-tested. "Skip every recipe" is the all-promoted ideal;
  the demonstrated property is "no promoted-at-latest recipe re-runs", which is the operative no-op.
 ## Phase canon (2026-06-17) — warm-volume disk budget (§2.B / M2.7)
 All-enrolled is sustainable on the single node; the warm-volume budget is NOT the binding constraint,
 so the fallback (decouple version-record from retained volume) is NOT needed. Measured 2026-06-17 (read
 -only, `ssh cc-ci`):
 - Root fs `/`: 150G total, 107G used, **38G free, 74% used**.
 - `du -sh /var/lib/ci-warm` (registry metadata + small content) = **1.1G**; largest per-recipe dir
  `immich` 307M, `ghost` 208M, `plausible` 114M; most <50M.
 - `docker system df`: Local Volumes 47 total, **2.024GB**, 929MB (45%) reclaimable; ~50 `warm-*` data
  volumes (16 retained canonicals + warm-keycloak infra + per-run residue the WC8 `ci-docker-prune`
  reclaims).
 - 16 retained canonicals total ~2G of volumes + 1.1G metadata against 38G free → ample headroom even
  at the full 20-enrolled set. WC8 disk-hygiene (`ci-docker-prune`) keeps residue bounded.
 Conclusion: keep all-enrolled with retained volumes; revisit only if `/` free drops below a single
 recipe's largest restore (~1–2G working set). No recipe dropped for disk.
 ## phase dash — per-recipe history sourced from local run artifacts (2026-06-17)
 The dashboard's per-recipe history page (`/recipe/<recipe>`) sources its run list from the local
 `/var/lib/cc-ci-runs/*/results.json` artifacts (complete: 308 finished runs; durable; already
 bind-mounted read-only), NOT the Drone `…/builds?per_page=100` slice (root cause: that 100-build
 window dropped each recipe's older runs out of view after the regall sweep → most recipes showed 1
 run). Newest-first by the `results.json` `finished` timestamp (run ids are MIXED numeric + named, so
 only a timestamp sort is correct — `int(run_id)` would crash on `m2r-*`/`ab-*`); display-capped at
 `HISTORY_CAP=30`. Status derived from the per-stage `results` map (no top-level status field). The
 OVERVIEW (`/`) and badges keep their Drone latest-per-recipe source unchanged. Deliberately did NOT
 merge Drone live "running" status into history (optional per plan; re-adds the network dependency the
 local source removes; overview already shows live status). Retention: 308 parseable runs present, no
 trim job observed → adequate; revisit only if a cap is ever needed.
 ---
 ## Phase `settings` (2026-06-17) — server settings.toml + SKIP_CANONICALS_FOR_UPGRADE + release-tag-first fallback
 - **Settings home = `harness/settings.py` (new), file `/etc/cc-ci/settings.toml` (override `$CCCI_SETTINGS`).**
  No pre-existing cc-ci config module existed to extend (config was scattered `os.environ.get` reads);
  a minimal stdlib-`tomllib` loader is the minimal+extensible mechanism. `_SCHEMA` (table→{key:(type,default)})
  is the single source of defaults+validation. Tracked `settings.toml.example`; live file untracked/operator-
  managed/no-secrets (secrets stay in sops). Default `/etc/cc-ci` chosen over the plan's suggested
  `/srv/cc-ci` (orchestrator-ambiguous): `/etc/cc-ci` is where the harness already runs (`CCCI_REPO`),
  absolute so Drone+sweep read the same file, untracked file survives deploy `git pull`.
 - **`SKIP_CANONICALS_FOR_UPGRADE` scope = upgrade BASE only.** Wired into `resolve_upgrade_base`: flag
  true → skip canonical lookup → no-canonical fallback (behaves as if no canonical). Does NOT touch
  canonical *promotion* or the `--quick` warm-reattach — those are separate optimizations; a future
  `SKIP_CANONICAL_SWEEP` / `SKIP_QUICK` could gate them (out of scope here).
 - **No-canonical fallback (always-on, §2.C):** newest release TAG `< head` (reuse
  `warm_reconcile.newest_older_version`, the single version-ordering source) → raw main-tip (no prior
  release tag) → skip. Replaces the old jump-straight-to-main-tip path; improves this server too (false
  flag, un-promoted recipes get a real release base).
 - **Canonical-present path (incl. samever step-back) preserved byte-for-byte.** With flag false + a
  canonical, behavior is unchanged. The step-back's "no older predecessor → skip" is intentionally NOT
  routed to main-tip (would reintroduce the same-version no-op samever prevents); the §2.C "==head"
  routing is satisfied because the step-back already takes the same release-tag helper as fallback step 1.
 - **Validation:** absent/unreadable/malformed-TOML → WARN + all-defaults (cannot crash the harness);
  unknown table/key → warn-and-ignore; present known key of wrong type → raise TypeError (loud typo).
 - **OBSERVATION (not this phase's defect):** `scripts/lint.sh` (pinned ruff) reports
  `dashboard/dashboard.py` + `tests/unit/test_dashboard.py` would be reformatted — confirmed pre-existing
  at HEAD f68f1c5, outside the settings diff. Flagged for the dashboard owner / orchestrator; not fixed
  here (narrow scope).
--- a/machine-docs/DEFERRED.md
+++ b/machine-docs/DEFERRED.md
@ -118,6 +118,8 @@ before the build is called done) — but does **not** force closure.
 - **Linked IDEA:** —
 ### 2026-05-28 — uptime-kuma create-a-monitor (§4.3 prescribed)
 - [x] **CLOSED @2026-06-11 (Builder, phase kuma):** `tests/uptime-kuma/playwright/test_monitor_wizard.py` implemented and proven in real CI. Playwright (option b) drives the actual browser; Socket.IO handled transparently. Flow: wizard admin-create → self-probe monitor (→ Up, real heartbeat row) + dead-port monitor (→ Down, proves probe engine). Commits: `8da59cf` (test) + `fe8922c` (M1 claim). Drone builds #460 + #462 both LEVEL 5 with `test_monitor_wizard [pass]`. M1+M2 Adversary PASSes in REVIEW-kuma.md. DEFERRED is closed.
 - [x] **RE-ENTERED @2026-06-11:** operator approved — executing as phase `kuma` (cc-ci-plan/plan-phase-kuma-monitor.md).
 - [ ] **What:** Add a test that completes uptime-kuma's first-run setup wizard via Socket.IO,
      logs in to obtain a JWT, creates a monitor (`monitor add` Socket.IO emit), and asserts the
      monitor appears in the listed-monitors response.
@ -210,6 +212,7 @@ before the build is called done) — but does **not** force closure.
 (none yet — append `### YYYY-MM-DD — <slug> CLOSED (commit/PR)` here when re-entered.)
 ### 2026-05-28 — plausible (Q4.7) recipe enrollment
 - [x] **CLOSED @2026-06-11 (operator housekeeping):** overtaken — plausible is enrolled and running in CI (§4.3 floor `71af595`); the full-lifecycle remainder is the Q4.7b entry below (recipe PR#3 green, operator merge pending).
 - [ ] **What:** Enroll plausible in cc-ci with parity health_check + ≥2 specific tests (per
      plan §4.3: "track a test event, query it back"). `tests/plausible/recipe_meta.py` +
      `tests/plausible/functional/test_health_check.py` are drafted (commit pending) but the
@ -237,6 +240,7 @@ before the build is called done) — but does **not** force closure.
  Defensible defer; lift when the operator wants the deeper coverage OR Phase-4 reviews.
 ### 2026-05-29 — immich recipe needs a pg_dump backup hook for reliable DB restore (P4)
 - [x] **CLOSED @2026-06-11:** cc-ci-authored immich recipe PR#2 (pg_dump hook) verified green; operator confirmed 2026-06-11 — merge pending, no further loop work.
 - [ ] **What:** immich's upstream recipe backs up the LIVE postgres data VOLUME via restic
      (`backupbot.backup=true` on `database`, no pg_dump hook), so a DB row does NOT survive
      `abra app restore` (diagnosed: seed→backup→drop→restore→row absent; app healthy). Real
@ -256,6 +260,7 @@ before the build is called done) — but does **not** force closure.
 - **Linked IDEA:** —
 ### 2026-05-29 — discourse: upstream recipe pins removed bitnami images (undeployable)
 - [x] **CLOSED @2026-06-11 (operator housekeeping):** superseded — discourse is enrolled and runs the full lifecycle in CI (L4 baseline run 184, 2026-06-05); the bitnami-pin blocker no longer applies.
 - [ ] **What:** discourse (Q4.6) cannot be enrolled/tested because the recipe pins
      `image: bitnami/discourse:<tag>` (app + sidekiq) and **Docker Hub no longer serves any
      `bitnami/discourse:*` tag** (bitnami's 2024/2025 legacy migration). Proven on cc-ci:
@ -282,6 +287,14 @@ before the build is called done) — but does **not** force closure.
 - **Linked IDEA / BACKLOG:** Q4.6.
 ### 2026-05-29 — mailu: no backup config (P4 N/A) — recipe-PR to add backupbot
 - [x] **CLOSED @2026-06-11 (phase mailu, Builder):** Mirror PR#3 (`add-backupbot-labels`, head
      `edc0201a79d3`) on `git.autonomic.zone/recipe-maintainers/mailu` adds backupbot v2 labels to
      `admin` service (`/data` SQLite) and `imap` service (`/mail` Maildir). Full lifecycle at PR head
      = LEVEL 5 (drone build #477): install/upgrade/backup/restore/functional all PASS; both
      `/data` (SQLite) and `/mail` (Maildir) seeded + wiped + verified restored. Adversary M1 PASS
      @2026-06-11T21:00Z. PR left open for operator merge. mailu's backup rung is now earned
      (`backup_capable=True`), not skipped. Phase mailu M1 PASS; M2 claim in progress.
 - [x] **RE-ENTERED @2026-06-11:** operator approved the backupbot recipe-PR route — executing as phase `mailu` (cc-ci-plan/plan-phase-mailu-backup.md).
 - [ ] **What:** mailu (Q4.9) ships **no `backupbot.backup` label** on any service, so cc-ci's
      backup/restore tiers cleanly SKIP (`backup_capable=False`) — P4 (backup data-integrity) is N/A
      for mailu as published (no backup mechanism to exercise). Durable fix = a recipe-PR adding
@ -296,6 +309,9 @@ before the build is called done) — but does **not** force closure.
 - **Linked IDEA / BACKLOG:** Q4.9.
 ### 2026-05-29 — drone (Q4.10) blocked on host /etc/timezone deploy (gitea SCM dep) + scoped integration
 - [x] **RE-ENTERED @2026-06-11:** operator approved — executing as phase `drone` (cc-ci-plan/plan-phase-drone-enroll.md); P0 host /etc/timezone deploy is orchestrator-owned.
 - [x] **MAXIMAL SUBSET COMPLETE @2026-06-11T22:30Z — Adversary M2 PASS, build #506 L5.** All mandatory tiers (install+upgrade+functional+lint) pass; backup structural skip justified in PARITY.md; bridge-triggered !testme CI run confirmed `event:custom`. DEFERRED item progressed: (1) P0 host fix: DONE; (2) Integration MAXIMAL SUBSET: DONE. **Build-creation gap (§4.3) remains open** — deferred sub-item per original filing.
 - **Adversary §7.1 sign-off on build-creation gap @2026-06-11T22:30Z:** The drone API build-creation flow (creating/running CI pipelines via drone's own API — requires drone OAuth token + `.drone.yml` + webhook) is accepted as a genuine, proportionate deferral. It is a harness capability gap, not a recipe gap. Drone boots with gitea SCM wired correctly (proven L5 in build #506); build-creation automation is a follow-on. SIGNED OFF. Remaining DEFERRED: build-creation API automation only.
 - [ ] **What:** drone (Q4.10, LAST §5 recipe) cannot be enrolled until two things land:
      (1) **HOST FIX — operator-deploy needed:** drone is a CI server that REQUIRES a git-provider SCM
      to boot; the only viable dep is **gitea**, which the recipe binds `/etc/timezone:ro` from the
@ -322,6 +338,7 @@ before the build is called done) — but does **not** force closure.
 - **Linked IDEA / BACKLOG:** Q4.10; JOURNAL-2 f86a58a; commit 3bde76f.
 ### 2026-05-30 — plausible Q4.7 full (recipe-PR Q4.7b: fix ClickHouse entrypoint wget restart-storm)
 - [x] **CLOSED @2026-06-11:** recipe PR#3 (ClickHouse entrypoint + backup fixes) verified GREEN at PR head; operator confirmed 2026-06-11 — merge pending. Post-merge follow-up: full lifecycle on main to formally claim Q4.7.
 - [ ] **What:** Fix the recipe `entrypoint.clickhouse.sh` so ClickHouse boots reliably, then run
      plausible's FULL lifecycle (`install,upgrade,backup,restore,custom`) green + claim Q4.7. Suite
      authored (`tests/plausible/` ops + test_backup/restore/upgrade + event-roundtrips); §4.3 floor
@ -335,3 +352,78 @@ before the build is called done) — but does **not** force closure.
 - **Re-entry trigger:** Builder authors recipe-PR Q4.7b (cache tarball on a volume / wget
  retry+backoff / drop `2>/dev/null` / `set +e` w/ fallback), then runs plausible-full green + claims.
 - **Linked:** REVIEW-2 `e850281` (root-cause + DENY), `71af595` (§4.3 floor); DECISIONS 2026-05-30.
 - [RE-ENTERED @2026-06-11 → phase `dstamp` (cc-ci-plan/plan-phase-dstamp-discourse-drift.md)] discourse upgrade-HC1 @7ae7b0f stamps prev-base tag commit (eb96de94+U) on BOTH old+new harness since ~06-10 (baseline 184 was L4 on 06-05); harness-neutral (rcust exonerated, M2-closed) but abra stamp-resolution mechanism UNATTRIBUTED — worth a standalone dig outside rcust. Evidence: /var/lib/cc-ci-runs/{m2p-discourse,ab-discourse-7ae7b0f-oldmain}, JOURNAL-rcust 2026-06-11.
  - ✅ **RESOLVED @2026-06-11 (phase `dstamp`, Builder).** NOT an abra stamp-resolution bug — abra
    stamps the PR head `7ae7b0f7+U` CORRECTLY (proven: repro2 `--debug` line + 3 bail-at-secrets
    repros; per-run git HEAD=7ae7b0f at deploy, reflog-verified). **Root cause:** discourse
    `compose.yml` app service `deploy.update_config: { failure_action: rollback, order: start-first,
    monitor: 5s }`. On the upgrade chaos redeploy, start-first co-resides OLD+NEW (~2× memory) for
    the precompile/Rails-heavy app; under host memory pressure the NEW task fails swarm's 5s update
    monitor → `failure_action: rollback` reverts the app service to PreviousSpec, including the
    `chaos-version` label (head→base `eb96de94+U`). start-first kept the old task serving so
    `wait_healthy` passed; HC1 then read the reverted base commit and misreported it as a stamp
    mismatch. **Direct evidence:** `/var/lib/cc-ci-runs/dstamp-repro4.console.log` — post-redeploy
    `UpdateStatus.State=updating`, `.Spec chaos-version=7ae7b0f7+U` (head applied), `.PreviousSpec
    chaos-version=eb96de94+U` (base); the read after the rollback = base. **Fix (commits 0cc31a5 +
    e9c26c7):** (1) `tests/discourse/compose.ccci.yml` app `update_config.order: stop-first` (new
    task boots with full memory → no OOM → no spurious rollback; `failure_action: rollback` left
    intact); (2) general `lifecycle.assert_upgrade_converged` (2-phase StartedAt protocol) detects a
    swarm rollback/pause and fails the upgrade HONESTLY — HC1 commit-match unchanged, unweakened.
    **Proven in real CI:** drone `!testme` build **#450** (discourse @7ae7b0f, cc-ci main 2da1f01) =
    **LEVEL 5**, all tiers PASS (install/upgrade/backup/restore/custom), clean_teardown + no_secret_leak
    true; PR recipe-maintainers/discourse#2 comment shows ✅ passed. **Blast-radius:** only discourse
    affected (keycloak/n8n have the same policy but upgrade-PASS L4 across runs; drone/traefik infra);
    the harness guard covers all rollback-policy recipes. M1+M2 evidence: STATUS-/JOURNAL-/REVIEW-dstamp.
 - [RE-ENTERED @2026-06-11 → phase `bsky`] ✅ **RESOLVED @2026-06-11 (phase bsky, Builder):** root cause = upstream republishes the MOVING tag `:0.4` with main-branch builds (now @atproto/pds 0.5.1, Node 24, `/app/index.ts` — no `index.js`), breaking the recipe's entrypoint override. Fix PR open (operator merges): **recipe-maintainers/bluesky-pds PR #2** (`upgrade-0.3.0+v0.4.219`, head f7b6c8df — exact-pin `0.4.219` + version-label bump). Proven green at PR head via real drone CI: run 427 **level 5** (install/backup_restore/functional/lint PASS; upgrade = declared intentional skip — no deployable published base, both old tags pin the republished `:0.4`; negative control run 423). Screenshot real (PDS landing page). The shot-phase deploy-gated N/A is lifted on the PR runs. Upstream registry: cc-ci-plan/upstream/bluesky-pds.md; decisions: DECISIONS.md 2026-06-11 (pin choice + EXPECTED_NA-upgrade base suppression). Both the re-pin follow-up AND the rcust M2 exclusion note are hereby closed with these pointers. Original entry follows: bluesky-pds: UPSTREAM IMAGE BREAKAGE (non-rcust, M2-justified exclusion from baseline match).
  The app container crash-loops `Error: Cannot find module '/app/index.js'` (MODULE_NOT_FOUND,
  Node v24.15.0) under the recipe's pinned tag on EVERY current run — new main @ mirror head
  (m2r-bluesky-pds), new main serial re-run (m2rr-bluesky-pds), AND old pre-rcust main @ old
  default head b2d86ef (ab-bluesky-pds-oldmain): identical failure on both harnesses and both
  refs → upstream re-published/moved the image under the tag; NO harness change can make this
  recipe deploy until the recipe re-pins. Baseline ("full lifecycle green", pre-results-era
  Phase-2 evidence e45e0ee) is unreproducible on any current run for reasons outside this repo.
  Evidence: `grep -r MODULE_NOT_FOUND /var/lib/cc-ci-runs/{m2r,m2rr,ab}-bluesky-pds*/abra/logs/
  default/`; REVIEW-rcust.md 2026-06-11 entries. Follow-up (post-phase): file/propose a re-pin PR
  against the bluesky-pds recipe mirror.
 - mumble-web client never paints UI for an anonymous browser (phase-shot, 2026-06-11). The recipe's
  pinned web client (rankenstein/mumble-web:0.5 via compose.mumbleweb.yml, served by websockify)
  stays at its `loading-container` spinner ≥90s with NO console errors, NO failed asset/requests,
  connect-dialog DOM elements absent, and no autoconnect overrides in config.local.js (defaults
  untouched) — so the CI screenshot's best-available frame is the genuine loader view every visitor
  gets. The voice server itself is fully exercised (protocol handshake/config tests pass; that is
  mumble's actual function). A harness-side fix is impossible without changing what the recipe
  deploys (guardrail: prefer upstream over cc-ci overlays). **Operator input needed:** whether to
  pursue an upstream recipe issue/PR (newer mumble-web image or one that renders its connect dialog)
  — until then the dashboard shows the loader frame as the recipe's web-surface reality.
  Evidence: /tmp/mumble-probe{2,3,4}.out + /tmp/mumble-orch{4,5}.log on cc-ci (90s DOM/console/
  network observation; websockify reachable, /ws & /websocket 404 from websockify itself);
  /var/lib/cc-ci-runs/shot-proof-mumble/screenshot.png (L4 run, loader frame).
 ## WC5 promote-on-green-cold ignores stage completeness (filed 2026-06-11, Builder, phase lvl5)
 Observed during the lvl5 unver-blocks proof: a GREEN hand-run with `STAGES=install,upgrade,custom`
 (backup/restore excluded) on latest still advanced custom-html's warm canonical —
 `should_promote_canonical` checks green+cold+latest but not that ALL stages ran. Pre-existing
 behavior (not introduced or worsened by lvl5; Adversary concurs it is not a finding). Only
 reachable via the operator/dev STAGES escape — production drone runs always run all stages.
 **Needed from operator:** decide whether promote should additionally require the full stage set
 (one-line guard in `should_promote_canonical`), or whether dev hand-runs promoting is acceptable.
 ### 2026-06-13 — deploy-proxy health-gate circular dependency (D8 risk)
 - [x] **CLOSED @2026-06-13 (Builder, phase pxgate).** Fixed in `runner/warm_reconcile.py` — traefik health probe changed from `ci.commoninternet.net/` (dashboard, ordered After=deploy-proxy) to `traefik.ci.commoninternet.net/api/version` (Traefik's own API, no backend dependency). Cold-boot deadlock eliminated; rollback semantics preserved (broken traefik won't serve /api/version). Controlled reproduction confirmed: dashboard scaled to 0 → old probe returns 404, new probe returns 200. M1 claimed. Adversary PASS pending for DONE. See DECISIONS.md 2026-06-13 pxgate entry.
 - **Filed by:** Adversary, phase pvfix (cross-filed by Builder)
 ### 2026-06-17 — discourse mint_admin prints minted ApiKey to the Drone RAW build log (low-sev)
 - **What:** `tests/discourse/custom/_discourse.py::mint_admin` mints a run-scoped Discourse admin ApiKey
  via `rails runner` which prints `CCCI_API_KEY=<plaintext>` to the container stdout; this can reach the
  **access-controlled Drone RAW build log** (401 without a token). NOT on the public dashboard/results UI
  (Adversary independently scanned the public surface — clean), and the key is class-B run-scoped
  (destroyed at teardown). Flagged by the Adversary as **[F-prevb-C, INFO]** during M2 cold acceptance.
 - **Why deferred (not fixed in prevb):** PRE-EXISTING — the `.key` print predates prevb; prevb only made
  the container PATH image-agnostic (b66abc4). D6's hard requirement (no secrets on the public results UI)
  is met. Out of prevb scope (dynamic base + previous/); fixing it is a discourse-custom-test hardening,
  not a prevb deliverable. Adversary did not VETO / did not block M2 on it.
 - **Needed from operator:** decide whether to harden — e.g. have `mint_admin` avoid emitting the plaintext
  key on stdout (write to a run-scoped sidecar the test reads), or register the minted key in the harness
  redaction set so even the RAW log is scrubbed. Low priority (RAW log is access-controlled; key is ephemeral).
 - **Filed by:** Builder, phase prevb (acknowledging Adversary [F-prevb-C]).
--- a/machine-docs/JOURNAL-aoeng.md
+++ b/machine-docs/JOURNAL-aoeng.md
@ -0,0 +1,15 @@
 # JOURNAL — phase aoeng (Adversary)
 ## 2026-06-13T18:23Z — Orientation
 Phase aoeng initialized. Builder has not started yet.
 Performed pre-build orientation:
 - Read `plan-phase-aoeng-engine.md` (full)
 - Read `plan-agent-orchestrator.md` (full)
 - Read source files: `agents.py` (850 lines), `agents.toml` (155 lines)
 - Confirmed `recipe-maintainers/agent-orchestrator` exists on Gitea but is empty
 - Identified all cc-ci hardcoding points that must be generalized (see REVIEW-aoeng.md)
 - Initialized phase tracking files
 Awaiting Builder's first commit/claim. Will poll every 10 min until activity starts.
--- a/machine-docs/JOURNAL-aotest.md
+++ b/machine-docs/JOURNAL-aotest.md
@ -0,0 +1,72 @@
 # JOURNAL — phase aotest (Adversary)
 ---
 ## 2026-06-13T18:44Z — Phase orientation + initial files created
 - Read plan-phase-aotest-verify.md: mission is to verify agent-orchestrator has a committed
  tests/ dir covering unit tests + isolated live smoke tests on both claude and opencode backends.
 - Checked agent-orchestrator repo: current state is v0.1.0 (commit 289ef07), no tests/ dir.
 - Created phase-namespaced files: STATUS-aotest.md, REVIEW-aotest.md, BACKLOG-aotest.md,
  JOURNAL-aotest.md.
 - Builder has not yet pushed any aotest work. Entering polling stance.
 Next: poll agent-orchestrator for new commits every ~10 min.
 ---
 ## 2026-06-13T18:56Z — (Builder) test suite built, all DoD met, gate CLAIMED
 **Approach.** The harness (agents.py) is mostly pure functions with a thin tmux shell-out layer,
 so I split testing into (a) unit tests that exercise the pure logic directly and (b) live smokes
 that drive `agents.py` end-to-end on each real backend.
 **Unit tests (`tests/test_unit.py`, stdlib `unittest`, 51 tests).** Each builds a throwaway
 project (config + prompts + machine-docs) in a tempdir and calls the harness functions directly —
 no agents, no live tmux. The one function that *would* spawn sessions, `phase_advance_check`,
 calls module-level `stop_loops`/`start_loops`/`handoff_reset`; I monkeypatch those three to
 recorders so the phase-machine logic (advance, idempotent sequence-complete, append-a-phase
 resumes + clears the stale marker) is covered without launching anything. I also load the shipped
 `agents.example.toml` so an example regression is caught.
 - Gotcha: my `BASE_TOML` fixture had `\d+`/`·` regexes; in a normal triple-quoted string those
  collapse to single backslashes and tomllib rejects the invalid escape. Fixed by making the
  fixture a raw string (`r"""…"""`) so the on-disk TOML keeps the doubled backslash, like the real
  `agents.example.toml`.
 **Live smokes.** `smoke_claude.sh` / `smoke_opencode.sh` each spin up a throwaway persistent
 "probe" through `agents.py up` in a sandbox with a unique `session_prefix` and temp `log_dir`,
 confirm the session attaches (pane command `claude`/`opencode`), `status` shows RUNNING, `down`
 removes it; a cleanup trap (EXIT INT TERM) kills everything. claude uses the cheap
 `claude-haiku-4-5`. opencode generalizes cc-ci `test-opencode.sh` onto this repo with its own
 server on `:4097` (a guard refuses `4096`).
 - Gotcha: the opencode server runs in a subshell `( … serve … ) &`, so `$SERVER_PID` is the
  subshell, not the listener — killing it left `:4097` held (a DoD-4 leftover-port failure I caught
  on the first standalone run). Fixed cleanup to also `pkill -f "opencode serve.*--port ${PORT}"`
  and wait for the port to free. Re-ran: freed.
 **Verification.** Cold-cloned to `/tmp/aotest-cold` and ran inside `nix develop` (python311) — the
 Adversary's exact path: `unit=PASS (51) claude=PASS opencode=PASS isolation=PASS`, rc=0; afterwards
 no `aotest-*` sessions, `:4097` free, `cc-ci-orchestrator/watchdog/assistant3` present. Pushed the
 deliverable as `cdcece9`; clean tree; claimed the gate.
 ---
 ## 2026-06-13T19:00Z — Adversary cold verification COMPLETE — ALL DoD PASS
 Independent cold verification from `/tmp/ao-adv-check` clone (cloned before reading Builder STATUS):
 - DoD-1 Unit tests: `Ran 51 tests` … `OK`, rc=0 inside `nix develop` ✓
 - DoD-2 claude smoke: `=== CLAUDE BACKEND SMOKE: PASS ===` — isolated prefix `aotest-c-681472-`,
  pane command `claude`, TUI alive, status RUNNING, down cleans up ✓
 - DoD-3 opencode smoke: `=== OPENCODE BACKEND SMOKE: PASS ===` — dedicated port `:4097` (not 4096),
  isolated prefix `aotest-o-681566-`, TUI attached, status RUNNING, down cleans up + port freed ✓
 - DoD-4 Isolation: no `aotest-*` sessions; port 4097 free; `cc-ci-orchestrator/watchdog/assistant3`
  all present ✓
 - DoD-5 Committed + documented: `tests/` in commit `cdcece9`, README `## Testing` section covers
  invocation, layers, env vars, skip conditions, and safety ✓
 - Full suite via `run.sh`: `SUMMARY: unit=PASS claude=PASS opencode=PASS isolation=PASS` — rc=0 ✓
 Verdict written to REVIEW-aotest.md. Committed with `review(aotest)` prefix → watchdog pings Builder.
 Phase aotest DONE (Adversary side). Awaiting Builder to write `## DONE` to STATUS-aotest.md.
--- a/machine-docs/JOURNAL-bsky.md
+++ b/machine-docs/JOURNAL-bsky.md
@ -0,0 +1,120 @@
 # JOURNAL — phase bsky
 ## 2026-06-11T11:31Z–11:55Z — bootstrap + root-cause diagnosis (B1, B2)
 Phase start. Read plan-phase-bsky-fix.md + plan.md §6.1/§7/§9. Adversary seeded
 REVIEW-bsky.md (8d5bf30) with cold baseline recon — same suspects I confirmed below.
 **Diagnosis chain (commands + outputs):**
 1. Mirror clone (b2d86ef): `compose.yml` pins `image: ghcr.io/bluesky-social/pds:0.4`,
   overrides entrypoint (`dumb-init --` + config-mounted `/entrypoint.sh`);
   `entrypoint.sh.tmpl` ends `exec node --enable-source-maps index.js` — relative path,
   resolved against image WORKDIR.
 2. Live image inspection on cc-ci:
   `docker image inspect ghcr.io/bluesky-social/pds:0.4 --format "{{.Id}} created={{.Created}} workdir={{.Config.WorkingDir}} ... cmd={{.Config.Cmd}}"`
   → `sha256:007500681bbf… created=2026-05-30T05:05:11Z workdir=/app entrypoint=[dumb-init --] cmd=[node --enable-source-maps index.ts]`
   `docker run --rm --entrypoint sh ghcr.io/bluesky-social/pds:0.4 -c 'node --version; ls /app'`
   → `v24.15.0` / `index.ts node_modules package.json pnpm-lock.yaml` — **no index.js**.
   `grep @atproto/pds /app/package.json` → `"@atproto/pds": "0.5.1"`; /usr/local/bin/goat present.
   So `:0.4` is now a main-branch 0.5.1 build → recipe's `index.js` exec = MODULE_NOT_FOUND.
   This precisely explains the rcust-era crash-loop evidence (Node v24.15.0 in traceback).
 3. Upstream research:
   - ghcr tags/list (paginated): exact tags …0.4.158, 0.4.169, 0.4.182, 0.4.188, 0.4.193,
     0.4.204, 0.4.208, 0.4.219, plus anomalous 0.4.5001. `:0.4` digest `871194d2…` ==
     `latest`, ≠ `0.4.219` (`e0b756701c92…`) → :0.4 republished past the release line.
   - Dockerfile@v0.4.219: node:20.20-alpine3.23, WORKDIR /app, CMD index.js, dumb-init.
   - Dockerfile@main: node:24.15-alpine3.23, CMD index.ts, + goat binary — matches what
     `:0.4` now contains. GitHub `releases/latest` 404s (they only push git tags).
   - service/package.json@v0.4.219: `"@atproto/pds": "0.4.219"`.
 4. Candidate-fix image verified on cc-ci:
   `docker run --rm --entrypoint sh ghcr.io/bluesky-social/pds:0.4.219 -c 'node --version; ls /app; grep @atproto/pds /app/package.json; which dumb-init'`
   → `v20.20.2` / index.js present / `"@atproto/pds": "0.4.219"` / `/usr/bin/dumb-init`.
   Image CMD `[node --enable-source-maps index.js]` — identical to what the recipe's
   entrypoint execs, so the override stays valid.
 **Why pin 0.4.219 and not chase 0.5.1 (rationale, summarized in DECISIONS.md):** 0.5.1
 exists only as the moving `:0.4`/`latest`/sha- tags — no exact release tag, built from
 main, and Co-op Cloud upgrade tooling works on tags. Re-pinning to the newest *released*
 exact tag is the minimal, justified fix; when upstream cuts real 0.5.x release tags the
 recipe can upgrade properly (entrypoint will then need `index.ts` + Node 24 — noted in
 upstream registry).
 Bridge enrollment confirmed: bluesky-pds in POLL_REPOS (nix/modules/bridge.nix:43) →
 `!testme` works. Mirror has only closed PR#1 (skill smoke test); my fix → PR#2.
 Next: DECISIONS entry (B3), mirror branch + PR (B4), !testme (B5).
 ## 2026-06-11T11:40Z–11:55Z — run 423 red: the upgrade-BASE trap (B5 first attempt)
 PR #2 opened (branch upgrade-0.3.0+v0.4.219, head f7b6c8df, 2-line diff) and !testme'd
 (comment 14340) → drone build/run 423. RESULT: install=fail, level 0 — but NOT the PR:
 the run never deployed the PR head. The harness deploys ONCE at the upgrade BASE
 (`previous_version` = vers[-2] = 0.1.1+v0.4 — confirmed: run-423's recipe checkout sat at
 tag 0.1.1+v0.4) and only the upgrade tier chaos-redeploys the PR head. Both published tags
 (0.1.1+v0.4, 0.2.0+v0.4) pin the broken moving `:0.4` → the base crash-loops the SAME
 MODULE_NOT_FOUND (run-423 app log: Node v24.15.0, /app/index.js missing) → install fails
 before my fix is ever exercised. No published version can EVER deploy again (upstream
 republished the tag) — so the upgrade path is structurally unverifiable until a fixed
 version is published post-merge.
 Fix (harness, evidence-backed, not a weakening): EXPECTED_NA["upgrade"] (the EXISTING
 declared-intentional-skip mechanism, de-capped levels phase lvl5) now also suppresses the
 base deploy — extracted `upgrade_base()` pure helper in run_recipe_ci.py; single deploy
 becomes the PR head; upgrade tier records "skip"; derive_rungs classifies it intentional
 with the declared reason (visible in results.json skips.intentional — never reported as a
 pass). tests/bluesky-pds/recipe_meta.py declares it with the full reason + the re-enable
 path (UPGRADE_BASE_VERSION="0.3.0+v0.4.219" once published). 6 new unit tests
 (tests/unit/test_upgrade_base.py) lock the decision matrix; meta-key doc regenerated.
 Verified: 253 unit tests pass on cc-ci (was 247), repo lint PASS. Pushed e9745c8.
 Re-triggered !testme (comment 14342) → build/run 427. Monitor armed.
 ## 2026-06-11T12:05Z — run 427 GREEN: level 5 at PR head; M1 claimed (B5, B6, B7)
 Run 427 (drone build 427, comment 14342): level 5 — install/backup_restore/functional/
 lint PASS, upgrade = declared intentional skip (reason verbatim in skips.intentional),
 clean_teardown + no_secret_leak true, ref f7b6c8dfb81c. Per-run recipe checkout at PR
 head f7b6c8d with image 0.4.219 (the fix WAS what deployed). Bridge reflected success →
 PR comment 14343 ✅. Screenshot Read and verified: genuine PDS landing page (ASCII
 butterfly, "This is an AT Protocol Personal Data Server", /xrpc/ pointer) — exactly the
 default capture the phase plan predicted would work once deploy works; no hook needed.
 Card (summary.png): 5/5, upgrade shown INTENTIONAL SKIP with reason; badge "level 5"
 green. M1 claimed in STATUS-bsky.md.
 ## 2026-06-11T12:15Z — records closed (B8) + operator summary drafted (B9)
 DEFERRED bluesky entry marked RESOLVED with pointers (f150012) — covers BOTH the re-pin
 follow-up and the rcust M2 baseline-exclusion note.
 **Shot-phase N/A disposition update (supersedes the deploy-gated classification):**
 the shot phase classified bluesky-pds's screenshot "deploy-gated N/A — never capturable
 because the app never comes up". With the PR#2 fix deployed (run 427, PR head), the
 DEFAULT landing-page capture works exactly as the phase plan predicted: a real,
 representative, credential-free PDS landing page (ASCII butterfly + "This is an AT
 Protocol Personal Data Server" + /xrpc/ pointer). No SCREENSHOT hook was needed. The
 N/A stands for HISTORICAL runs only; post-merge, bluesky-pds screenshots like any other
 recipe.
 Canonical/warm check: /var/lib/ci-warm has NO bluesky-pds dir → no canonical to reseed
 post-merge; the normal promote-on-green flow will mint one on the first green run after
 merge. Operator summary written to STATUS-bsky.md (B9).
 ## 2026-06-11T15:50Z — M1 PASS received; M2 claimed (B10)
 M1 PASS @12:30Z (REVIEW-bsky 369f4f4), no findings, no VETO — every item reproduced cold
 incl. negative-control teeth and the per-recipe scoping of the EXPECTED_NA change. (Gap
 12:30→15:45 was a quota window, not work.) All M2 builder-side items were already in
 place (DEFERRED f150012, operator summary cba53b6); claimed M2 with re-trigger
 instructions for the fresh cold pass. Phase DoD after M2 PASS → ## DONE with PR open.
 ## 2026-06-11T15:55Z — M2 PASS → ## DONE
 M2 PASS @15:48Z (42eabba): Adversary independently re-triggered !testme (comment 14344 →
 build 435, level 5 at f7b6c8df, identical rung profile + screenshot sha to 427) and
 corroborated every handoff item — including that 0.5.x has NO release tag, fully settling
 the §2.2 upgrade-preference question. ## DONE written. Phase ends with PR #2 open for the
 operator; loop stopped.
--- a/machine-docs/JOURNAL-canon.md
+++ b/machine-docs/JOURNAL-canon.md
@ -0,0 +1,213 @@
 # JOURNAL — phase `canon` (canonical sweep, make it real)
 Builder reasoning log. WHY lives here; WHAT/HOW/EXPECTED/WHERE live in STATUS-canon.md.
 ## 2026-06-17 — bootstrap / code survey
 Read the phase canon (`plan-phase-canon-canonical-sweep.md`) + plan.md §6.1/§7/§9. Surveyed the
 existing canonical/sweep machinery before designing. Key findings:
 ### Clone identity
 `/srv/cc-ci` is a symlink → `/srv/cc-ci-orch`; the env's two "working dirs" are the same directory.
 This IS the Builder clone (reflog shows the `claim(M2)`/`status(samever) ## DONE` commits). The
 Adversary cold-verifies from its own fresh clones. No collision.
 ### What already works (phase doc is partly stale)
 - The phase doc says "ZERO canonical.json exist". **Not true any more**: a real canonical for
  `custom-html` exists on the host at `/var/lib/ci-warm/custom-html/canonical.json`
  (`version 1.13.0+1.31.1`, commit `2b82eba…`, status idle, ts `20260617T050314Z`) with its retained
  data volume `warm-custom-html_..._content`. It was produced by a **manual** cold run during the
  `samever` phase, NOT by the timer. So the *promote primitive* (seed_canonical → write_registry +
  warmsnap) demonstrably works; the **sweep that should drive it is what's hollow.**
 ### The real "hollow sweep" defect (root cause, confirmed live)
 The deployed `nightly-sweep.timer` fired 2026-06-17 03:09 and logged:
 `===== nightly cold sweep: enrolled canonicals = [] =====` → a true no-op.
 Cause: `nightly_sweep.py` does `REPO = os.environ.get("CCCI_REPO", "/root/cc-ci")` then
 `sys.path.insert(0, REPO/runner); from harness import canonical`. The systemd unit
 (`nix/modules/nightly-sweep.nix`) sets **no `CCCI_REPO`**, and `/root/cc-ci` **does not exist** on the
 host. So the import falls through to the harness packaged in the **nix store** (`runnerSrc=../../runner`
 — runner/ only, NO tests/). `meta.TESTS_DIR = ROOT/tests` then points at a nonexistent dir →
 `enrolled_recipes()` swallows the OSError → `[]`. Even though `custom-html` is enrolled in the repo,
 the deployed timer never sees it. **This is the machinery that was "specified but never doing
 anything."** Fix: point the sweep at a real, current checkout that has `tests/`.
 ### How current code stays live on the host
 - Normal recipe CI: Drone `exec` pipeline auto-clones cc-ci per build into its workspace, then runs
  `cc-ci-run runner/run_recipe_ci.py` from that fresh clone → tests/runner always current.
 - `/etc/cc-ci` is a **git clone** (the nixos flake source: `nixos-rebuild --flake /etc/cc-ci#…`).
  It is currently STALE (`e60415d`, far behind main) because recent phases only touched `runner/`
  (picked up by Drone's fresh clone) and needed no nixos-rebuild. The sweep is the first thing that
  needs `/etc/cc-ci` current.
 - Plan: sweep service sets `CCCI_REPO=/etc/cc-ci` and runs `nightly_sweep.py` FROM the checkout
  (change the nix to exec `$CCCI_REPO/runner/nightly_sweep.py`, not the store copy) → after a deploy
  that does `git -C /etc/cc-ci pull && nixos-rebuild`, the sweep reads current tests/ + runner. This
  reuses the flake-source checkout (declarative, reproducible) rather than inventing a new clone.
 ### Promote path (the core, §2.A)
 - `should_promote_canonical(recipe, ref, overall, quick)` = enrolled & green & cold(not quick) &
  not-ref (no PR head). `promote_canonical` deploys `latest_version(recipe_tags(recipe))` (the latest
  git tag) fresh/in-place, waits healthy, undeploys, `seed_canonical` (snapshot + write_registry).
 - **Tagged-promote addition needed:** the green gate currently tests *whatever fetch_recipe checked
  out* (catalogue `main` HEAD for a cold run), which can be untagged-ahead of the latest tag, while
  promote always writes the latest TAG. Per operator: a canonical must only ever be a real release.
  Add a `tagged` requirement: the tested head version (`abra.head_compose_version`, the compose
  `version` label) must equal a published release tag (`recipe_tags`). When main HEAD == latest
  release (the common just-cut case) head_version == latest tag → promote; when main is untagged-ahead
  → no promote.
 ### Trigger on a NEW RELEASE TAG (§2.D) + test the tag (not main)
 - Version ordering is centralized in `warm_reconcile.version_key` / `latest_version` /
  `newest_older_version` (already used by samever step-back). Reuse them.
 - Trigger (pure, in the sweep, per recipe): after mirror-sync, `latest = latest_version(recipe_tags)`;
  `canon = read_registry(recipe).version`. No tag → SKIP (never released). `latest <= canon` (by
  version_key) → SKIP no-new-version (even if main has untagged commits — we compare tags not
  commits). `latest > canon` → run cold on the tag.
 - **Test the TAG cold:** to honour "run CI cold on that tagged version" (and so a green gate proves
  the exact thing that gets promoted), check out the latest tag in `~/.abra/recipes/<recipe>` and run
  with `CCCI_SKIP_FETCH=1` (the existing staging mechanism) → head_version = tag, head_ref = tag
  commit, REF empty (so `not ref` still holds → promote allowed). The upgrade-base resolver then sees
  canonical(older) < head(new tag) → real delta (samever step-back never fires: tag>canon by
  construction).
 ### samever orthogonality (operator-required)
 The release-tag trigger guarantees, in the sweep, version-under-test > canonical, so the upgrade
 base is strictly older → `samever`'s same-version step-back never fires. (a) no new tag → SKIP, no
 upgrade-tier run; (b) new tag → canonical(older)→new, real delta, promote. samever's same-version
 behaviour stays owned by the samever phase on the PR path. Will demonstrate both in M2.
 ### Enroll-all set (§2.B)
 Authoritative inventory = `cc-ci-plan/used-recipes.md` (21 rows: 20 `weekly` + `uptime-kuma`
 `external`). NOT the test fixtures (custom-html-bkp-bad / -rst-bad, concurrency, regression,
 _generic). custom-html-tiny IS in used-recipes (weekly) → enroll it too.
 ### Disk budget (§2.B watch-item)
 Host `/`: 150G total, 104G used, **40G free (73%)**. `du` of /var/lib/ci-warm today: custom-html 32K,
 keycloak 159M. Retaining ~21 fresh-install data volumes should be a few GB; immich/matrix/mailu are
 the ones to watch. Will measure during the M2 full sweep and record the real budget; raise the VM
 disk (orchestrator) rather than silently drop recipes if it binds.
 ### §2.G UPGRADE_BASE_VERSION retirement — gated on M2
 `plausible` pins `UPGRADE_BASE_VERSION="3.0.1+v2.0.0"`; `bluesky-pds` only references it in a comment.
 Retirement requires plausible's canonical to actually land at its latest green release so the dynamic
 resolver picks the right base — so this is sequenced AFTER M2 promotes plausible. Keep the pin if
 plausible can't go green dynamically (record why).
 ## 2026-06-17 — M1 built + live-proven (CLAIMED)
 All M1 code landed (HEAD d4cc9e4). Reasoning behind the choices:
 - **Tagged-gate computes `tagged` at the call site, not inside the gate** — keeps
  `should_promote_canonical` pure (the Adversary anti-anchoring + the existing unit-test contract).
  `is_released_version` lives in warm_reconcile (owns version logic + recipe_tags I/O).
 - **Promote the TESTED version (divergence fix, d4cc9e4):** the Adversary's pre-claim probe flagged
  that the gate checks `head_version` but promote recorded `latest_version(recipe_tags)`. Live proof-A
  made this concrete and favourable: the OLD record had commit `2b82eba` (a merge-to-main commit),
  but the tag `1.13.0+1.31.1` actually points to `df2e273`. Recording the tested version's head_ref
  now writes the TAG commit — strictly more correct. Sweep path was already safe (head==tag), but the
  manual `RECIPE=<r>` path needed it.
 - **Why a vendored mirror-sync script, not the nix-store open-recipe-pr.sh:** the recipe clones on
  cc-ci have INCONSISTENT remotes (n8n: origin=mirror; mumble: origin=coopcloud; ghost/discourse:
  origin=mirror, no `upstream`). open-recipe-pr.sh assumes origin=coopcloud → would force-sync mirror
  main to *mirror* main (no-op) for most. The vendored `scripts/recipe-mirror-sync.sh` pins an
  explicit coopcloud `upstream` remote from the recipe name, syncs main+TAGS (canon needs upstream
  tags for the trigger), and authes via the bot token (self-contained, not host .git-credentials).
  Behaviour matches the phase's described open-recipe-pr.sh --reconcile-only (faithful, close
  merged-upstream PRs, leave unrelated). See DECISIONS.
 - **Why test the TAG via checkout+CCCI_SKIP_FETCH (run_on_tag), not just REF=tag:** REF alone (no SRC)
  takes fetch_recipe's `abra recipe fetch` branch (ignores REF) AND would set `ref` → should_promote
  blocks. Staging the tag in the clone + CCCI_SKIP_FETCH makes head=tag with REF empty → promote
  allowed, and exercises the real "cold on the tagged release" path.
 ### Live proof evidence (cc-ci, /root/canon-verify @ d4cc9e4)
 - proof-A (promote): canonical.json fresh ts 065027Z, commit df2e273 (=tag commit). Note: because
  custom-html canonical already == latest, run_on_tag here re-promoted an EQUAL version → the samever
  step-back fired (base 1.11.0+1.29.0). That is an artifact of bypassing the trigger for the proof;
  the REAL sweep SKIPs equal-version (sweep_decision), so the step-back never fires in the sweep — to
  be shown live in M2 (canonical(older)→new tag, base=canonical, no step-back).
 - proof-B (reattach): --quick reattached the retained volume, green (4 tests passed), known-good
  version+commit UNCHANGED (df2e273); ts re-stamped only by the idle-status write (write_registry
  stamps ts on every status write) — NOT a promote.
 - proof-C (untagged→no-promote): green cold run (level 5/5) on an untagged head (label 1.13.1+1.31.1)
  → 0 promote log lines, canonical.json byte-identical before/after. Tagged-gate works live.
 ## 2026-06-17 — M2 prep recon (non-advancing, while awaiting M1 verdict)
 Read-only sweep_decision survey across the 21 enrolled (from existing host clones; the real sweep
 mirror-syncs+fetches first so tags may differ slightly):
 - **20 recipes have NO canonical yet → first sweep RUNs (seed) each**; only custom-html SKIPs.
 - plausible latest tag = **3.0.1+v2.0.0** (== the §2.G UPGRADE_BASE_VERSION pin target) → once the
  sweep seeds plausible's canonical at 3.0.1, the dynamic base should resolve 3.0.1 and the pin can go.
 M2 risks to plan for (when M1 PASSes):
 1. **Runtime:** 20 full cold deploy/test/teardown runs, several heavy (matrix-synapse, immich, mailu,
   discourse, ghost, mattermost) at 15-25 min each → a single full sweep likely EXCEEDS the timer's
   6h TimeoutStartSec. Options: run M2.2 in the foreground (not the timer) for the full promote proof,
   raise TimeoutStartSec, and prove the real-timer-fire (M2.5) on a smaller already-canonical set
   (so the fire advances at least one canonical, not exit-0 on empty).
 2. **Disk:** 20 retained data volumes on 40G free. Measure as it runs; raise the VM disk
   (orchestrator) if it binds rather than dropping recipes (per §2.B). Heavy: immich/matrix/mailu.
 3. **Reds are acceptable** (canonical just not advanced) — but maximise greens; investigate any red.
 4. Unusual tag formats (ghost 1.3.0+6.42.0-alpine, gitea 3.5.3+1.24.2-rootless, mumble
   1.0.0+v1.6.870-0) — version_key parses leading numerics; is_released_version exact-match covers them.
 ## 2026-06-17 — promote fix validated (DEFECT-1/2 response)
 Validated f94de22 on the 3 distinct failure classes via run_on_tag from /etc/cc-ci:
 - custom-html-tiny (install_steps content): PROMOTED 1.2.0+2.43.0 ✓
 - ghost (dirty-tree app-new FATA): PROMOTED 1.4.0+6.45.0-alpine ✓
 - bluesky-pds (special secret): secret now inserted in promote + deploy succeeds, but warm health
  fails — PDS is healthy INTERNALLY (200 on localhost:3000) yet not routed via traefik on the warm
  domain (000). This is a bluesky-specific WARM-DOMAIN ROUTING issue (cold-test domain worked),
  NOT the promote-wiring bug. Documented as a known red pending follow-up (the sweep leaves it
  intact per guardrails). DEFECT-1 (label) fixed: sweep result now derives from canonical existence.
 Full sweep re-run launched (skips the 7 already-promoted = determinism evidence; runs the rest).
 ## 2026-06-17 ~13:20 — RESUME reconstruction (post-compaction) + real-timer re-fire in flight
 Reconstructed state from cc-ci (not memory): the parity fix (2c61f2f) is DEPLOYED — the deployed
 nix-store sweep script `/nix/store/2q6a27hnnmy0.../cc-ci-nightly-sweep` contains
 `export PATH="/run/current-system/sw/bin:/run/wrappers/bin:$PATH"`. A prior iteration committed
 2c61f2f (13:00) → pulled /etc/cc-ci → nixos-rebuild → `systemctl start nightly-sweep.service` (13:01),
 then handed off. So the **DEFECT-3 production-env re-fire is IN FLIGHT** as the real timer service
 (PID 2149231, `TriggeredBy: nightly-sweep.timer`, ppid=1, journald socket).
 Parity precondition CONFIRMED real (not asserted): `git-lfs` → `/run/current-system/sw/bin/git-lfs`
 (symlink to git-lfs-3.6.1); Drone exec runner `/proc/<pid>/environ` PATH =
 `/run/current-system/sw/bin:/run/wrappers/bin` — identical head to the sweep's now-prepended PATH.
 This fire so far (journalctl -u nightly-sweep.service --since 13:01):
 - custom-html RUN — new release 1.13.0+1.31.1 > canonical **1.11.0+1.29.0** → **PASS (promoted
  1.13.0+1.31.1)** @13:15:17. A real-timer non-hollow promotion + the constructed older→new advance
  (M2.6 path 2 / M2.5 non-hollow) under the deployed parity env. (custom-html canonical had been
  reset to 1.11.0 pre-fire to stage the advance.)
 - cryptpad SKIP, custom-html-tiny SKIP (determinism — promoted-at-latest skip), bluesky-pds
  GREEN-BUT-PROMOTE-FAILED (documented warm-routing red).
 - Now at discourse (RUN seed, deploying). CRUX still pending: gitea (8th) must flip cold-GREEN under
  the parity PATH (git-lfs now present) — that is the DEFECT-3 acceptance criterion.
 Polling every ~5 min (single node, fire in flight). Not touching the node until it completes.
 ## 2026-06-17 ~14:40 — production re-fire COMPLETE; DEFECT-3 closed; launching clean determinism 2nd sweep
 The DEFECT-3 re-fire (nightly-sweep.service, 13:01:01→14:37:22, Result=success, status=0, single
 serial) completed cleanly under the deployed Drone-parity PATH. **gitea crux RESOLVED:**
 `test_lfs_roundtrip PASSED` (the test that redded on the missing-git-lfs fire) → gitea cold-GREEN in
 production env, then the documented app.ini warm-advance exception (3.5.3 kept). So the only reason
 gitea redded before was the timer-env git-lfs gap, now fixed by host-PATH parity — confirming the fix
 is the right one (the sweep validates exactly as Drone CI does). No NEW promote failures surfaced that
 the manual env had masked → DEFECT-3 is the LAST env-parity gap, now closed.
 custom-html 1.11.0→1.13.0 advance promoted in this real timer fire: this is simultaneously the M2.5
 non-hollow real-fire proof AND the M2.6 constructed older→new advance (canonical(older)→new tagged,
 real delta, samever step-back never fires because tag>canon by construction). 14 promoted-at-latest
 recipes SKIP no-new-version live = determinism preview inside the production fire.
 **Why a clean 2nd sweep now (M2.3):** in this fire custom-html was the one promoted recipe that RAN
 (I'd reset its canonical to 1.11.0 pre-fire to stage the advance). Now it's at 1.13.0 = latest, so all
 16 promoted canonicals are at-latest. An immediate 2nd sweep therefore yields the clean run-twice
 result the plan's M2.3 asks for: the 15 promoted-at-latest SKIP (incl. custom-html), and ONLY the 5
 documented exceptions RUN (gitea 3.6.0 advance retry, discourse/mattermost-lts/mumble reds, bluesky
 warm-routing). Reds re-running is the accepted, DECISIONS-recorded deviation from the literal "skip
 every recipe" (cannot weaken a test to force a promote). Launching it as the real service again
 (systemctl start) for max faithfulness; ~96 min (discourse's deterministic 60-min deploy-timeout
 dominates). Disk budget healthy: ci-warm 1.1G / 16 volumes, 38G free.
--- a/machine-docs/JOURNAL-cf48.md
+++ b/machine-docs/JOURNAL-cf48.md
@ -0,0 +1,61 @@
 # JOURNAL — phase cf48 (Opus 4.8 post-cfold coverage-loss review)
 ## 2026-06-13T05:30Z — Independent cold review complete, M1 claimed
 **Model check:** session reports `claude-opus-4-8`, override files
 `/srv/cc-ci/.cc-ci-logs/.loop-model-cf48 = claude-opus-4-8` and `.loop-backend = claude`. Matches the
 phase Model Requirement — proceeded.
 **Approach.** Reviewed independently first (formed my own verdict from the diff, the code, and live
 probes), THEN read cf55 to reconcile. The plan named GPT-5.5 for cf55 but cf55 actually ran on
 claude-sonnet-4-6 (launcher mismatch, orchestrator relaunch — documented in its own state files), so the
 "two different models" cross-validation is Sonnet 4.6 vs Opus 4.8. Recorded honestly in STATUS rather
 than pretending it was GPT vs Claude.
 **Why I'm confident it's a pure relocation.** The cfold safety argument (discovery globs both old subdirs
 with no branching, both map to the L4 `functional` rung, identical fixtures/failure semantics) was already
 established in the cfold plan §1. My job was to confirm the *execution* matched. Three things made it
 provable rather than "looks right":
 1. The cardinal coverage diff (cmd 6) compares the actual git trees at `44e0242^` and HEAD by
   `(recipe, filename)`, stripping the folder component — a byte-identical sorted diff means no file was
   added, dropped, or renamed-away, only re-parented. This is stronger than a count match (counts can
   coincide while a file is swapped).
 2. `git show --find-renames` collapses the 100%-identical moves so only the 5 content-touched test files
   surface — and each of those is a docstring/comment/sys.path line, never an assertion. Small surface to
   eyeball exhaustively.
 3. The whole-repo grep for `functional/`/`playwright/` literals outside the alias handling, plus the
   `== "functional"` value-branch grep, proves no consumer (manifest, screenshot, dashboard, drone, bridge)
   silently keys off the old folder name. Only `discovery.py`'s intentional alias lines remain.
 **Discrepancy I caught vs cf55.** cf55's narrative claims keycloak's custom tests had a `sys.path` depth
 adjustment `../..` → `../../..`. The diff shows those lines unchanged (only the comment moved). Harmless —
 functional/ and custom/ are equal depth so no adjustment was needed — but it's a factual slip in cf55's
 write-up. Surfaced in the agreement note per the phase's "note where the two disagree" instruction. cf48
 found it; cf55 missed it. No coverage consequence either way.
 **Evidence audit stance.** Did NOT rerun the full fleet sweep (guardrail: don't re-sweep unless cfold
 evidence is incomplete — it isn't). Relied on cfold's cold-verified M2 PASS (REVIEW-cfold.md 04:11:00Z):
 all 20 recipes L5, custom-junit counts = baseline per recipe, ghost upgrade junit=2, live_pr_apps=0. That
 is sufficient and independently re-runnable evidence; re-sweeping would be churn.
 **Commands run (all green):** unit suite `18 passed`; per-recipe counts all match; cardinal diff
 `IDENTICAL SET`; alias probe `found: ['test_new.py','test_old.py','test_ui.py']` + 2 warnings; stale-
 consumer grep clean; `git status` clean; RUNG name `"functional"` intact.
 **Next:** parked at M1 CLAIMED gate awaiting Adversary M1 + M2 PASS in REVIEW-cf48.md. No other unblocked
 cf48 work (review-only phase). Will self-poll with a fallback while the watchdog edge-pings on the
 Adversary's `review(...)` commit.
 ## 2026-06-13T06:32Z — Resumed to close cf48; M2 claimed
 Re-invoked on cf48. Found M1 PASS already recorded (REVIEW-cf48.md @05:29Z, commit `836ab13`) but the
 loop had advanced through pvfix/pvcheck/ghost (all DONE) without an explicit **M2** PASS or a `## DONE`
 here — cf48 was left dangling at M1. The M2 gate (no-loss verdict) was never separately handshaken even
 though the M1 review text already establishes the full no-loss evidence.
 Action: re-verified the cheap structural checks (1–6) to confirm no test-tree drift since M1 — canonical=64,
 stale=0, lifecycle_in_custom=0, lifecycle_top=64, cardinal diff still IDENTICAL SET. Then updated STATUS
 to mark M1 PASS received + claim M2, and pushed `claim(cf48-M2)` (commit `61ad356`) to ping the Adversary.
 M2 reuses M1's already-cold-verified evidence — no new build/sweep (review-only phase, cfold evidence
 complete per guardrail; re-sweeping would be churn). Parked awaiting Adversary M2 PASS in REVIEW-cf48.md,
 after which I write `## DONE`.
--- a/machine-docs/JOURNAL-cf55.md
+++ b/machine-docs/JOURNAL-cf55.md
@ -0,0 +1,54 @@
 # JOURNAL — phase cf55
 ## 2026-06-13 — Phase cf55 bootstrap stopped on model mismatch
 Phase requirements checked:
 - Kickoff prompt requires `plan-phase-cf55-gpt55-cfold-review.md` as the single source of truth for this phase.
 - That phase plan requires both Builder and Adversary to run on `GPT-5.5` and to record their model in the first phase entry.
 Observed session state:
 - Current OpenCode session model: `openai/gpt-5.4`
 - This does not satisfy the phase requirement, so no review work was started.
 Actions taken:
 - Read the kickoff prompt and required plan documents.
 - Confirmed there were no existing `machine-docs/*cf55*` state files.
 - Seeded `STATUS-cf55.md`, `BACKLOG-cf55.md`, and `JOURNAL-cf55.md` with the blocked state.
 Next required action:
 - Orchestrator must relaunch the Builder for phase `cf55` on `openai/gpt-5.5` before any diff review,
  discovery-parity check, assertion audit, or evidence audit begins.
 ---
 ## 2026-06-13T05:11Z — Review work complete; M1 claimed (Claude Code relaunched by orchestrator)
 Prior GPT-5.4 loops (both Builder and Adversary) correctly stopped on model mismatch.
 Orchestrator relaunched this phase via Claude Code (claude-sonnet-4-6). Proceeded with the
 full cf55 review per the phase plan.
 **Review performed:**
 1. Read `plan-phase-cf55-gpt55-cfold-review.md`, `STATUS-cfold.md`, `REVIEW-cfold.md`.
 2. Examined cfold implementation commit `44e0242` in full:
   - `discovery.py` diff
   - `manifest.py` diff
   - All unit test diffs (`test_discovery.py`, `test_discovery_phase2.py`, `test_manifest.py`)
   - Mailu lifecycle overlay `sys.path` updates
   - Ghost recipe_meta.py + drone install_steps.sh comment changes
   - Keycloak test file path adjustments
   - Documentation diffs (`recipe-customization.md`)
 3. Verified live repo state:
   - `git ls-files "tests/*/custom/test_*.py" | wc -l` → 64
   - `git ls-files "tests/*/functional/*" "tests/*/playwright/*" | grep test_` → empty
   - Per-recipe counts: all 20 match baseline exactly
   - `nix shell ...pytest tests/unit/...` → 18 passed
   - Lifecycle overlay check: zero files in `custom/test_{install,upgrade,backup,restore}.py`
   - Deprecated-alias probe: both deprecated dirs found with WARNING emitted
   - RUNG name `"functional"` preserved in `level.py`
   - `git status` → clean
 **Decision:** No coverage loss found. All 7 review categories PASS. Claimed M1.
 Awaiting Adversary PASS on M1. Since both M1 and M2 are covered by this review (the review
 matrix is the entire DoD), will claim M2 simultaneously with M1 and await a single combined
 Adversary verdict, or claim M2 immediately after M1 PASS if the Adversary needs separation.
--- a/machine-docs/JOURNAL-cfold.md
+++ b/machine-docs/JOURNAL-cfold.md
@ -0,0 +1,487 @@
 # JOURNAL — phase cfold
 ## 2026-06-11 — Phase cfold start
 ### Investigation findings
 Pre-existing test layout:
 - 60 files in `functional/` subdirs across 20 recipes
 - 4 files in `playwright/` subdirs (cryptpad, custom-html, uptime-kuma)
 - Helper modules to move: `_discourse.py`, `_ghost.py`, `_mailu.py`, `_mm.py`, `_mumble_proto.py`, `drone/functional/__init__.py`
 - `mailu/test_backup.py`, `test_restore.py`, `ops.py` explicitly add `functional/` to sys.path — need updating to `custom/`
 ### Decision: deprecated aliases
 Per plan §2 option (RECOMMENDED): keep recognizing `functional/`/`playwright/` as deprecated aliases
 AND emit a loud one-line warning when a test is found in a deprecated folder. Using `warnings.warn()`
 at import time of discovery or `print()` directly. Will use `print()` (stderr) so it shows up in CI
 logs without needing to configure warning filters.
 Implementation: `subdirs = ("custom", "functional", "playwright")` — canonical first — and after
 finding a test in `functional/` or `playwright/`, emit:
 `print(f"WARNING [cfold]: test found in deprecated folder '{sub}/' — move to custom/: {path}", flush=True, file=sys.stderr)`
 This way:
 - `custom/` is canonical and gets discovered first
 - Old folders still work (zero breakage for repo-local tests) but emit a loud warning
 - No silent coverage loss possible
 ## 2026-06-12 — M1 checkpoint: canonical `custom/` layout landed locally
 Code/work completed:
 - `runner/harness/discovery.py`: canonical `custom/` discovery, deprecated alias warnings, and
  `custom_subdir_label()` normalization helper.
 - `runner/harness/manifest.py`: custom-test counts now normalize to canonical `custom`.
 - all cc-ci custom tests/helper modules moved from `tests/<recipe>/{functional,playwright}/` into
  `tests/<recipe>/custom/`.
 - helper-import fallout fixed where needed (`tests/mailu/{ops.py,test_backup.py,test_restore.py}`).
 - docs updated to describe `custom/` as the canonical layout and explain the alias-compatibility window.
 Mechanical move summary:
 - 64 custom test files relocated into `custom/`
 - helper modules relocated too: `_discourse.py`, `_ghost.py`, `_mailu.py`, `_mm.py`,
  `_mumble_proto.py`, `tests/drone/custom/__init__.py`
 Verification:
 ```bash
 nix shell nixpkgs#python312Packages.pytest --command pytest \
  tests/unit/test_discovery.py tests/unit/test_discovery_phase2.py tests/unit/test_manifest.py -q
 # ..................
 # 18 passed in 0.09s
 ```
 Post-move grep state:
 - remaining `functional/` / `playwright/` matches in live code are intentional: alias-policy docs,
  deprecated-folder assertions in the unit tests, and discovery comments describing the alias behavior.
 - the pre-migration inventory in `BACKLOG-cfold.md` is intentionally unchanged because it is the M1
  baseline record the Adversary will compare against.
 ## 2026-06-12 — M1 coverage proof assembled
 Verification commands + observed outputs:
 ```bash
 $ git ls-files "tests/*/custom/test_*.py" | wc -l
 64
 $ git ls-files "tests/*/functional/*" "tests/*/playwright/*"
 # no output
 $ for recipe in bluesky-pds cryptpad custom-html custom-html-tiny discourse drone ghost hedgedoc immich keycloak lasuite-docs lasuite-drive lasuite-meet mailu matrix-synapse mattermost-lts mumble n8n plausible uptime-kuma; do count=$(git ls-files "tests/$recipe/custom/test_*.py" | wc -l); printf "%s %s\n" "$recipe" "$count"; done
 bluesky-pds 4
 cryptpad 4
 custom-html 4
 custom-html-tiny 1
 discourse 3
 drone 1
 ghost 4
 hedgedoc 2
 immich 3
 keycloak 3
 lasuite-docs 5
 lasuite-drive 3
 lasuite-meet 3
 mailu 3
 matrix-synapse 3
 mattermost-lts 3
 mumble 5
 n8n 4
 plausible 2
 uptime-kuma 4
 $ nix shell nixpkgs#python311Packages.pytest -c pytest tests/unit/test_discovery.py tests/unit/test_discovery_phase2.py tests/unit/test_manifest.py -q
 ..................
 18 passed in 0.14s
 ```
 Conclusion: the migrated tree still contains the exact same 64 custom test files with the same
 per-recipe cardinality as the pre-cfold baseline in `BACKLOG-cfold.md`; only the folder paths changed.
 ## 2026-06-12 — Adversary M1 PASS received
 Pulled `review(cfold): M1 PASS cold verification` (`4b4d665`). Confirmed in `REVIEW-cfold.md`:
 - total canonical custom tests = 64
 - old tracked `functional/` / `playwright/` trees = none
 - per-recipe counts match the baseline exactly
 - focused unit suite = `18 passed`
 - deprecated-alias warning probe works
 - normalized `(recipe, filename)` before/after set = exact match (`missing []`, `extra []`)
 No fix-forward required. Phase advances to M2 baseline assembly.
 ## 2026-06-12 — M2 sweep snapshot: 19 fresh greens, Ghost upgrade regression remains
 Bootstrap/access re-checks before the live sweep:
 ```bash
 $ ssh cc-ci "hostname && whoami && nixos-version"
 nixos
 root
 24.11.20250630.50ab793 (Vicuna)
 $ set -a; . /srv/cc-ci/.testenv; set +a; curl -fsS "https://$GITEA_URL/api/v1/version"
 {"version":"1.24.2"}
 $ getent hosts "probe-$RANDOM.ci.commoninternet.net"
 91.98.47.73     probe-4360.ci.commoninternet.net
 ```
 Open-PR inventory before triggering uncovered recipes showed 16 enrolled repos already had live PRs;
 `custom-html`, `keycloak`, `cryptpad`, and `mumble` did not. I reopened reusable closed PRs for the
 first three (`custom-html#2`, `keycloak#3`, `cryptpad#5`) and created a minimal sweep-only `mumble#1`
 probe PR via the Gitea API.
 Fresh post-cfold success set gathered from the live server (`/var/lib/cc-ci-runs/<build>/results.json`):
 ```text
 506  drone            L5
 510  custom-html-tiny L5
 521  discourse        L5
 522  immich           L5
 523  lasuite-docs     L5
 524  lasuite-drive    L5
 525  lasuite-meet     L5
 526  mailu            L5
 527  matrix-synapse   L5
 528  n8n              L5
 529  mattermost-lts   L5
 530  plausible        L5
 531  uptime-kuma      L5
 541  custom-html      L5
 553  keycloak         L5
 554  cryptpad         L5
 555  hedgedoc         L5
 556  bluesky-pds      L5
 558  mumble           L5
 ```
 Ghost is the lone non-green outlier:
 ```text
 557  ghost PR#4 @ d88f5801  -> L1 (install pass, upgrade fail, backup/restore/custom pass)
 559  ghost PR#5 @ d42d0f7c  -> L1 (same failure shape on last known-green Ghost head)
 185  ghost PR#4 @ d42d0f7c  -> L4 / pre-lint-era green baseline on 2026-06-05
 ```
 The critical Ghost comparison is the same ref `d42d0f7c`:
 - historical build `185` (2026-06-05): upgrade passed at `d42d0f7c`
 - fresh probe build `559` (2026-06-12): same `d42d0f7c` now fails upgrade with swarm `UpdateStatus='paused'`
 That isolates the regression away from cfold itself. In both fresh Ghost failures (`557`, `559`), the
 custom tier still discovered and passed all four `tests/ghost/custom/test_*.py` files, while the
 upgrade op failed before upgrade assertions could run:
 ```text
 !! upgrade op failed: <ghost-domain>: upgrade redeploy did NOT converge to the head spec — swarm UpdateStatus='paused'.
 The recipe's app service uses update_config failure_action=rollback/pause; the NEW (head) task failed swarm's update monitor,
 so the service reverted/paused and the RUNNING spec is the previous version, not the code under test.
 ```
 Adversary update pulled during this pass:
 - `review(cfold)` commit `93f56ae` added only an idle audit entry to `REVIEW-cfold.md`
 - no finding filed
 - no M2 PASS yet because no `claim(cfold): M2 ...` commit exists
 ## 2026-06-12 — Follow-up Ghost artifact audit (same-ref historical pass vs fresh fail)
 Focused cold checks after the M2 sweep snapshot:
 ```bash
 $ ssh cc-ci "jq '{level,recipe,ref,results,rungs,stages:(.stages|map({name,status}))}' /var/lib/cc-ci-runs/185/results.json"
 {
  "level": 4,
  "recipe": "ghost",
  "ref": "d42d0f7c7cf9",
  "results": {
    "backup": "pass",
    "custom": "pass",
    "install": "pass",
    "restore": "pass",
    "upgrade": "pass"
  },
  "rungs": {
    "backup_restore": "pass",
    "functional": "pass",
    "install": "pass",
    "integration": "na",
    "recipe_local": "na",
    "upgrade": "pass"
  },
  "stages": [
    {"name": "install", "status": "pass"},
    {"name": "upgrade", "status": "pass"},
    {"name": "backup", "status": "pass"},
    {"name": "restore", "status": "pass"},
    {"name": "custom", "status": "pass"}
  ]
 }
 $ ssh cc-ci "jq '{level,recipe,stages:(.stages|map({name,status,summary}))}' /var/lib/cc-ci-runs/559/results.json"
 {
  "level": 1,
  "recipe": "ghost",
  "stages": [
    {"name": "install", "status": "pass", "summary": null},
    {"name": "backup", "status": "pass", "summary": null},
    {"name": "restore", "status": "pass", "summary": null},
    {"name": "custom", "status": "pass", "summary": null},
    {"name": "lint", "status": "pass", "summary": null}
  ]
 }
 $ ssh cc-ci "grep -R -n \"start_period\" /var/lib/cc-ci-runs/559/abra/recipes/ghost"
 /var/lib/cc-ci-runs/559/abra/recipes/ghost/compose.yml:60:      start_period: 15m
 /var/lib/cc-ci-runs/559/abra/recipes/ghost/compose.yml:84:      start_period: 1m
 /var/lib/cc-ci-runs/559/abra/recipes/ghost/compose.ccci.yml:35:      start_period: 15m
 /var/lib/cc-ci-runs/559/abra/recipes/ghost/compose.ccci.yml:38:      start_period: 15m
 ```
 Conclusion:
 - Historical build `185` passed the full Ghost lifecycle on the SAME ref now used in probe build `559`
  (`d42d0f7c7cf9`), so the current M2 blocker is not tied to the `custom/` folder migration.
 - Fresh failing runs still execute the canonical 4-file `tests/ghost/custom/` suite and pass every
  non-upgrade stage; the missing upgrade junit output remains the key symptom.
 - The current repo does not show an obvious cfold-local fix to apply: the Ghost-specific overlay is
  unchanged, the recipe artifact still carries the expected `compose.ccci.yml` file, and the failure
  remains in the live upgrade path rather than discovery/custom-test coverage.
 - Net: cfold remains blocked on a cfold-neutral Ghost upgrade regression / flake. No repo-local code
  change was justified by that audit alone.
 ## 2026-06-13 — Ghost PR #3 fresh probe after reopen: same upgrade-only failure, plus duplicate trigger signal
 I looked for the smallest allowed M2 step that did not touch recipe code: reuse an existing Ghost PR head
 that had historically gone green and rerun it through the live `!testme` path.
 Actions taken:
 ```bash
 $ set -a && . /srv/cc-ci/.testenv && set +a
 $ curl -fsS -u "$GITEA_USERNAME:$GITEA_PASSWORD" -X PATCH \
    -H 'Content-Type: application/json' \
    -d '{"state":"open"}' \
    "https://$GITEA_URL/api/v1/repos/recipe-maintainers/ghost/pulls/3"
 # PR #3 reopened; head remains 720faa0bebc46a34857b2933df1924ccabbd4087
 $ curl -fsS -u "$GITEA_USERNAME:$GITEA_PASSWORD" -X POST \
    -H 'Content-Type: application/json' \
    -d '{"body":"!testme"}' \
    "https://$GITEA_URL/api/v1/repos/recipe-maintainers/ghost/issues/3/comments"
 # comment 14497 created at 2026-06-13T00:07:50Z
 ```
 Fresh live outcomes:
 ```bash
 $ ssh cc-ci 'jq "{run_id, pr, recipe, ref, level, results, stages: (.stages | map({name,status,summary}))}" /var/lib/cc-ci-runs/568/results.json'
 {
  "run_id": "568",
  "pr": "3",
  "recipe": "ghost",
  "ref": "720faa0bebc4",
  "level": 1,
  "results": {
    "backup": "pass",
    "custom": "pass",
    "install": "pass",
    "restore": "pass",
    "upgrade": "fail"
  },
  "stages": [
    {"name": "install", "status": "pass", "summary": null},
    {"name": "backup", "status": "pass", "summary": null},
    {"name": "restore", "status": "pass", "summary": null},
    {"name": "custom", "status": "pass", "summary": null},
    {"name": "lint", "status": "pass", "summary": null}
  ]
 }
 $ ssh cc-ci 'jq "{run_id, pr, recipe, ref, level, finished, results, stages: (.stages | map({name,status}))}" /var/lib/cc-ci-runs/569/results.json'
 {
  "run_id": "569",
  "pr": "3",
  "recipe": "ghost",
  "ref": "720faa0bebc4",
  "level": 1,
  "finished": 1781309502.5494862,
  "results": {
    "backup": "pass",
    "custom": "pass",
    "install": "pass",
    "restore": "pass",
    "upgrade": "fail"
  },
  "stages": [
    {"name": "install", "status": "pass"},
    {"name": "backup", "status": "pass"},
    {"name": "restore", "status": "pass"},
    {"name": "custom", "status": "pass"},
    {"name": "lint", "status": "pass"}
  ]
 }
 ```
 Comment-stream evidence for duplicate triggers from one `!testme`:
 ```bash
 $ curl -fsS -u "$GITEA_USERNAME:$GITEA_PASSWORD" \
    "https://$GITEA_URL/api/v1/repos/recipe-maintainers/ghost/issues/3/comments?limit=20"
 # ...
 # 14497: !testme (2026-06-13T00:07:50Z)
 # 14498: cc-ci failure comment for run 568 (2026-06-13T00:08:05Z)
 # 14499: cc-ci in-progress comment for run 569 (2026-06-13T00:08:05Z)
 # 14500: cc-ci in-progress comment for run 570 (2026-06-13T00:08:05Z)
 ```
 Takeaways:
 - Ghost is now freshly red post-cfold on three distinct PR heads (`720faa0b`, `d88f5801`, `d42d0f7c`), all
  with the same upgrade-only failure shape while custom discovery stays green.
 - That further weakens any cfold-local explanation; the blocker remains in Ghost's live upgrade path.
 - There is also likely a separate trigger dedupe problem: one `!testme` comment spawned runs `568`, `569`,
  and `570`. I did not broaden into a D1 investigation in this loop step because cfold M2 is already
  hard-blocked by Ghost's repeated upgrade failures, but the evidence is now recorded.
 ## 2026-06-13 — Root-caused Ghost triple-trigger replay; bridge fix authored with unit coverage
 Pulled the Adversary's latest cfold audit (`review(cfold)` `ddefc96`). It was not an M2 verdict or a
 finding; it confirmed the sweep is still unclaimable while teardown remains clean (`live_pr_apps=0`).
 I then closed out the duplicate-run side observation from the Ghost PR #3 retrigger.
 Evidence:
 ```bash
 $ ssh cc-ci 'docker logs --since "2026-06-13T00:07:30" --until "2026-06-13T00:08:30" c54c433972ac 2>&1'
 [poll] triggered build 568 for ghost@720faa0b (PR #3, comment 14029) by autonomic-bot
 [poll] triggered build 569 for ghost@720faa0b (PR #3, comment 14032) by autonomic-bot
 [poll] triggered build 570 for ghost@720faa0b (PR #3, comment 14497) by autonomic-bot
 $ ssh cc-ci 'docker service ps ccci-bridge_app --no-trunc'
 # single running replica only; no restart near the incident
 $ ssh cc-ci 'docker ps --format "{{.ID}} {{.Names}} {{.Status}}" | grep ccci-bridge || true'
 c54c433972ac ccci-bridge_app.1.u5msezm603izeyf7kizqxq97j Up 22 hours
 ```
 Conclusion: this was NOT one comment id deduped incorrectly inside a single process. It was the poller
 correctly treating THREE distinct comment ids as unseen after PR #3 was reopened:
 - `14029` and `14032` were historical `!testme` comments from when PR #3 had been open earlier.
 - PR #3 was closed when the current bridge process started, so those comments were not covered by the
  startup pass that marks pre-existing comments seen.
 - When PR #3 was reopened, the poller saw those old comments for the first time and replayed them, then
  also processed the fresh comment `14497`.
 Repo fix authored:
 - `bridge/bridge.py`: added `_PROCESS_STARTED_AT` and `_is_preexisting_comment()` so the poller now marks
  any trigger comment older than the current bridge process as already-seen, even if the PR was closed at
  startup and only becomes visible later via reopen.
 - `tests/unit/test_bridge_trigger.py`: added focused tests for pre-start vs post-start comment handling.
 Verification:
 ```bash
 $ nix shell nixpkgs#python311Packages.pytest -c pytest tests/unit/test_bridge_trigger.py -q
 ..........                                                               [100%]
 10 passed in 0.04s
 $ ssh cc-ci 'nixos-rebuild switch --flake "git+file:///root/cfold-deploy?submodules=1#cc-ci"'
 # rebuild succeeded; deploy-bridge.service restarted and rolled the bridge task
 $ ssh cc-ci 'docker service inspect ccci-bridge_app --format "{{.Spec.TaskTemplate.ContainerSpec.Image}}"'
 cc-ci-bridge:eb32876581d9
 $ ssh cc-ci 'curl -fsS https://ci.commoninternet.net/hook/healthz'
 ok
 $ ssh cc-ci 'docker logs --since 5m 2088e44a0534 2>&1 | sed -n "1,80p"'
 poller (primary) watching ['recipe-maintainers/cc-ci', ..., 'recipe-maintainers/drone'] every 30s
 comment-bridge listening on 0.0.0.0:8080 (poll primary + optional webhook)
 ```
 This fix addresses the replay hole exposed during cfold's Ghost retrigger. It does not change the cfold
 bottom line: Ghost's upgrade tier remains the lone M2 blocker, while custom discovery continues to pass.
 ## 2026-06-13 — Ghost upgrade blocker fixed in cc-ci; same-ref real CI rerun now green
 I stayed on the Ghost blocker until I had a same-ref real-`!testme` proof, since M2 could not be claimed
 while Ghost remained the only non-green recipe in the sweep.
 Focused investigation sequence:
 - Preserved-current-code repros showed the old failure mode honestly: during the base->head crossover, the
  new Ghost app task could start before the replacement mysql service was usable, exiting on
  `ENOTFOUND` / `ECONNREFUSED` against `${STACK_NAME}_db`, which made swarm pause the update before the
  head spec settled.
 - My first attempt (`restart_policy.delay`) was insufficient because swarm paused the update on the first
  failed new task before any retry delay could matter.
 - My second attempt (wrapping Ghost in `command: sh -ec ...`) proved the DB wait idea but regressed the
  base install: it bypassed Ghost's normal docker-entrypoint first-boot path, so the default `source`
  theme was never seeded and `/` stayed 500 (`The currently active theme "source" is missing`).
 - Final fix: move the DB wait into the app `entrypoint`, then exec the normal
  `/abra-entrypoint.sh node current/index.js` path. That preserved both the first-boot seeding behavior
  and the upgrade crossover guard.
 The finished overlay in `tests/ghost/compose.ccci.yml` now does three things and nothing more:
 1. keep the existing 15m app healthcheck grace,
 2. keep the existing 15m db healthcheck grace,
 3. wait for the DB TCP socket before entering the normal Ghost entrypoint on the base->head crossover.
 Verification:
 ```bash
 $ ssh cc-ci 'jq -r ".results, .stages" /var/lib/cc-ci-runs/ghost-repro-cfold-3/results.json'
 {
  "install": "pass",
  "upgrade": "pass"
 }
 [
  {"name":"install","status":"pass",...},
  {"name":"upgrade","status":"pass",...},
  {"name":"lint","status":"pass",...}
 ]
 $ ssh cc-ci 'tok=$(cat /run/secrets/bridge_drone_token); curl -fsS -H "Authorization: Bearer $tok" https://drone.ci.commoninternet.net/api/repos/recipe-maintainers/cc-ci/builds/585 | jq -r "[.number,.status,.after,.params.RECIPE,.params.PR,.params.REF] | @tsv"'
 585	success	d44f799de945d0775933aad58726d46509154a64	ghost	5	d42d0f7c7cf9946077a583ffa3f7c96abfe94a77
 $ ssh cc-ci 'jq -r "{level,recipe,ref,results,stages:(.stages|map({name,status}))}" /var/lib/cc-ci-runs/585/results.json'
 {
  "level": 5,
  "recipe": "ghost",
  "ref": "d42d0f7c7cf9",
  "results": {
    "backup": "pass",
    "custom": "pass",
    "install": "pass",
    "restore": "pass",
    "upgrade": "pass"
  },
  "stages": [
    {"name":"install","status":"pass"},
    {"name":"upgrade","status":"pass"},
    {"name":"backup","status":"pass"},
    {"name":"restore","status":"pass"},
    {"name":"custom","status":"pass"},
    {"name":"lint","status":"pass"}
  ]
 }
 $ ssh cc-ci 'printf "ghost custom junit="; ls /var/lib/cc-ci-runs/585/junit/custom__cc-ci__*.xml | wc -l; printf " ghost upgrade junit="; ls /var/lib/cc-ci-runs/585/junit/upgrade*.xml | wc -l'
 ghost custom junit=4
 ghost upgrade junit=2
 $ ssh cc-ci 'printf "live_pr_apps="; docker stack ls --format "{{.Name}}" | grep -c -- "-pr" || true'
 live_pr_apps=0
 ```
 Outcome:
 - Ghost is no longer the M2 blocker.
 - The real PR-triggered build (`585`) on the same Ghost ref that previously failed (`d42d0f7c`) is now L5.
 - The custom tier remained intact throughout: still 4 canonical custom JUnit files on the green run.
 - With Ghost green and teardown clean, the cfold phase is ready for a formal M2 claim.
--- a/machine-docs/JOURNAL-conc.md
+++ b/machine-docs/JOURNAL-conc.md
@ -0,0 +1,165 @@
 # JOURNAL — sub-phase conc (Builder, append-only)
 ## 2026-06-10 — bootstrap
 Read concurrency-restructure-full-plan.md (SSOT) + plan.md §6.1/§7/§9. Oriented on the code:
 - `runner/harness/lifecycle.py` — recipe flock (l.46), registry (l.65–97), deploy_app
  registration (l.283), teardown unregister (l.723), three-way janitor (l.726).
 - `runner/run_recipe_ci.py` — `acquire_recipe_lock` call site (l.843), `fetch_recipe` (l.140,
  rm-rf + reclone of the shared tree), janitor call sites (l.600 quick, l.932 cold).
 - `.drone.yml` — recipe-ci step runs `cc-ci-run runner/run_recipe_ci.py` bare (P1 wraps it),
  `concurrency.limit: 2` (P4 removes).
 - Greps for P3 fallout: `~/.abra/recipes` referenced in abra.py (recipe_checkout,
  has_lightweight_version_tags, recipe_head_commit, recipe_versions), generic.py:28,
  lifecycle.prepull_images, run_recipe_ci (fetch_recipe, snapshot_recipe_tests, comment),
  warm_reconcile.py:202 (runs OUTSIDE per-run context — keeps default), and
  tests/ghost+discourse install_steps.sh (`${HOME}/.abra/recipes/...` — these run INSIDE a
  run and copy compose.ccci.yml into the deploy tree, so they must resolve the per-run dir).
 - `~/.abra/servers/...` paths are unaffected by design (servers/ is symlinked to the canonical
  /root/.abra/servers, so both resolutions land on the same file).
 Working setup: state files on main in this clone; code on branch `restructure/concurrency`
 via a git worktree at ../cc-ci-conc; test runs on the cc-ci host via /root/builder-clone
 (`cc-ci-run -m pytest ...`, `nix develop .#lint`).
 ## 2026-06-10 — P1–P4 landed on restructure/concurrency
 - P1 b492f99: harness/lifetime.py (PDEATHSIG+ppid recheck, SIGTERM/SIGALRM→SystemExit funnel
  with re-entrancy guard, alarm(3600)); main() installs first; both finally blocks mark
  begin_teardown(); .drone.yml setsid+trap wrap. Live smoke on cc-ci (cc-ci-run /tmp/p1-smoke.py):
  TERM→rc=143+finally; ALRM→rc=142+finally+deadline log; parent-kill→child TERM'd, teardown ran.
 - P2 b302f3a: acquire_app_lock + _probe_and_reap + janitor rewrite; registry deleted. Live smoke
  (/tmp/p2-smoke*.py): held lock → "live concurrent run, leaving it", reaped=[]; killed holder →
  reap exactly once + lockfile unlinked; waiter blocked during probe-held reap, then re-acquired
  on the FRESH inode (probe confirmed held by waiter). Note: a select()-on-fd readline artifact
  in my smoke script initially looked like a failure — kernel state was verified directly.
  Unlink/recreate race guarded on BOTH sides via fstat/stat st_ino identity checks.
 - P3 17ebdf3: per-run ABRA_DIR. Verified abra CLI honors $ABRA_DIR on-host (skeleton probe:
  FATAs only on empty servers/; with servers+catalogue symlinks + recipes/ it works and even
  auto-clones recipes for `app ls` resolution into the per-run dir). p3-smoke: setup + fetch of
  custom-html-tiny landed in /tmp/p3runs/9999/abra/recipes, head commit + versions readable via
  abra.recipe_dir(). install_steps.sh path fix justified in DECISIONS.md (conc P3 entry).
  Pre-existing observation (NOT mine, unchanged): `abra app ls -S -m -n` currently FATAs
  "unable to resolve '0cc57a5a'" under the DEFAULT abra dir too → janitor's abra discovery
  yields [] and the docker-service sweep carries discovery. Out of this phase's scope.
 - P4 91d3cc7: concurrency.limit removed; maxTests comment states single-knob + new model.
  One stale comment line (.drone.yml l.39 "concurrency.limit=2 below") folds into P5.
 All four commits: tests/unit 138 passed + lint PASS before each. Next: tests/concurrency suite.
 ## 2026-06-10 — tests/concurrency (84d90fb) + P5 (d3fe9e2) + M1 claim (e8e52cf)
 - Suite: 20 tests / 19 plan cases, all real-kernel (helpers.py subprocesses hold real flocks,
  install real prctl/alarm guards; CCCI_APP_LOCK_DIR sandboxes /run/lock; HelperPool reaps every
  helper + recorded grandchildren). First full run on cc-ci: 20 passed in 9.96s, zero flakes in
  3 repeat runs during the P5 verification re-runs.
 - Design notes for the Adversary's blind-spot hunt (my own known limits):
  - case 8 (two janitors) uses threads in one process — valid because flock conflicts are
    per-open-file-description, and overlap is forced via a Barrier + 2s slow teardown stub.
  - case 14 relies on reparent-to-pid-1 (true on the cc-ci host; would need adjustment in a
    subreaper environment — marked NEVER_REPARENTED visibly if so).
  - cases 5-12 stub teardown_app (recording) — janitor probe/reap ordering is what's under
    test, not teardown internals (covered by Phase-1 e2e + M2 live checks).
 - M1 claimed at e8e52cf; full verification recipe in STATUS-conc.md (WHAT/WHERE/HOW/EXPECTED).
 ## 2026-06-10 — M2: merge + live verification (a)
 - Merge: bb5eb3d (--no-ff) pushed; push build 266 (self-test lint+hello) SUCCESS.
 - (a) cancel-mid-run: !testme on immich#2 → build 267 (custom) running on the NEW harness —
  log shows the setsid/trap wrap + "== per-run ABRA_DIR: /var/lib/cc-ci-runs/267/abra ==";
  lock /run/lock/cc-ci-app-immi-ad3e33...lock held by pid 636902; 4 immich services up.
  Canceled via drone API 04:42:07Z (HTTP 200, build status "killed"). Result: harness pid
  GONE (no leaked python — the old §8.1 gap is closed), immich services 0, volumes 0,
  secrets 0, .env 0 — the SIGTERM funnel ran the run's own teardown (better than the plan's
  minimum, which allowed the janitor to do the reaping). Lock RELEASED (lockfile present but
  unheld — tidy-swept by the next janitor, to be observed during (b)).
 - (b) triggered 04:46:53Z: !testme immich#2 (comment 14287) + plausible#3 (14288) in parallel.
 ## 2026-06-10 — M2(b) round 1: green runs, poisoned exit code → wrapper fix
 - Builds 268 (immich#2) + 269 (plausible#3) ran in PARALLEL on the new harness: both logs end
  with all-tiers-pass RUN SUMMARY (level=4, deploy-count 1/1) and the host shows ZERO leakage
  after (no harness processes, no immi/plau services/volumes/secrets, only unheld lockfiles).
  Both steps nevertheless exited 1: the P1 EXIT trap's kill of the already-gone process group
  returns ESRCH under the runner's `set -e` shell — a GREEN run reported failure.
 - Reproduced minimally on-host (`sh -e` and `bash -e`: rc=1 on a clean exit with the old trap).
  Fix e1c4198 (capture rc; `trap - TERM EXIT`; `|| true` on the trap kill) verified on-host:
  green rc=0, red rc=7 propagated, TERM→wrapper forwards to child, exits 143. Merged to main
  b7a009c; push builds 272-274 green. Adversary notified via inbox.
 - (b) re-triggered on the fixed wrapper 04:56:10Z (immich#2 + plausible#3).
 ## 2026-06-10 — M2(b) PASS + (c) triggered
 - (b) round 2 on fixed wrapper: builds 275 (immich#2) + 276 (plausible#3) ran in PARALLEL,
  BOTH status=success (drone API). Host after: 0 python harness processes, 0 immi/plau
  services/volumes/secrets/.envs — zero leakage. (d) satisfied by 275 (full green immich e2e).
  Leftover unheld lockfiles present by design (tidy-swept at next janitor).
 - (c) double-!testme on immich#2: two comments at 05:03:58Z → two custom builds, same run
  domain immi-ad3e33 → exactly one must block on the app lock with the visible log line.
 ## 2026-06-10 — CONC-A1: (c) failure root-caused + fixed (run-keyed state files)
 - (c) round 1 = builds 279+281, both RED. Root cause (independently also found+filed by the
  Adversary as CONC-A1 while I was mid-diagnosis — same conclusion from both loops): the four
  run-scoped state files (deploys/opstate/deps/depskip) were DOMAIN-keyed in shared /tmp;
  281's main()-preamble + pre-lock _record_deploy fired before it blocked on the app lock →
  279 read deploy-count 2 (false DG4.1 RED); 279's end-of-run os.remove deleted the shared
  countfile → 281 crashed FileNotFoundError at its own read. Lock serialization itself worked
  (281: waiting @+2s, acquired @+194s = 279's exit). Masked pre-restructure by the
  end-to-end recipe flock.
 - Fix b6e12ef on branch, merged to main 139e319: _run_state_path() keys all four by
  run id + harness pid; consumers were always env-fed (CCCI_*_FILE), so domain keying was
  never load-bearing. Both cleanup sites already remove all four on normal exit.
 - New tests/concurrency/test_run_state.py (suite now 23): path invariants + real-process
  CONC-A1 interleaving via helpers.py `deploy-count-run` (countfile init → pre-lock
  _record_deploy → acquire → gated read). Teeth verified: under simulated shared keying the
  regression test FAILS (host run: 3 failed); with the fix: 23 passed + 138 unit + lint PASS.
 - Next: push build green → re-run (b)+(d), then (c), then (a) per the VETO's conditions.
 ## 2026-06-10 — M2 re-verification on CONC-A1-fixed main (139e319)
 - Push builds 283/284/285 (branch fix, merge, inbox) all green.
 - (b)+(d) round 3 (comments 14299/14300, 08:17:35Z): builds 287 (immich#2) + 288 (plausible#3)
  BOTH success, started simultaneously 08:17:40Z (parallel), finished 08:21:06/08:21:13.
  Both logs: deploy-count = 1 (expect 1), level=4. Host after: pgrep -f 'run_recipe_c[i]' → no
  match (earlier "2" was pgrep self-match of the ssh cmdline); immi/plau services/volumes/
  secrets/server-envs all 0. Zero leakage. (d) satisfied by 287 (full green immich e2e on the
  final harness code).
 - (c) round 2 triggered 08:22:13Z: comments 14303+14304 on immich#2 (same domain immi-ad3e33).
 ## 2026-06-10 — M2(c) PASS round 2 (builds 290+291) + (a) re-run triggered
 - (c) round 2: builds 290 (08:22:30→08:46:05) + 291 (08:22:33→08:49:23) BOTH success.
  291 log: "== app lock: another run of immi-ad3e33... in flight — waiting ==" at +1s,
  "acquired" at +1411s = exactly 290's exit. Both: deploy-count = 1 (expect 1), level=4.
  Slowness was an immich-ML healthcheck flake (Adversary cross-confirmed live via lslocks:
  one holder pid 739163, one waiter pid 739341 on the same lock inode — serialization observed
  in the kernel lock table); ML converged inside the 1500s window, both runs green anyway —
  no clean re-run needed.
 - After both: no harness procs (pgrep run_recipe_c[i] empty), 0 immi/plau services/volumes/
  secrets/server-envs. Unheld lockfile remains by design (tidy-swept at next janitor probe).
 - (a) re-run on fixed harness: !testme immich#2 comment 14307 @08:50:02Z; will cancel mid-run
  via drone API once the deploy is in flight, then check pid/lock/leakage + janitor reap.
 ## 2026-06-10 — M2(a) re-run PASS (build 295) + M2 claim
 - (a) on fixed harness: build 295 (comment 14307 @08:50:02Z) canceled @08:51:05Z (HTTP 200)
  while mid-deploy (lock held by pid 763099, 4 immich services converging). Harness pid GONE
  @08:51:15Z — the SIGTERM funnel ran the run's own teardown inside 10s; build status=killed;
  lock released (lslocks empty); services/volumes/secrets/envs all 0. Zero leakage, no janitor
  required.
 - Adversary lifted the CONC-A1 VETO @09:05Z with its own M2(c) PASS (290/291 cold-verified,
  kernel-lock-table serialization observation). Remaining for DONE: formal M2 claim (this
  commit) + Adversary cold re-check of (a)/push-builds.
 - M2 claimed in STATUS-conc.md with consolidated (a)-(d) evidence + cold re-check recipe.
 ## 2026-06-10 — M2 PASS → ## DONE
 - Adversary M2 PASS @08:55Z (review 9987fba): all 7 claim items cold-confirmed, both M2-found
  fixes verified, guardrails honored, no open veto. Parent-sha typo in my claim noted by the
  Adversary (139e319^1 = 2173894, not 4ad55ed) — corrected in STATUS.
 - ## DONE written to STATUS-conc.md. Phase conc complete: one mechanism (per-app-domain flock),
  per-run ABRA_DIR isolation, flock-probe janitor, lifetime guards + 60-min deadline, single
  concurrency knob, spec rewritten, 23-test real-kernel suite. Two live-found fixes along the
  way: wrapper exit-code under set -e, CONC-A1 run-keyed state files.
--- a/machine-docs/JOURNAL-dash.md
+++ b/machine-docs/JOURNAL-dash.md
@ -0,0 +1,58 @@
 # JOURNAL — phase `dash` (reasoning; Adversary does not read before verdict)
 ## 2026-06-17 — M1 design + implementation
 **Root cause (confirmed against plan §1 + host):** `history_for` read `_custom_recipe_builds()`,
 which fetches a single Drone page `…/builds?per_page=100`. The recent `regall` sweep `!testme`'d all
 21 recipes once, filling the latest-100 window, so each recipe's older runs fell outside it → most
 recipes rendered exactly 1 history row. Host has 432 run dirs (308 parseable `results.json`).
 **Why source from local artifacts, not paginate Drone:** the plan's chosen design. Local artifacts
 are complete (308 finished runs vs 100-build Drone window), durable (independent of Drone
 retention/pagination), already bind-mounted read-only, and already read per-run by `_results_for`.
 Pure-local also removes a network dependency + failure mode from the history page. I deliberately did
 NOT merge in Drone "currently running" live status (plan lists it as an optional "e.g." value-add):
 it re-introduces the Drone dependency and the overview already shows live status; the DoD asks only
 that the *historical* list come from local artifacts. Recorded as a decision.
 **Status derivation:** `results.json` (schema 2) has no top-level status field. Derived from the
 per-stage `results` map: any `fail`/`error` → failure; all `pass`/`skip` → success; else unknown.
 A skip alone is not a failure (e.g. custom-html-bkp-bad: backup=fail → failure; level-5 plausible:
 all pass → success). This matches what the run actually did without inventing a Drone call.
 **The sort trap (flagged by Adversary's pre-claim baseline too):** run ids are MIXED numeric
 (`753`,`556`) and named (`m2r-bluesky-pds`,`ab-bluesky-pds-oldmain`). `int(run_id)` would crash on
 named ids; lexical sort would scatter them and misorder `9…` vs `7…`. The ONLY correct order is by
 `finished` timestamp. Sort key = `(finished, _numeric_id)` reverse — finished is primary, numeric id
 is a stable tiebreak (named ids get -1, so timestamp always decides their slot). Verified the output
 matches the Adversary's independently-derived bluesky-pds order byte-for-byte.
 **Cap:** `HISTORY_CAP=30` (env-overridable). Sorted newest-first BEFORE slicing, so the cap keeps the
 30 newest and drops the oldest — verified plausible (33 runs) keeps the newest 30, drops oldest 3.
 **Caching:** `_local_history` scans the whole runs dir once per `CACHE_TTL` (reuses the existing 30s
 TTL) and groups by recipe, so a busy page doesn't json-load 300+ files per request. `_results_for`
 (already traversal-guarded) is reused for each dir read, so the path-traversal guarantee is unchanged.
 **Retention:** 308 parseable runs present spanning many days — retention is adequate; no trimming of
 `/var/lib/cc-ci-runs` observed that would vanish history. Will confirm no cleanlogs/prune job trims it
 during M2 and record in DECISIONS if a cap is ever needed (none needed now).
 **Local verification (M1):** 13/13 unit tests pass (incl. new local-sourcing test). Full-fixture run
 against all 308 real `results.json` + injected malformed/empty/no-recipe dirs: bluesky-pds=8 in exact
 timestamp order, plausible capped 30 (newest kept), 308 total grouped, edge dirs skipped without
 raising, security guards (`_RUN_ID_RE`, `_results_for`, `serve_run_file`) all still reject traversal.
 ## 2026-06-17 — M2 deploy + live verify
 **Deploy gotcha (recorded):** `nixos-rebuild switch --flake /etc/cc-ci#cc-ci` FAILED:
 `error: path '…/secrets/secrets.yaml' does not exist`. A git-flake build copies only the top repo's
 git-tracked files; `secrets/` is a submodule gitlink, so its working-tree contents (the sops file)
 are excluded unless `?submodules=1`. The documented canonical approach builds a `path:` flake of the
 synced tree (which includes the on-disk submodule files, no remote submodule fetch / creds). Did:
 tar `/etc/cc-ci` minus `.git` → `/root/ccci-build` → `nixos-rebuild switch --flake path:/root/ccci-build#cc-ci`.
 Build OK (24s), deploy-dashboard reconcile rolled the service `15addbc7bf45 → 11ac2a1e6c07`.
 **Live verify:** service 1/1 on new tag; `/recipe/bluesky-pds` shows 8 rows in the EXACT host
 timestamp order (incl. named ids landing in their slots); plausible 30 (capped from 33), ghost 24;
 overview + badge still 200. Retention: no module trims `/var/lib/cc-ci-runs`; 439 dirs over 17 days.
--- a/machine-docs/JOURNAL-drone.md
+++ b/machine-docs/JOURNAL-drone.md
@ -0,0 +1,59 @@
 # JOURNAL — phase drone (drone enrollment with gitea SCM dep)
 **Phase plan:** `/srv/cc-ci/cc-ci-plan/plan-phase-drone-enroll.md`
 **Builder:** autonomic-bot / Claude
 ---
 ## 2026-06-11 — Phase start + design decisions
 ### Context read
 - P0 confirmed: `/etc/timezone` exists (UTC) on cc-ci host — fix from commit 3bde76f is live
 - Adversary pre-probes read from REVIEW-drone.md:
  - Confirms P0 satisfied
  - Confirms drone 1.9.0+2.26.0 (latest), 1.8.0+2.25.0 (previous) — upgrade tier viable
  - Confirms gitea 3.5.3+1.24.2-rootless (latest), sqlite3 overlay is right choice for dep
  - Confirms SCM-configured test must exercise actual OAuth flow (not just /healthz)
 ### Architecture decisions
 **Gitea as dep:**
 - Use `compose.sqlite3.yml` overlay — no mariadb needed for a CI dep; lighter resource footprint
 - `REQUIRE_SIGNIN_VIEW=false` so health check works without login
 - Admin user created via `gitea admin user create` CLI in container post-deploy
 - OAuth2 app created via gitea API (basic auth with ci_admin user)
 **SCM-configured test:**
 - Playwright test completes the full gitea→drone OAuth flow
 - Navigates to drone's /login → redirects to gitea OAuth authorize page
 - Fills ci_admin credentials → clicks authorize → lands on drone dashboard
 - Verifies drone `GET /api/user` returns 200 (session valid)
 - This proves the full OAuth circuit works (not just health)
 - Negative teeth: a drone without gitea wiring would not redirect to gitea
 **Drone EXTRA_ENV in install_steps.sh:**
 - Sets `COMPOSE_FILE=compose.yml:compose.gitea.yml` (activates gitea SCM overlay)
 - Sets `GITEA_CLIENT_ID`, `GITEA_DOMAIN` from deps creds
 - Creates `client_secret` Docker secret with gitea OAuth2 client_secret
 - Sets `DRONE_USER_CREATE=username:ci_admin,admin:true` (ci_admin = gitea admin user)
 **Backup analysis:**
 - Drone recipe compose.yml has `data` volume but NO backupbot labels
 - `abra.sh` only exports `DRONE_ENV_VERSION=v2`, no backup functions
 - Therefore: `backup_capable=False`, backup rung = structural skip (justified in PARITY.md)
 ### Implementation sequence
 1. Add `setup_gitea_oauth()` to `runner/harness/sso.py`
 2. Update `_enrich_deps_with_sso` in `runner/run_recipe_ci.py` for gitea
 3. Create `tests/gitea/recipe_meta.py`
 4. Create `tests/drone/recipe_meta.py`
 5. Create `tests/drone/install_steps.sh`
 6. Create `tests/drone/functional/test_scm_configured.py`
 7. Create `tests/drone/PARITY.md`
 8. Add unit tests
 ---
 ## 2026-06-11 — Implementation
 _Evidence of each step logged below as work proceeds._
--- a/machine-docs/JOURNAL-dstamp.md
+++ b/machine-docs/JOURNAL-dstamp.md
@ -0,0 +1,186 @@
 # JOURNAL — phase `dstamp` (Builder, reasoning/private)
 ## 2026-06-11 — Bootstrap + investigation
 Read the phase plan, plan.md §6.1/§7/§9, the Adversary's REVIEW-dstamp prep notes, and the
 stamp-relevant harness code (`abra.py`, `lifecycle.py:deployed_identity/recipe_checkout_ref/
 chaos_redeploy/prepull_images`, `generic.py:perform_upgrade/assert_upgraded`, run_recipe_ci
 upgrade op + fetch_recipe).
 ### Mechanism (from abra source @06a57de = the pinned binary)
 chaos-version label is set in `cli/app/deploy.go`: for a `-C` deploy, `getDeployVersion` (l.365)
 returns `Recipe.ChaosVersion()` (l.367-373) and `SetChaosVersionLabel(compose, stack, toDeployVersion)`
 (l.168). `ChaosVersion` (`pkg/recipe/git.go:300`) = `formatter.SmallSHA(Head().String())` + `+U`
 if dirty. `Head` (l.483) = go-git `repo.Head()`. Crucially, `app.Recipe.Ensure(ctx)` (deploy.go:86)
 calls into git.go:38 which **early-returns on `ctx.Chaos`** (l.41-43) — so a chaos deploy does NOT
 re-checkout the .env version. `GetEnsureContext` (cli/internal/ensure.go) wires `EnsureContext{Chaos,
 Offline, IgnoreEnvVersion=DeployLatest}` from the CLI flags. So `-C` ⇒ Ensure no-op ⇒ chaos version
 = whatever git HEAD the harness left checked out.
 ### The contradiction that drove the dig
 The m2p failure message is `chaos commit 'eb96de94+U', not the intended PR-head '7ae7b0f76efb'`.
 `eb96de9` = tag `0.7.0+3.3.1` (the upgrade base); `7ae7b0f` = PR head (9 commits past that tag,
 and there is NO 0.8/0.9 tag despite HEAD's "upgrade to 0.9.0+3.5.0" message). The harness
 `perform_upgrade` does `recipe_checkout_ref(head_ref=7ae7b0f)` then `chaos_redeploy`, with only
 `env_set` + `prepull_images` (pure docker compose, no git) in between — and the run's recipe
 **snapshot HEAD = 7ae7b0f**. So at deploy time HEAD *should* be 7ae7b0f ⇒ stamp 7ae7b0f. Yet it
 stamped eb96de9. abra's source says chaos = Head(); so for eb96de9 to be stamped, HEAD had to be
 eb96de9 at the chaos deploy — which the isolated flow never produces.
 ### Reproductions (all on cc-ci, scratch ABRA_DIR, deploys bail at `secret not generated`
 ### which is deploy.go:140, AFTER the chaos version is computed+logged at deploy.go:372)
 1. cp -a canonical recipe, checkout head→base(tag)→head, `abra app deploy -C` → `taking chaos
   version: 7ae7b0f7`. HEAD stays 7ae7b0f. NO drift.
 2. real non-chaos base deploy (exercises go-git `EnsureVersion` which checks out tag via
   `Branch: refs/tags/0.7.0+3.3.1`, leaving HEAD=eb96de9), then CLI `git checkout -f head`, then
   `-C` deploy → `taking chaos version: 7ae7b0f7`. NO drift.
 3. mirror-faithful: `git clone <recipe-maintainers/discourse>` + `git checkout 7ae7b0f` +
   `git fetch <coop-cloud/discourse> refs/tags/*:refs/tags/*` (exact `fetch_recipe`), then base
   deploy → re-checkout head → `-C` deploy → `taking chaos version: 7ae7b0f7`. NO drift.
 Conclusion: the isolated git/abra version-resolution path is **correct** in the current host
 state. The drift is not in that path.
 ### Timeline / differentiator
 - abra binary: constant since 2026-06-01 (system-4). Not abra.
 - Same ref 7ae7b0f: run 184 (06-05 02:17, **solo**) was L4 upgrade-PASS. The drift runs
  (m2b 06-10 20:54, m2p 06-11 00:44, ab 06-11 00:48) are **clustered** (m2p & ab 4 min apart →
  overlapping for a multi-tier discourse run that takes ≫4 min).
 - `app_domain` hashes (recipe|pr|ref) ⇒ all three drift runs, same ref, **collide on one swarm
  stack**. The upgrade `chaos_redeploy` does NOT take `deploy_app`'s app-domain flock, so two
  concurrent runs can interleave deploys on the shared stack and the `<stack>_app` service label
  read by `deployed_identity` reflects whichever deploy last wrote it.
 **Leading hypothesis:** the "harness-neutral env drift" is actually a **concurrency artifact** of
 the rcust-phase M2 A/B discourse experiments running near-simultaneously on the shared stack — not
 an abra/recipe/environment regression. Run 184 solo = green; clustered 06-11 = drift; isolated
 re-reproduction now = green. Testing with one clean isolated real run (install,upgrade) before
 committing to this attribution — direct evidence required by the plan, not inference alone.
 Open: must still explain *exactly* how a concurrent peer produces an `eb96de9+U` (dirty CHAOS)
 label on the shared stack — a base deploy is pinned/non-chaos (no chaos label), so the +U chaos
 label must come from some chaos deploy with HEAD=eb96de9. The isolated real run + (if needed) a
 deliberate 2-run concurrency repro will nail the mechanism. Will NOT claim M1 on inference.
 ## 2026-06-11 (cont.) — REAL runs: concurrency REFUTED, true root cause = swarm rollback
 Three real install+upgrade runs of discourse @7ae7b0f (CCCI_RUN_ID=dstamp-repro{1,2,3}), each
 SOLO/isolated (no concurrent discourse run):
 - **base deploy is CHAOS** (not pinned): `compose.ccci.yml` overlay is present ⇒
  `deploy_app` takes the `has_ccci_overlay` auto-chaos branch (`lifecycle.py:291-298`). So the
  base stamps `chaos-version = eb96de9+U` on the shared stack. (My earlier bail-at-secrets repros
  used a non-chaos/manual base → that's why they didn't expose it.)
 - **repro1 (unpatched): upgrade FAIL** — `chaos commit 'eb96de94+U', not 7ae7b0f76efb`. The
  per-run tree reflog + snapshot prove HEAD = **7ae7b0f** at the upgrade deploy (last checkout
  16:39:03, no checkout-back), yet the deployed `.Spec` chaos label was eb96de9+U.
 - **repro2 (instrumented: abra deploy `--debug` + a HEAD-print subprocess before the redeploy):
  upgrade PASS** — `[DSTAMP] taking chaos version: 7ae7b0f7+U`, HEAD=7ae7b0f,
  `deployed_identity = {version 0.9.0+3.5.0, image bitnamilegacy/discourse:3.3.1, chaos 7ae7b0f7+U}`.
 So the SAME solo config is **intermittent** (184✓ 06-05, m2b/m2p/ab✗ 06-10/11, repro1✗, repro2✓);
 flipping with a tiny timing change ⇒ **NOT a concurrency artifact, NOT abra version-resolution**
 (abra computes 7ae7b0f7 correctly — proven by repro2's debug line AND all 3 bail-at-secrets repros).
 **TRUE ROOT CAUSE (recipe deploy policy + heavy/flaky new task):** discourse `compose.yml` app
 service sets `deploy.update_config: { failure_action: rollback, order: start-first }` with a
 `healthcheck.start_period: 20m`. The upgrade chaos deploy applies the head spec
 (`chaos-version=7ae7b0f7+U`) start-first (old + new task co-resident = ~2× memory for a
 precompile-heavy Rails app). When the NEW task intermittently fails swarm's update monitor,
 swarm executes **failure_action: rollback ⇒ reverts the app service to its PreviousSpec (the
 base: `chaos-version=eb96de9+U`)**. Under `start-first` the OLD task keeps serving, so the
 harness `wait_healthy` still passes — but `deployed_identity` reads `.Spec.Labels` of the
 ROLLED-BACK spec and sees the base commit. The "since ~06-10 on every run" pattern = the
 rcust-phase runs happened under heavier host load (warm keycloak etc.), so the new task reliably
 failed the monitor ⇒ rollback every time; the solo 06-05 run (184) didn't roll back. Harness- and
 abra-neutral, exactly as observed.
 repro3 (UpdateStatus + PreviousSpec capture, NO --debug to preserve failing timing) running to
 get the swarm rollback in the act (expect `UpdateStatus.State = rollback_*`, `PreviousSpec.Labels`
 chaos=eb96de9+U == the read `.Spec.Labels` after revert). That is the direct-evidence smoking gun.
 ### DIRECT EVIDENCE — captured (repro4, solo/isolated, upgrade FAIL)
 repro3 base deploy FATA'd (abra convergence monitor gave up — discourse is genuinely flaky/heavy
 under load, which is the very premise). repro4 reached the upgrade and the post-`chaos_redeploy`
 `docker service inspect <stack>_app` capture is the smoking gun:
 - `UpdateStatus = {"State":"updating","Message":"update in progress"}`
 - `.Spec.Labels`  chaos-version = **7ae7b0f7+U**, version = 0.9.0+3.5.0  (HEAD spec applied OK)
 - `.PreviousSpec.Labels` chaos-version = **eb96de94+U**, version = 0.7.0+3.3.1 (the base)
 - `deployed_identity` (same instant) = chaos **7ae7b0f7+U**  (reads Spec, correct)
 Then `wait_healthy` ran (old task serving under start-first → passes); the new task failed swarm's
 monitor → `failure_action: rollback` reverted `.Spec` → `.PreviousSpec` (eb96de94+U); the
 assertion-phase read saw eb96de94+U → HC1 FAIL. The ONLY operation that turns `.Spec.Labels` from
 7ae7b0f7+U into the exact `.PreviousSpec` eb96de94+U is a swarm rollback. abra+harness exonerated;
 the head was really deployed and then swarm-reverted. Attribution complete, by direct evidence.
 Note the app image is `bitnamilegacy/discourse:3.3.1` for BOTH base and head spec (head only bumps
 the version label + db image), so the new task isn't failing on a missing image — it's the
 start-first 2× co-residency of the precompile/Rails-heavy app under host memory pressure (a real
 new-task failure, intermittent), which trips `failure_action: rollback`.
 ### Fix plan (HC1 teeth preserved)
 - Reliability: `tests/discourse/compose.ccci.yml` overlay → app `deploy.update_config.order:
  stop-first` (old stops before new starts → new boots with full memory → genuinely healthy → no
  spurious rollback). Upgrade-to-head still really deployed+asserted; not a weakening. WHY in header.
  Risk to weigh: stop-first = brief real downtime during the CI upgrade (covered by DEPLOY_TIMEOUT
  3600). Alternative `failure_action: pause` REJECTED — it would let a genuinely-failed new task
  pass HC1 (start-first keeps old serving) = test-weakening.
 - Correctness: harness upgrade path asserts the redeploy converged to the head spec (UpdateStatus
  not rollback*/paused / `.Spec` not reverted to `.PreviousSpec`) → honest failure message on a
  real rollback, instead of the misleading "re-checkout failed". General (all rollback-policy
  recipes). HC1 teeth intact: a head that truly can't stay healthy still fails.
 - Will validate stop-first actually eliminates the rollback with a full real run before claiming.
 ## 2026-06-11 (cont.) — fix validated + blast-radius
 **Fix implemented** (commit 0cc31a5): (1) `tests/discourse/compose.ccci.yml` app service
 `deploy.update_config.order: stop-first`; (2) `lifecycle.assert_upgrade_converged()` + call in
 `generic.perform_upgrade` right after `chaos_redeploy` (before wait_healthy) — waits for swarm's
 app-service rolling update to reach a TERMINAL state and FAILs honestly on rollback*/paused.
 Unit tests: 253 passed (no regression).
 **fix1 validation** (run `dstamp-fix1`, fresh checkout @0cc31a5, install+upgrade, solo): UPGRADE
 **PASS** — `upgrade-converged: …UpdateStatus=completed`, `upgrade→PR-head: head_ref=7ae7b0f7
 chaos-version=7ae7b0f7+U version=0.7.0+3.3.1→0.9.0+3.5.0`. The head is deployed, the update
 converges (no rollback), HC1 reads 7ae7b0f7+U. (Bug was intermittent — running more to show
 reliability, since repro2 passed unpatched.)
 **Blast-radius sweep** — recipes with `failure_action: rollback` + `order: start-first`:
 `discourse, drone, keycloak, n8n, traefik`. Evidence check of the upgrade tier across many runs
 (incl. the rcust-era m2r-* runs under the same heavy load):
 - keycloak: runs 155/186/187/m2r/shot-proof → upgrade PASS L4 (HC1 pass ⇒ chaos==head). NOT affected.
 - n8n: runs 47/54/61/162/197/m2r/shot-proof → upgrade PASS L4. NOT affected.
 - drone, traefik: cc-ci INFRA (warm-reconciled), NOT enrolled in the recipe-CI upgrade tier.
 ⇒ **Only discourse actually exhibits the drift** — its app is uniquely heavy (Rails asset
 precompile, 2.4GB image) so the start-first 2× co-residency OOMs the new task; the lighter
 keycloak/n8n new tasks survive swarm's monitor, so no rollback. The general harness guard
 (`assert_upgrade_converged`) now protects ALL rollback-policy recipes from a silent future
 rollback (honest failure), and discourse additionally gets stop-first to converge reliably.
 ### Hardening (commit e9c26c7) + fix2 validation
 Adversary independently confirmed the root cause + assessed the fix CORRECT (REVIEW-dstamp probe),
 flagging one non-blocking race: assert_upgrade_converged's first poll could read a STALE terminal
 `completed` (from the install/base deploy) before swarm schedules the new roll → return OK
 prematurely → miss a later rollback. Hardened with a two-phase wait: phase 1 confirms the NEW
 update is scheduled (`UpdateStatus.StartedAt` advances past the pre-redeploy value, captured via
 `update_status_started`, or state is in-flight `updating`/`rollback_started`), with a 30s grace for
 a genuine no-op redeploy; phase 2 then waits for the terminal verdict. fix2 (hardened, fresh
 checkout @e9c26c7, install+upgrade): UPGRADE **PASS** — `upgrade-converged: …UpdateStatus=completed`,
 `chaos-version=7ae7b0f7+U version=0.7.0+3.3.1→0.9.0+3.5.0`. Two consecutive green fixed runs
 (fix1+fix2) vs intermittent unpatched failures (repro1✗ repro4✗ repro2✓). Unit tests 253 pass.
 ### M1 claimed
 Attribution + minimal repro + 06-05→06-10 change + fix + blast-radius all complete and
 Adversary-pre-confirmed → claiming M1 (verification recipe in STATUS-dstamp). Next: M2 — full
 all-stages discourse green at true level via the drone `!testme` path (the recipe-CI pipeline runs
 `cc-ci-run runner/run_recipe_ci.py` from the drone-cloned cc-ci workspace, so e9c26c7 is live for
 !testme — no nixos-rebuild needed for the harness), other recipes re-proven (none affected), HC1
 teeth shown (wrong stamp still FAILs), DEFERRED closed.
 Fix direction (HC1 must keep its teeth — do NOT relax the commit match): the upgrade chaos redeploy
 must assert against the *intended* applied spec, not a silently rolled-back one — i.e. the harness
 must DETECT a swarm rollback (UpdateStatus.State rollback*) and treat it as an upgrade FAILURE with
 a clear message (the deploy did not converge to the head spec), AND/OR make the upgrade redeploy not
 subject to silent rollback masking (e.g. assert UpdateStatus completed before reading identity).
 The recipe's rollback policy is legitimate for prod; the harness bug is that a rollback is invisible
 to HC1 and masquerades as "stamped the wrong commit". Will finalise the fix after repro3 confirms.
--- a/machine-docs/JOURNAL-ghost.md
+++ b/machine-docs/JOURNAL-ghost.md
@ -0,0 +1,81 @@
 # JOURNAL — phase ghost
 ## 2026-06-13T07:10Z — Phase start, PR inventory, fresh run triggered
 ### PR inventory findings
 Three open PRs on recipe-maintainers/ghost:
 - **PR#4** (d88f5801): `chore: upgrade to 1.4.0+6.44.1-alpine` — the correct upgrade PR.
  Had 4 pre-proxy-fix failures, all on 2026-06-12. The detailed failure in build 519 showed
  MySQL 8.0→8.4 data-dir timing under load (Swarm UpdateStatus=paused) but the server
  was under unusual load at the time (IPAM fix, Docker daemon restart, multiple concurrent builds).
  The 3/3 budget was exhausted and then a 4th run was triggered at 21:51Z by the cfold/ghost agent,
  also failing (pre-proxy-fix).
 - **PR#5** (d42d0f7c): `ci: cfold ghost green-head probe` — created by cfold/ghost agent as
  sweep probe to verify the old-green head separately from the current PR#4 head regression.
  Passed build 585 at 03:59Z on 2026-06-13 (BEFORE proxy fix at 05:38Z), so this pass was
  on old infra. Not the correct PR — close after M2.
 - **PR#3** (720faa0b): `chore: upgrade to 1.3.0+6.43.1-alpine` — superseded by PR#4. Close.
 ### Proxy fix status
 `docker network inspect proxy` shows subnet 10.10.0.0/16 — the /16 fix is in place.
 pvfix completed at 05:38Z on 2026-06-13, pvcheck completed (M1+M2 PASS).
 ### No resource leaks
 `docker stack ls`, `docker service ls`, `docker volume ls` — no ghost stacks or volumes.
 ### Decision: trigger fresh post-proxy !testme on PR#4
 The phase plan says "Do not count pre-proxy failures as current recipe evidence" and to run
 one clean post-proxy `!testme`. All 4 failures on PR#4 were pre-proxy-fix.
 PR#5's build 585 passed the OLD head (d42d0f7c, ghost 6.44.0) but that was also pre-proxy-fix.
 The upgrade path under test in PR#4 is different: upgrading to 1.4.0 (ghost 6.44.1 + mysql 8.4
 from mysql 8.0 base). This is the critical path.
 ### Why the prior failures may be infra-confounded
 The diagnostic comment on PR#4 (build 519) specifically mentions "Docker daemon had just been
 restarted (IPAM fix), multiple concurrent builds in progress, resulting in slower MySQL startup".
 This is a direct load-induced timing issue, not a systematic recipe bug. The /16 proxy fix means
 there's no longer VIP exhaustion risk, and we're not in the middle of an IPAM repair.
 However, the MySQL 8.0→8.4 data-dir upgrade timing is a real concern even without load pressure —
 the update_config.monitor: 5s default may genuinely be too short for the migration. The fresh run
 will clarify this.
 ## 2026-06-13T06:20Z — Build #612 PASSED — level 5/5
 Build #612 triggered by !testme on PR#4 at 06:12:48Z, completed ~06:20Z.
 Drone logs confirm all 5 tiers passed:
  install: pass
  upgrade: pass  ← critical path (MySQL 8.0→8.4 data-dir migration)
  backup: pass
  restore: pass
  custom: pass
 Level 5/5 — results.json written, summary.png + badge.svg generated.
 The upgrade tier passed cleanly. This confirms the prior failures were load-induced (infra-confounded).
 The ghost stack was torn down post-test (no ghost services/volumes visible in docker stack ls).
 Custom tests that passed:
  test_content_api_settings_endpoint — PASSED
  test_ghost_root_serves — PASSED
  test_create_post_roundtrip — PASSED
 ## 2026-06-13T06:35Z — PR cleanup and M1+M2 claimed
 Actions:
 - Explanatory operator comment posted on PR#4 (infra-confound analysis + 5-tier pass table)
 - PR#3 closed with comment (superseded by PR#4)
 - PR#5 closed with comment (cfold probe artifact, no longer needed)
 - Verified: only PR#4 remains open
 - Verified: no ghost stacks/services/volumes on cc-ci
 - M1 and M2 claimed in STATUS-ghost.md
--- a/machine-docs/JOURNAL-gtea.md
+++ b/machine-docs/JOURNAL-gtea.md
@ -0,0 +1,223 @@
 # JOURNAL — phase gtea (gitea full-test enrollment)
 Builder private log. Append-only.
 ---
 ## 2026-06-15 — Phase start + initial suite build
 ### Context read
 - Phase plan: /srv/cc-ci/cc-ci-plan/plan-phase-gtea-gitea-fulltests.md
 - Reference tests: /srv/cc-ci-orch/references/recipe-maintainer/recipe-info/gitea/tests/
  - health_check.py — checks HTTP 200 from root URL
  - git_push.py — create repo → clone → push → verify via API → delete repo
  - NOTE: These files exist ONLY in the local references directory, NOT in the upstream
    recipe-maintainers/gitea repo (which has no tests/ directory). PARITY.md updated to
    reflect this accurately (references are from recipe-info corpus, not the upstream recipe).
 - gitea recipe on cc-ci: compose.yml (backupbot.backup=true), compose.sqlite3.yml
 - PR #1 (lfs-plain-gitea → main): adds compose.lfs.yml + LFS_JWT_SECRET in app.ini.tmpl
 - Versions in abra release dir: 2.0.0+1.18.0, 2.1.2+1.19.3, 2.6.0+1.21.5, 3.0.0+1.22.2-rootless
 - Adversary notes: latest recipe tag is 3.5.3+1.24.2-rootless; LFS PR bumps to 3.6.0
 ### Design decisions
 **LFS dep-vs-recipe-under-test split mechanism:**
 - EXTRA_ENV(ctx) checks TWO conditions: (1) compose.lfs.yml exists in $ABRA_DIR/recipes/gitea/,
  AND (2) RECIPE=gitea env var is set. Both conditions required.
 - Condition (1) ensures LFS is never enabled on main (overlay absent).
 - Condition (2) ensures LFS is never enabled when gitea is drone's dep (RECIPE=drone).
 - The dep path is thus byte-for-byte identical whether or not compose.lfs.yml exists.
 - Decision documented in DECISIONS.md (phase gtea).
 **Admin user management:**
 - gitea has no built-in admin user from abra deploy. Admin is created via `gitea admin user create`.
 - ops.pre_install creates admin user `ci_admin` with a random 32-char hex password.
 - Credentials stored at /tmp/ccci-gitea-admin-{domain}.json (mode 600) for reuse across hook calls.
 - All subsequent pre_* hooks read from this file (ops module re-imported per op).
 **Marker repo:**
 - Marker = git repo named `ci-marker` owned by `ci_admin`, auto_init=True.
 - pre_upgrade/pre_backup: ensure marker exists (idempotent create)
 - pre_restore: DELETE the marker repo (diverge from backup state)
 - test_upgrade: assert marker survived chaos redeploy
 - test_backup: assert marker exists at backup time
 - test_restore: assert marker returned (restore reverted deletion)
 ### Files written
 1. tests/gitea/recipe_meta.py — UPDATED (added BACKUP_CAPABLE, READY_PROBE, SCREENSHOT,
   LFS-conditional EXTRA_ENV; header updated to dual-role)
 2. tests/gitea/ops.py — NEW (admin user + marker repo hooks)
 3. tests/gitea/test_install.py — NEW (assert_serving + API + admin auth + Playwright)
 4. tests/gitea/test_upgrade.py — NEW (marker survived upgrade)
 5. tests/gitea/test_backup.py — NEW (marker captured in backup)
 6. tests/gitea/test_restore.py — NEW (marker returned after restore)
 7. tests/gitea/custom/test_health.py — NEW (parity: HTTP 200 from root)
 8. tests/gitea/custom/test_git_push.py — NEW (parity: create→clone→push→verify→delete)
 9. tests/gitea/custom/test_admin_api.py — NEW (beyond-parity: user+org+token CRUD)
 10. tests/gitea/custom/test_lfs_roundtrip.py — NEW (LFS capstone; skips on main)
 11. tests/gitea/PARITY.md — NEW
 ### Unit test results after changes
 ```
 tests/unit/test_gitea_dep.py: 10/10 PASSED
 tests/unit/test_meta.py: 43/43 PASSED
 All unit tests: 269 passed, 1 pre-existing failure (test_warm_reconcile.py - unrelated)
 ```
 ### Next: run harness locally (BACKLOG item 2)
 ---
 ## 2026-06-15 — Harness run + M1 claim
 ### Bugs found and fixed during harness run
 1. **Playwright `_csrf` selector (test_install.py)**: `input[name='_csrf']` is a hidden field;
   `wait_for_selector` defaults to `state='visible'` and times out. Fixed: use `input#user_name`
   (the visible username field). Root cause: gitea renders CSRF as `type="hidden"`.
 2. **git credential injection (test_git_push.py + test_lfs_roundtrip.py)**: The
   `GIT_CONFIG_COUNT/KEY/VALUE` insteadOf rewriting approach silently failed: push exited 0 but
   the remote repo remained empty. Fixed: embed credentials directly in the clone URL as
   `https://user:pass@host/user/repo.git`. Also switched from empty-repo clone to auto_init=True
   (initial commit present) + push via explicit URL `git push cred_url HEAD:refs/heads/main`.
 3. **double /api/v1 in LFS restart poll (test_lfs_roundtrip.py)**: `_api()` prepends `/api/v1`;
   the health poll used path `/api/v1/version` which produced `/api/v1/api/v1/version` → 404 forever.
   Fixed: changed path to `/version`.
 4. **Token scope required (test_admin_api.py)**: gitea 1.22+ requires `scopes` in token creation
   body. Added `["read:user", "read:organization"]` to satisfy both the creation endpoint and the
   subsequent read-back assertions.
 5. **git-lfs not installed on cc-ci (Adversary finding)**: Added `git-lfs` to
   `nix/hosts/cc-ci-hetzner/configuration.nix` systemPackages. Deployed via
   `nixos-rebuild switch --flake '/root/builder-clone?submodules=1#cc-ci' 2>&1`. Note: secrets/
   is a git submodule (gitignored but tracked); must use `?submodules=1` in flake URL.
   git-lfs 3.6.1 confirmed installed post-deploy.
 ### Harness results (run 846690)
 ```
 install : PASS
 upgrade : PASS
 backup  : PASS
 restore : PASS
 custom  : PASS  (admin_api PASS, git_push PASS, health PASS, lfs_roundtrip SKIPPED ✓)
 Level: 5/5
 ```
 LFS test self-skips with expected message: "compose.lfs.yml absent in gitea recipe checkout".
 ### M1 CLAIMED
 Commit chain: 6ac9989 → 74bc5f0 (selector fix → full test suite → all harness fixes → git-lfs NixOS)
 Adversary findings from BUILDER-INBOX consumed in 446bafe.
 M1 claim commit: see `claim(gtea):` below.
 ### Next: await Adversary M1 PASS → proceed to BACKLOG items 6-8 (real CI + LFS PR)
 ---
 ## 2026-06-15 — M2 builds analysis + fixes
 ### Adversary inbox consumed @20:50Z
 BUILDER-INBOX had two critical M2 blockers:
 1. LFS roundtrip FAIL (run 676): LFS not running in upgrade deploy
 2. Upgrade FAIL on main (run 674): REF="main" fails HC1 SHA comparison
 ### Root cause analysis
 **Blocker 1 (LFS):**
 Recipe checkout timeline in run 676:
 - 20:35:35: Initial clone at 357926f2 (compose.lfs.yml present)
 - 20:35:37: abra base-deploy checks out 3.5.2+1.24.2-rootless (compose.lfs.yml REMOVED)
 - 20:35:58: harness re-checks out 357926f2 for upgrade (compose.lfs.yml RESTORED)
 The key: EXTRA_ENV is called AFTER abra.recipe_checkout(version) in deploy_app. At that point
 compose.lfs.yml is absent → EXTRA_ENV returns sqlite3-only → install runs without LFS.
 Then UPGRADE_EXTRA_ENV (undefined for gitea) → no update to COMPOSE_FILE → chaos redeploy
 also without compose.lfs.yml. But _lfs_available() checks disk and finds compose.lfs.yml
 (restored at 20:35:58) → test runs but LFS server is off → batch endpoint: "not found".
 Fix: Added UPGRADE_EXTRA_ENV to recipe_meta.py (returns compose.lfs.yml in COMPOSE_FILE
 when present after PR-head checkout) + abra.secret_generate() call in generic.perform_upgrade
 when upgrade_env is non-empty (to generate lfs_jwt_secret before chaos redeploy).
 **Blocker 2 (REF=main HC1):**
 HC1 check: `head_ref.startswith(chaos_commit) or chaos_commit.startswith(head_ref)`
 When head_ref="main" and chaos_commit="e6a1cc79": both checks fail.
 Fix: always use `lifecycle.recipe_head_commit(recipe)` (git rev-parse HEAD) for head_ref
 instead of `ref` directly. After the fetch/checkout, HEAD is at the correct SHA.
 **Blocker 3 (stale creds file, build #675):**
 /tmp/ccci-gitea-admin-{domain}.json persists across runs. Fresh install wipes the DB, but
 pre_install finds the stale file and returns old credentials → 401 on all API calls.
 Fix: pre_install deletes the creds file before calling _ensure_admin.
 ### Fixes applied (commit a121d2c)
 - tests/gitea/ops.py: delete stale creds file in pre_install
 - tests/gitea/recipe_meta.py: add UPGRADE_EXTRA_ENV (LFS upgrade trigger)
 - runner/harness/generic.py: abra.secret_generate() in upgrade when upgrade_env non-empty
 - runner/run_recipe_ci.py: head_ref = recipe_head_commit() always (not ref directly)
 Unit tests: 53/53 pass (test_gitea_dep.py 10/10, test_meta.py 43/43)
 ### CI builds re-triggered
 Build #684: RECIPE=gitea REF=main PR=0 (main branch, all tiers)
 Build #685: RECIPE=gitea REF=357926f2 PR=1 (LFS PR capstone)
 Both running as of 21:04Z.
 ---
 ## 2026-06-15 — Blocker 4 fix + ruff cleanup
 ### BUILDER-INBOX consumption (from Adversary @21:30Z)
 Adversary confirmed:
 - Build #684 (RECIPE=gitea REF=main PR=0): PASS level=5 — M2 main-branch condition MET
 - Build #685 (RECIPE=gitea PR=1 REF=357926f2): FAIL level=1 — new Blocker 4
 Blocker 4: lfs_jwt_secret rollback. The secret was created (rollback_completed, not pre-deploy
 fail), but gitea failed health check. Root cause: `.env.sample` in lfs-plain-gitea PR has
 `# SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43` COMMENTED OUT. abra `generate --all` then
 uses wrong default length. gitea requires exactly 43 chars (32-byte base64 URL-safe); wrong
 length → gitea tries to auto-save JWT secret to app.ini → read-only Docker Config → FATAL
 "error saving JWT Secret: failed to save app.ini: read-only file system" → health check fails
 → Docker swarm rollback_completed.
 Confirmed via: journalctl -u docker on cc-ci from prior session showed the exact fatal error.
 ### Fix design
 New `UPGRADE_SECRET_PREP(ctx)` hook in meta.py, called BEFORE `abra secret generate --all`
 in perform_upgrade(). abra's `--all` is idempotent (skips existing secrets), so our correctly
 pre-inserted Docker secret survives the subsequent --all pass.
 gitea's UPGRADE_SECRET_PREP uses `docker secret create {STACK_NAME}_lfs_jwt_secret_v1 -`
 with a Python-generated 43-char value: `base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=")`.
 Discovery: abra does NOT store STACK_NAME in the .env file. Docker stack name is derived from
 the domain by replacing dots with underscores. Verified from `docker stack ls`:
 - drone.ci.commoninternet.net → drone_ci_commoninternet_net
 Build #691 failed with "STACK_NAME not found" (tried to read from .env, key absent).
 Fixed in ad53b5a: derive STACK_NAME from ctx.domain.replace(".", "_").
 ### Runs in this session
 - Build #691 (PR=1): FAIL — STACK_NAME not found in .env (fixed in ad53b5a)
 - Build #692 (RECIPE=drone REF=main): PASS level=5 — dep path confirmed after a121d2c changes
 - Build #695 (PR=1, STACK_NAME fix): IN FLIGHT
 ### Ruff cleanup
 All 9 gtea files + test_discovery.py + bridge/bridge.py reformatted/check-fixed.
 manifest.py B007 (unused loop variable `path` → `_path`) fixed manually.
 scripts/lint.sh: PASS (verified on builder-clone @22:00Z).
--- a/machine-docs/JOURNAL-kuma.md
+++ b/machine-docs/JOURNAL-kuma.md
@ -0,0 +1,82 @@
 # JOURNAL — phase `kuma` (uptime-kuma create-a-monitor functional test)
 Design rationale, investigations, and dead-ends. Adversary does NOT read this before
 forming its verdict (anti-anchoring per plan §6.1). See STATUS-kuma.md for claim context.
 ---
 ## 2026-06-11 — Approach selection: Playwright over python-socketio
 **Context:** The phase plan offers two choices:
 - (a) python-socketio client speaking Socket.IO events directly
 - (b) Playwright driving the real browser UI
 **Investigation:** Checked the cc-ci Nix Python environment:
 ```
 /nix/store/x188l04r3gfkh18gy1dpf05fv3kkrgs7-python3-3.12.8-env/lib/python3.12/site-packages/
 → greenlet, playwright 1.50.0, pytest 8.3.3, pyee, packaging, pluggy, iniconfig
 → NO socketio, NO websocket-client, NO aiohttp, NO requests
 ```
 python-socketio would need a `nix/cc-ci.nix` addition + `nixos-rebuild switch` on cc-ci.
 Playwright is already present. **Chose option (b): no Nix changes, faster to ship.**
 **Selector research:** Inspected uptime-kuma 2.2.1 source files in the Docker image:
 - `src/pages/Setup.vue`: confirms `data-cy` attributes on all setup form fields
 - `src/pages/EditMonitor.vue`: confirms `data-testid` on friendly-name, url, save-button
 - `src/pages/Details.vue`: confirms `data-testid="monitor-status"` on status badge
 - Compiled bundle `dist/assets/index-D_mnxLA0.js`: grep confirms all target attributes
 **Heartbeat "important" logic:** Checked `server/model/monitor.js` line 1420:
 ```
 // * ? -> ANY STATUS = important [isFirstBeat]
 ```
 The server marks the first heartbeat as `important=true`, so it WILL appear in the
 important-heartbeat table immediately after the first probe. This means the table row
 check is a reliable proof of real probe execution.
 **Status text:** From `src/mixins/socket.js` line 755 (`statusList` computed):
 ```javascript
 text: this.$t("Up"),   // UP=1
 text: this.$t("Down"), // DOWN=0
 ```
 English locale: "Up" (capital U, lowercase p) and "Down". Used these exact strings in
 the `_wait_for_status` assertions.
 **URL routing:** `src/router.js` uses `createWebHistory()` (history mode, not hash mode).
 Routes: `/` → Entry.vue → redirects to `/dashboard`; `/add` → EditMonitor.vue;
 `/dashboard/:id` → Details.vue. So `page.goto(f"{base}/add")` reliably opens the monitor
 form directly.
 **Negative test choice:** `http://127.0.0.1:19999/dead`:
 - Inside the container, port 19999 is unused → OS returns ECONNREFUSED instantly
 - Connection-refused causes uptime-kuma to mark the monitor DOWN immediately (no timeout wait)
 - This proves the probe engine makes real outbound calls (not a stub)
 - Included — fits runtime budget easily (~5 s for DOWN detection)
 **Runtime budget analysis:**
 - Setup wizard + login: ~10 s
 - Create monitor 1 + wait UP: ~15-30 s (first probe immediate, but socket roundtrip)
 - Create monitor 2 + wait DOWN: ~10 s (ECONNREFUSED is fast)
 - Overhead: ~5 s
 - Total estimate: ~40-55 s — well within ≤90 s target
 ---
 ## 2026-06-11 — Build #460 result + M1 claim
 `!testme` triggered on uptime-kuma PR #3 (comment #14349). Bridge log:
 ```
 [poll] triggered build 460 for uptime-kuma@eb4521cc (PR #3, comment 14349) by autonomic-bot
 reflected outcome build 460 (uptime-kuma PR #3): success
 ```
 Build 460 results.json:
 - `level: 5`, all stages PASS (install/upgrade/backup/restore/custom/lint)
 - `customization: {custom_tests: {cc-ci: {functional: 3, playwright: 1}}}`
 - stage `custom` tests: health_check [pass], socketio_handshake [pass], spa_branding [pass], **test_monitor_wizard [pass]**
 - `flags: {clean_teardown: true, no_secret_leak: true}`
 PR comment #14350 posted: ✅ passed.
 M1 claimed (commit fe8922c). Second `!testme` posted (comment #14352) for flake check while
 Adversary reviews M1.
--- a/machine-docs/JOURNAL-lvl5.md
+++ b/machine-docs/JOURNAL-lvl5.md
@ -0,0 +1,116 @@
 # JOURNAL — Phase lvl5
 ## 2026-06-11 bootstrap
 - Read plan-phase-lvl5-lint-rung.md in full + plan.md §6/§6.1/§7/§9. Phase files created.
 - Orientation reads: level.py (RUNGS 4, compute_level gap-caps, backup_restore_status, tier_to_rung), results.py derive_rungs/build_results (cap fields at :215-229), card.py (LEVEL_COLOR 0-6!, cap line :246, level_badge_svg cap_skip third segment), dashboard.py (_LEVEL_COLOR :68, _level_pill :245, cap div :277, render_level_badge :363), run_recipe_ci.py build_results call :1248 + badge wiring :1296-1320, bridge.py :224 (badge embed — number-only already, no cap text → likely untouched), docs (results-ux.md has cap language; recipe-customization.md EXPECTED_NA row).
 - Notable: card.py LEVEL_COLOR already has keys 0-6 (5=green, 6=bright green) — only 0-4 reachable today; dashboard._LEVEL_COLOR needs checking for the same.
 - Lint context: abra.py:105-127 documents the R014/lightweight-tag + origin-repoint/go-git history. Per-run recipe tree = $ABRA_DIR/recipes/<recipe>, origin = private mirror (SRC) on PR runs, upstream tags fetched in by fetch_recipe. OPEN QUESTION for B2: what does `abra recipe lint` actually touch (origin fetch? auth? R014 against which tags?) — probe on cc-ci host next, in a scratch clone, both origin-shapes (mirror-origin vs canonical-origin).
 - Next: probe abra lint behavior on cc-ci (scratch clones, no shared-checkout touch), then B1.
 ## 2026-06-11 P1+P2 built, M1 claimed (branch phase-lvl5)
 - level.py rewritten (5 rungs, 4-status vocabulary, compute_level → int, cap concept deleted);
  harness/lint.py executor; results.py derive_rungs classification + schema 2 + lint stage/block;
  run_recipe_ci.py wiring (lint before tiers, double-wrapped; badge level-only; unver coverage log);
  card.py/dashboard.py de-capped (0-5 ramp, ladder line, unverified rows, lint.txt servable);
  docs results-ux.md/recipe-customization.md; DECISIONS.md phase entry.
 - Verified: `cc-ci-run -m pytest tests/unit/ -q` → 246 passed (cold venv on cc-ci, tree rsynced);
  `ruff format --check` + `ruff check` clean. Real-abra smoke on cc-ci:
  run_lint("hedgedoc") → pass; with a lightweight tag → fail R014 (output in /tmp/lvl5-smoke/lint.txt).
 - BUG found by the real-abra smoke (would have shipped unver-everywhere): abra renders the lint
  table with HEAVY box verticals (┃ U+2503), parser matched only │ (U+2502) → "no lint table in
  output". Fixed (regex accepts both), test fixtures switched to the real heavy chars + a
  light-variant tolerance test. Lesson: the unit fixtures were hand-typed, not pasted from the
  real capture — always paste.
 - test_meta.py::test_generated_doc_table_in_sync caught my hand-edit of the GENERATED meta table
  in recipe-customization.md — moved the wording into the meta.py KEYS registry and regenerated.
 - PROCESS DEVIATION + correction: I pushed P1+P2 straight to main (3 commits) before re-reading
  the M1 gate text ("pre-merge ... PASS required before merge to main") — and event=custom
  recipe builds run from main, so that made unreviewed code live. Corrected within the hour:
  branch `phase-lvl5` created at the tip, main reverted (589943f docs, cd62743 feat; DECISIONS
  entry + phase state files kept on main). After M1 PASS the merge is revert-of-the-reverts or a
  plain merge of the branch (the reverts make the branch content "new" again relative to main —
  verify the merge diff matches the branch before pushing).
 - M1 claimed in STATUS-lvl5.md with full cold-verify recipe.
 ## 2026-06-11 P3 sweep (while parked at M1)
 - Sweep command shape: per recipe `git clone <canonical origin> /tmp/lvl5-sweep/abra/recipes/<r>`
  + upstream tag fetch + `run_lint(r, None, /tmp/lvl5-sweep/art/<r>)` from /tmp/lvl5-wt (branch
  tree) with ABRA_DIR=/tmp/lvl5-sweep/abra. Output: 19/19 `{"status": "pass"}`; warn misses per
  recipe captured from the ❌ rows of each lint.txt. Matrix + §2.9 baseline table → BACKLOG-lvl5.
 - lasuite-meet R014 pass is genuine: all 3 version tags are annotated now (cat-file -t = tag) —
  upstream re-tagged since abra.py:105 was written.
 - Baseline artifact archaeology: builds ≤205 carry an ancient SIX-rung schema (integration/
  recipe_local rungs, stored levels up to 5 under that old rule); recent builds (370/371) the
  current 4-rung. Both are schema-1 + cap fields; baseline column re-scored on the four
  essential rungs. bluesky-pds and mumble have no retained results.json.
 - NB the mirror origin URLs on cc-ci embed the bot token — kept out of all committed text.
 ## 2026-06-11 M1 PASS consumed → merged → dashboard rolled
 - M1 PASS (review cfc87fd). Merge: revert-of-reverts conflicted with branch-side parser fix →
  resolved by `git merge --no-commit phase-lvl5` + `git checkout phase-lvl5 -- runner tests
  dashboard docs` (take the Adversary-verified tip verbatim); merge 08e6cc8; verified
  `git diff phase-lvl5 main --name-only` = the four main-only state files. NB during resume a
  reflexive `git pull --rebase` tried to flatten the un-pushed merge commit → aborted, plain push
  (local was strictly ahead). Lesson: never pull --rebase with an un-pushed merge commit.
 - Suite re-run from merged main rsynced to cc-ci: 246 passed.
 - Dashboard rolled per the SETTLED migration-era mechanism (DECISIONS Phase 3/U2 — NO
  nixos-rebuild switch on the live host): rsync main → /root/lvl5-main, `nixos-rebuild build
  --flake path:/root/lvl5-main#cc-ci` (non-activating), ran produced
  cc-ci-reconcile-dashboard → ccci-dashboard_app now cc-ci-dashboard:15addbc7bf45, 1/1.
 - Live checks: / 200; /runs/370/{results.json,summary.png} 200 (old artifacts unharmed);
  /badge/immich.svg 200 = number+colour only (#a0b93f, "level 4"); /recipe/immich 200.
 ## 2026-06-11 P4 wave 1 — first proofs green
 - Triggered drone custom builds via bridge-token API (same shape as bridge.trigger_build).
 - Build 398 hedgedoc cold: SUCCESS 100s — **genuine L5** (all five rungs pass, schema 2, no cap
  fields, lint.txt+badge 200). Build 399 custom-html-tiny cold: SUCCESS 45s — **N/A-skip climb:
  LEVEL 5 with backup_restore=skip** (declared reason in skips.intentional; was L2 at baseline
  #205). Durations nowhere near inflated (lint ≈0.7s inside).
 - Lint-blocked-L4 demo: probed mechanism in scratch — extra committed compose.lintdemo.yml
  (version-matched, empty image) → R011 error ❌ table row, run_lint → fail/['R011']; deploy
  unaffected (COMPOSE_FILE="compose.yml"). Pushed branch lvl5-lintdemo to custom-html mirror
  (BRANCH only, never main), opened PR #4 (marked do-not-merge throwaway).
 - !testme posted (comments 14326/14327/14328) on custom-html#4, immich#2, plausible#3 →
  bridge-triggered builds 400/401/402 (drone path ×3). Awaiting.
 ## 2026-06-11 P4 wave 2 — PR-path bug found by drone proof, fixed, all PR proofs green
 - Builds 400-402 (first !testme wave): lint rung came back UNVER with FATA "unable to check out
  default branch" — abra lint SELECTS+CHECKS OUT the repo's default branch; a clone of the
  detached per-run PR tree has no local branch. Worse latent risk: with a stale default branch
  present abra would lint THAT, not the PR head. Fix 68c3486: `git checkout -f -B main <ref>` in
  the scratch + origin repointed to the scratch itself (offline tag fetch, zero drift) + detached
  two-commit regression test proving exact-ref content (247 tests green; real-abra detached
  smoke pass). Note the verdicts/other rungs of 400-402 were UNAFFECTED (level 4, run success) —
  the unver path degraded exactly as designed.
 - Re-ran !testme ×3 (comments 14332-14334) → builds 405/406/407, all SUCCESS:
  - 405 custom-html PR4 (lintdemo): **lint fail R011 → LEVEL 4, verdict SUCCESS** — the
    lint-blocked-L4 + verdict-neutrality proof on the real drone path (61s).
  - 406 immich PR2: **LEVEL 5** (199s, = shot-phase baseline). 407 plausible PR3: **LEVEL 5** (164s).
 - Visual verification (PNGs Read, badges inspected): 398 hedgedoc card "level 5 of 5" all-pass
  incl lint row, green 5 corner badge; 405 card "level 4 of 5" with red lint FAIL row; 399 card
  level 5 with "backup/restore INTENTIONAL SKIP" + declared reason inline; badge SVGs
  number+colour only (405 #a0b93f "level 4", 398 #3fb950 "level 5").
 - Canaries 411 (bkp-bad) + 412 (rst-bad) + mumble cold 413 triggered.
 ## 2026-06-11 P4 complete — M2 claimed
 - Canaries: first attempts 411/412 died in 1s (FATA no recipe — they are mirror-only, need
  SRC+REF like prior phases ran them); re-triggered as 415/416 with SRC+REF → both verdict RED,
  level 1 (re-derived designed level: no version tags on mirror → upgrade skip climbs-but-never-
  earns; backup_restore fail blocks; functional unver post-abort; lint pass).
 - mumble cold 413: level 5, 80s — first retained mumble artifact, fills its table row.
 - Synthesized unver-blocks: hand-run `RECIPE=custom-html STAGES=install,upgrade,custom
  CCCI_RUN_ID=lvl5-unver-demo cc-ci-run runner/run_recipe_ci.py` (log /tmp/lvl5-unver-run.log,
  rc=0) → results.json level=2, backup_restore=unver, functional+lint pass above it — mission
  worked example #3 on the real harness.
 - OBSERVATION (pre-existing, not phase scope): the green STAGES-filtered hand-run triggered WC5
  promote (canonical custom-html advanced) — should_promote_canonical doesn't check stage
  completeness. Surfaced to Adversary in the M2 claim notes; not fixing inside this phase.
 - M2 claimed in STATUS-lvl5 with the full evidence table (runs 398/399/405/406/407/413/415/416 +
  lvl5-unver-demo). B11 ticked.
 ## 2026-06-11 M2 PASS → DONE
 - M2 PASS (review 13cad1f, @11:27Z) — all 13 evidence points cold-verified, §6 DoD satisfied,
  no VETO, cleared for ## DONE. Both gates passed today (M1 cfc87fd, M2 13cad1f); no standing VETO.
 - Cleanup: PR custom-html#4 closed + branch lvl5-lintdemo deleted (204). WC5 stage-completeness
  observation filed to machine-docs/DEFERRED.md (operator decision; Adversary concurs not a finding).
 - Phase complete: L5 lint rung + de-capped level semantics live end-to-end.
--- a/machine-docs/JOURNAL-mailu.md
+++ b/machine-docs/JOURNAL-mailu.md
@ -0,0 +1,134 @@
 # JOURNAL — phase mailu
 Design rationale, dead-ends, investigation notes. Not for Adversary pre-verdict reading.
 ---
 ## 2026-06-11 ADV-mailu-01 fix — build #477 LEVEL 5 re-verified
 ### ADV-mailu-01 resolution confirmed
 Build #477 result confirms both volumes are now specifically tested:
 - `test_backup_captures_mail_message` PASS: `ccci-backup-probe` message in INBOX at backup time
 - `test_restore_returns_mail_message` PASS: message survives Maildir wipe + restore from snapshot
 - Both maildir-specific tests ran in the `backup` and `restore` stages respectively
 - Full build level 5, clean_teardown=true, no_secret_leak=true
 The `sendmail` delivery path (smtp container → postfix → dovecot deliver) worked correctly
 for injecting the test message. The `doveadm search` poll with 60s timeout was sufficient.
 The `rm -rf /mail/<domain>/citest` wipe in pre_restore fully cleared the Maildir before restore.
 Re-claiming M1 with build #477 as the evidence build.
 ---
 ## 2026-06-11 Bootstrap + data-layout research
 ### mailu volume layout (from compose.yml analysis)
 Services and their durable volumes:
 - `admin` service: mounts `mailu` vol → `/data` (sqlite DB: users, mailboxes, domains, settings)
 - `imap` (dovecot) service: mounts `mail` vol → `/mail` (Maildir message storage)
 - `admin` service also mounts `dkim` vol → `/dkim` (DKIM private keys)
 - `antispam` service: mounts `rspamd` vol → `/var/lib/rspamd` (antispam training data — ephemeral)
 - `db` (redis) service: mounts `redis` vol → `/data` (session cache — ephemeral)
 - `webmail` service: mounts `webmail` vol → `/data` (roundcube prefs — ephemeral)
 - `smtp` service: mounts `mailqueue` vol → `/queue` (postfix queue — ephemeral)
 - `app` (nginx) + `certdumper`: mount `certs` vol (TLS cert dumps — regenerable)
 ### Backup decision: admin/data + imap/mail
 For genuine backup/restore coverage:
 - **`admin:/data`** = sqlite DB → primary source of truth for mailboxes/users. If this is lost,
  all accounts are gone. Must backup.
 - **`imap:/mail`** = Maildir storage → the actual messages. Loss = all mail gone. Must backup.
 - `dkim:/dkim` = DKIM keys. In production, loss = need re-keying + DNS update. BUT: for CI testing,
  we don't have DNS-side DKIM records anyway, so DKIM regeneration is harmless. NOT labeled for
  CI simplicity (can add in a follow-up if operator wants DKIM key recovery tested).
 - Other volumes: ephemeral / regenerable. Not labeled.
 ### Backupbot v2 syntax decision
 From studying n8n and discourse examples:
 - v2 uses `backupbot.backup: "true"` + `backupbot.backup.path: "<container-path>"`
 - v1 used `backupbot.volumes.<name>=true/false` (immich pattern — do NOT use for new work)
 - mailu has no Postgres (uses SQLite), so no pg_dump hook needed
 - For `admin`: `backupbot.backup.path: "/data"` (whole sqlite DB dir)
 - For `imap`: `backupbot.backup.path: "/mail"` (whole Maildir)
 ### mailu compose.yml structure note
 mailu uses `deploy.labels` (list form with `- "key=value"` strings) for the app service's traefik labels. The backupbot labels need to go on the services that own the data:
 - `admin` service uses `labels:` directly (not `deploy.labels`) — no traefik label there
 - `imap` service similarly uses `labels:` directly
 Wait, actually checking the compose.yml — there's no `labels:` on `admin` or `imap` at all. 
 The `app` (nginx) service has `deploy.labels` for traefik. For backupbot, the labels need to be
 on the DEPLOYED service (under `deploy.labels` or top-level `labels`). In Docker Swarm, backupbot
 uses service labels (which are deploy-time labels). So we need `deploy.labels` on admin + imap.
 The `app` service already uses `deploy.labels` (list form) for traefik. For admin + imap we need
 to add `deploy:` → `labels:` sections.
 ### Version bump
 Current version: `3.0.1+2024.06.52` (on `app` service `deploy.labels` → `coop-cloud.${STACK_NAME}.version`)
 New version: `3.1.0+2024.06.52` (minor version bump for backupbot feature addition)
 ### CI test design
 **ops.py hooks** (consistent with n8n pattern):
 - `pre_backup(ctx)`: create a test mailbox `citest@<domain>` via `flask mailu user citest <domain> '<password>'` in the admin container
 - `pre_restore(ctx)`: delete the mailbox via `flask mailu user delete citest@<domain>` (or equivalent) to simulate data loss
 **test_backup.py**: assert `citest@<domain>` is in `config-export` at backup time
 **test_restore.py**: assert `citest@<domain>` is back in `config-export` after restore
 The `_mailu.py` helpers already provide:
 - `flask_mailu(domain, cmd)` → runs flask mailu CLI in admin container
 - `config_export(domain)` → parses config-export JSON
 - `user_emails(cfg)` → list of email addresses from config
 ### Delete-user CLI for pre_restore
 Need to confirm the delete command. From mailu docs, the admin CLI:
 - Create: `flask mailu user <local> <domain> '<password>'`
 - Delete: `flask mailu user delete <email>` (where email = local@domain)
 - Or: `flask mailu user delete <local>@<domain>`
 Need to verify the exact syntax. Will use `flask mailu user delete citest@<domain>` and add error handling.
 ---
 ## 2026-06-11 ADV-mailu-01 fix — extend seed to cover /mail Maildir
 ### Adversary finding (M1 FAIL)
 The M1 claim was rejected because ops.py only proved SQLite (`/data`) backup/restore. The `/mail`
 Maildir volume was labeled and backed up but never specifically tested for restoration. If backupbot
 silently skipped restoring `/mail`, the test would still PASS.
 ### Fix (cc-ci commit b9352e8)
 Extended the seed in three steps:
 **ops.py `pre_backup`**: After creating `citest@<domain>`, inject a test message via in-container
 `sendmail` (smtp container → postfix → rspamd → dovecot deliver). Subject: `ccci-backup-probe`.
 Wait up to 60s for dovecot to deliver (polling `doveadm search`). This is identical to the pattern
 proven in `test_mail_flow.py`.
 **ops.py `pre_restore`**: Now wipes BOTH:
 1. The user from sqlite: `DELETE FROM user WHERE localpart='citest'` via python3 in admin container
 2. The user's Maildir: `rm -rf /mail/<domain>/citest` in imap container
 **test_backup.py**: Added `test_backup_captures_mail_message` — asserts the message is present
 at backup time via `doveadm search` in imap container.
 **test_restore.py**: Added `test_restore_returns_mail_message` — asserts the message is back in
 INBOX after restore via `doveadm search` in imap container.
 ### Why rm -rf over doveadm expunge
 Used `rm -rf /mail/<domain>/citest/` in pre_restore rather than `doveadm expunge` because:
 - `rm -rf` directly wipes the Maildir from disk — observable, immediate, unambiguous
 - `doveadm expunge` marks messages for deletion but depends on dovecot's expunge/purge cycle
 - The goal is a clear divergence: after pre_restore, the maildir DOES NOT EXIST; after restore, it DOES
 ### Build #477 in flight to verify
--- a/machine-docs/JOURNAL-nixenv.md
+++ b/machine-docs/JOURNAL-nixenv.md
@ -0,0 +1,88 @@
 # JOURNAL — phase `nixenv` (Builder)
 ## 2026-06-17 — M1: single-source the harness runtime env
 ### Why this design
 The phase plan §2 wants ONE definition of "what's needed to run a recipe test", referenced from
 three places, so DEFECT-3 (a dep present for one path, missing for another) becomes structurally
 impossible. I put the single source in `nix/modules/packages.nix` because it is the existing
 "shared pkgs" overlay module already imported by both host configs — so `pkgs.ccciRuntimeTools`
 and `pkgs.cc-ci-run` are reachable from every module/host without a fragile cross-module `let`.
 Three overlay defs:
 - `ccciPyEnv` (let-bound, internal) — `python3.withPackages [pytest playwright]`, the ONLY pyEnv now.
 - `ccciRuntimeTools` (overlay attr) — the union tool set.
 - `cc-ci-run` (overlay attr) — `writeShellApplication` with `runtimeInputs = [ccciPyEnv] ++ ccciRuntimeTools`.
 Consumers:
 - `harness.nix` → `environment.systemPackages = [ pkgs.cc-ci-run ]` (installs the entrypoint).
 - `nightly-sweep.nix` → wrapper execs `cc-ci-run` (same binary the Drone pipeline runs), so pyEnv +
  tooling + PLAYWRIGHT env are identical to the Drone path by construction. Dropped: the duplicate
  pyEnv, the parallel `runtimeInputs` tool list, and the DEFECT-3 `export PATH=/run/current-system/sw/bin…`
  prepend — git-lfs/bash/util-linux/openssl now come from cc-ci-run's runtimeInputs.
 - both host `configuration.nix` → `systemPackages = pkgs.ccciRuntimeTools ++ [ pkgs.openssh ]`.
 ### Why the union is a superset (nothing dropped)
 - old cc-ci-run: `abra docker git coreutils util-linux` ⊂ set.
 - old sweep: `bash abra docker git curl jq gnused gnugrep gnutar coreutils util-linux procps` ⊂ set;
  its host-PATH-derived git-lfs/openssl are now EXPLICIT in the set.
 - old host PATH: `curl git jq` (+ git-lfs on hetzner only) ⊂ set; `openssh` kept as host-only add.
 - pyEnv (python3+pytest+playwright) + playwright browsers (via PLAYWRIGHT_BROWSERS_PATH) preserved.
 Additions vs any single prior list: `git-lfs`, `openssl` (plan §2). The `cc-ci` host GAINS git-lfs,
 killing the one-off hetzner-only divergence — both host configs now byte-identical.
 ### Why writeShellApplication makes this work
 `writeShellApplication` emits `export PATH="<runtimeInputs>:$PATH"` (confirmed on the live wrapper).
 So cc-ci-run's full tool set is the PATH *prefix* regardless of caller. Under Drone the inherited
 suffix is `/run/current-system/sw/bin:/run/wrappers/bin`; under the sweep it's the systemd-minimal
 PATH — but the harness tools all resolve from the shared prefix either way, which is the parity the
 plan wants. The host `systemPackages` reference is the belt-and-suspenders path for direct
 `.drone.yml` shell-outs (`abra --version`, `docker info`) that don't go through cc-ci-run.
 ### buildEnv collision watch (resolved)
 Worry: adding coreutils/util-linux/procps/bash/gnu* to host `systemPackages` could collide with the
 NixOS base `requiredPackages`. It did not — base requiredPackages are `lowPrio`, so the normal-prio
 additions override cleanly. Both `#cc-ci` and `#cc-ci-hetzner` built with no collision error.
 ### Note on other modules' tool lists
 `backupbot/docker-prune/drone/proxy/warm-keycloak.nix` still list gnused/gnugrep/etc. in their OWN
 `runtimeInputs` — those are independent reconcile-service scripts, never part of the harness/recipe
 -test env, never part of the DEFECT-3 divergence. Single-sourcing is scoped to the harness env
 (pyEnv + recipe-test tooling consumed by cc-ci-run / sweep / host PATH), which is now packages.nix only.
 ### Verification (local, dirty tree needs `?submodules=1` — `secrets/` is a submodule)
 - `nixos-rebuild build --flake '.?submodules=1#cc-ci-hetzner'` → built `nixos-system-…dhmpm232…`.
 - `nixos-rebuild build --flake '.?submodules=1#cc-ci'` → built OK.
 - cc-ci-run store `zxlx9jnylh7la5m48bsqb1wfm5l9r0bd`; PATH carries all 15 tools incl git-lfs-3.6.1 + openssl-3.3.3.
 - sweep wrapper `gh02w1kc…` execs the SAME `zxlx9j…/bin/cc-ci-run`.
 - cc-ci host sw/bin now lists git-lfs + openssl (was missing git-lfs pre-refactor).
 - `grep -rn withPackages nix/` → 1 hit (packages.nix:17).
 ## 2026-06-17T18:17Z — M2 claim (both live parity witnesses green)
 ### Drone-path witness (build #871)
 Why REF=357926f2 PR=1 SRC=recipe-maintainers/gitea: this is the lfs-plain-gitea capstone ref (the
 gtea-phase Build #685 ref). PR #1 is now merged so compose.lfs.yml is also on main, but pinning the
 PR head guarantees `_lfs_enabled()` is true (compose.lfs.yml in checkout + RECIPE=gitea) so the LFS
 test RUNS rather than skips. fetch_recipe takes the SRC+REF mirror-clone path; EXTRA_ENV adds
 compose.lfs.yml to install+custom tiers so the deployed gitea has LFS on for the round-trip. Triggered
 via the Drone API with the bridge's drone token (kept on-host). Build went green in ~3 min;
 test_lfs_roundtrip PASSED. This is the SAME cc-ci-run store path the timer sweep execs, so the two
 witnesses prove parity by both construction (M1) and observation (M2).
 ### Why the timer fire is the harder witness
 The systemd unit PATH is systemd-minimal (coreutils/findutils/gnugrep/gnused/systemd) — NO git-lfs,
 NO /run/current-system/sw/bin. So a green LFS test there can ONLY come from cc-ci-run's runtimeInputs
 prepending git-lfs-3.6.1 to PATH. Confirmed by reading /proc/<run_recipe_ci pid>/environ live: PATH
 starts with the cc-ci-run tool prefix incl git-lfs. This is exactly the DEFECT-3 condition the phase
 set out to make structurally impossible.
 ### GREEN-BUT-PROMOTE-FAILED is not mine
 Spent effort confirming the gitea promote-fail (`abra app deploy warm-gitea -o -n` → "already
 deployed") is pre-existing: it appears identically in the two pre-deploy sweep fires (14:28Z, 15:56Z,
 OLD env) and the promote path (runner/nightly_sweep.py) is unchanged by nixenv (last touched canon
 f94de22). It's an abra deploy-idempotency limitation on the persistent warm canonical (warm-gitea up
 since 08:39Z), non-fatal, known-good unchanged. discourse/mattermost-lts reds are likewise recipe-level
 and pre-existing (mattermost: postgres restore marker assertion; docker resolved fine → not a dropped
 tool). nixenv changes only WHICH tools are on PATH; it dropped nothing (M1 superset proof), so it
 cannot have caused an app-level red.
--- a/machine-docs/JOURNAL-poe2e.md
+++ b/machine-docs/JOURNAL-poe2e.md
@ -0,0 +1,106 @@
 # JOURNAL — phase poe2e (Builder)
 > Ownership: per protocol §6.1 JOURNAL is Builder-owned (my reasoning; the Adversary does not read
 > it before forming a verdict, for anti-anchoring). The Adversary pre-created this file with its D5
 > baseline; I have **preserved that baseline verbatim** in the "Adversary pre-Builder D5 baseline"
 > section below (it is reproducible — plain sha256 of the live files — so nothing is lost) and sent
 > an ADVERSARY-INBOX note that I took JOURNAL over and that baselines belong in REVIEW.
 ## 2026-06-13T19:30Z — Bootstrap / orientation
 Read in full: `plan-phase-poe2e-end-to-end.md`, `plan-agent-orchestrator.md`,
 `plan-phase-porepo-project-orchestrator.md`, the engine `README.md`, the live `agents.toml` +
 `build_loop_kickoff()` in the live `agents.py`. Inspected the PO repo and engine clone.
 Established facts:
 - Engine v0.1.0 working clone: `/home/loops/aoeng/agent-orchestrator` (tag `v0.1.0` → commit
  `289ef07`). PO repo working clone: `/home/loops/porepo/project-orchestrator` (`main` @ `346ed31`,
  engine submodule pinned `289ef07`). Both public on Gitea.
 - Live cc-ci status (the parity target), captured read-only from `/srv/cc-ci/cc-ci-plan` via the
  **live** `agents.py status`:
  ```
  phase: poe2e [19/19]  plan=plan-phase-poe2e-end-to-end.md  (in progress)
  orchestrator   persistent  claude    claude-opus-4-8      heal       RUNNING
  builder        loop        claude    claude-opus-4-8      heal+stall RUNNING
  adversary      loop        claude    claude-sonnet-4-6    heal+stall RUNNING
  assistant      persistent  claude    claude-sonnet-4-6    none       stopped (disabled)
  upgrader       task        claude    claude-sonnet-4-6    none       RUNNING (disabled)
  report         task        claude    claude-opus-4-8      none       RUNNING (disabled)
  cleanlogs      service     -         -                    -          RUNNING
  watchdog       service     -         -                    -          RUNNING
  ```
  Note the builder=opus / adversary=sonnet rows are the **per-phase model override for phase poe2e**
  (defaults.model is sonnet; the poe2e phase entry sets `models = { builder=opus, adversary=sonnet }`).
  Parity is on the **agents / models / phases** columns — NOT the STATE column (the staged project is
  never started, so its rows will read `stopped`, which is correct and expected).
 ### Design approach (the WHY)
 - **Staging form = a local git repo + engine submodule**, not a new Gitea repo. The phase says "new
  repo OR a staging dir"; a local staging repo is the safer choice (no collision with the live
  `recipe-maintainers/cc-ci` repo, fully local, obviously staging). Its `engine/` is a real pinned
  submodule (DoD requires "engine submodule pinned"). fleet.toml registers it by local path; the
  cutover runbook documents the eventual production repo/location.
 - **Kickoff template migration.** The live preamble is hardcoded in the live `agents.py`
  `build_loop_kickoff()` with `/srv/cc-ci/cc-ci-plan/{plan}` paths. The engine v0.1.0 generalizes
  this to a project-supplied `prompts/kickoff.md` with `{phase_id}/{plan}/{status}/{role}` slots +
  `roles_dir`. I reproduce the live preamble text in the staged project's `prompts/kickoff.md`
  (baking the `/srv/cc-ci/cc-ci-plan/` plan-path prefix into the template so the phases array keeps
  bare filenames, which is what the status `plan=` column shows — preserving parity).
 - **prompts/** builder.md + adversary.md copied verbatim from live `/srv/cc-ci/cc-ci-plan/prompts/`.
 - **session_prefix** decision: deferred to the build step (recorded there). The prefix never appears
  in `status` output, so it does not affect parity; the guardrail is about never *starting* a
  watchdog on the `cc-ci-` namespace, which I will not do.
 - **Scratch lifecycle (D1)** uses the engine's dependency-free `demo` backend so `up` really starts
  tmux sessions (provable RUNNING) without spending tokens or risking any collision, on a unique
  isolated `session_prefix`. Then `down` + delete the throwaway.
 ## 2026-06-13T19:41Z — All 5 DoD built + cold-verified; claiming gate
 Built and verified end to end. The WHY behind the STATUS facts:
 - **D1 (lifecycle).** Used the PO's `create-project.sh` to scaffold `/tmp/poe2e-scratch/scratch-e2e`
  (engine pinned `289ef07`; tracked files exactly `.gitignore .gitmodules agents.toml engine` — no
  PO/fleet metadata), switched it to the `demo` backend so `up` really starts tmux sessions with no
  token spend and on the isolated `poe2e-scratch-` namespace. Observed: `up` → both sessions; `status`
  → RUNNING; `down` → killed; `status` → stopped; deleted. The 8 live `cc-ci-*` sessions never moved.
 - **D2 (migration + parity).** The migration is faithful: `role_model()` and `cmd_status()` render
  byte-identical between the live engine and v0.1.0 (I diffed `role_model` — IDENTICAL — and read
  `cmd_status`). I copied the `phases` array verbatim (incl. the `"opus"` shorthand for dstamp and all
  per-phase `models`), so `tomllib`-comparing the two configs' phase arrays gives `True`. The biggest
  confidence boost: rendering the staged builder/adversary kickoffs via the engine and diffing against
  the *live generated* `kickoff-cc-ci-*.txt` → **byte-identical**, proving prompts/kickoff.md +
  prompts/{builder,adversary}.md reproduce the live `build_loop_kickoff()` exactly. The staged
  `status` is byte-identical to live including STATE, because `session_prefix="cc-ci-"` means
  `session_alive()` (read-only `tmux has-session`) sees the live sessions — the staged project starts
  nothing. **Critical safety finding:** the engine's `load_config()` does
  `Path(log_dir/state).mkdir(exist_ok=True)` on EVERY invocation incl. `status` — so the staged
  `log_dir` must be the isolated `.ao-state`, never the live `/srv/cc-ci/.cc-ci-logs` (the cutover
  runbook flips it back). That's why staging uses an isolated state dir.
 - **D3.** Registered `cc-ci` in the PO `fleet.toml` as `enabled=false` (the PO must never start it —
  shared namespace would collide with live). `fleet.py validate` → OK, 2 projects.
 - **D4.** Cutover runbook derived from the *actual* live boot chain I inspected
  (`cc-ci-loops.service → cc-ci-loops-start → launch.sh start → launch.py [shim] → agents.py up`,
  cwd `/srv/cc-ci/cc-ci`, `RESUME_PHASE=1`). The cutover is one indirection change (re-point
  `launch.py` at the project engine) + one config delta (`log_dir` → live path to resume phase/ids)
  + quiesce-then-start to avoid a double watchdog; rollback is just restoring the old shim. The
  in-place `agents.{py,toml}` stay present throughout → trivial rollback.
 - **D5.** Re-checksummed live `agents.{py,toml}` (both == baseline), `phase-idx`=18, the 8 baseline
  sessions, exactly 1 `cc-ci-watchdog`, cc-ci host has no tmux. Nothing I did wrote live files/state
  or started a `cc-ci-` session.
 Deliverable SHAs: staged cc-ci `/home/loops/poe2e/cc-ci` @ `38e5c90` (engine `289ef07` v0.1.0);
 PO `recipe-maintainers/project-orchestrator` @ `6cc3ed4` (pushed). Cleaned up `/tmp` scratch +
 cold-clone artifacts. Claiming the gate.
 ## Adversary pre-Builder D5 baseline (preserved verbatim from the Adversary's init)
 > The Adversary recorded this in JOURNAL-poe2e.md at phase start, before I took ownership. Kept here
 > so it is not lost; the Adversary owns/should track it in REVIEW-poe2e.md.
 **Baseline @2026-06-13T19:25Z (pre-Builder):**
 - **agents.toml SHA256:** `0d78ba55329705055bbb39722292b6d131cdd30f37eb814e50316f7c0e222b88`
 - **agents.py SHA256:** `b4567b73099a587b5727a194f80a5e908d1a1589691294230e6ad1492fb9fe9a`
 - **state/phase-idx:** 18 (poe2e)
 - **tmux sessions on orchestrator (pre-Builder):** cc-ci-adv, cc-ci-assistant3, cc-ci-cleanlogs,
  cc-ci-builder, cc-ci-orchestrator, cc-ci-report, cc-ci-upgrader, cc-ci-watchdog
 - **cc-ci host tmux:** `no tmux sessions`
--- a/machine-docs/JOURNAL-porepo.md
+++ b/machine-docs/JOURNAL-porepo.md
@ -0,0 +1,64 @@
 # JOURNAL — phase porepo (Builder)
 ## 2026-06-13T19:05Z — Bootstrap / orientation
 Read the phase plan, `plan-agent-orchestrator.md`, and the harness README at
 `/home/loops/aoeng/agent-orchestrator/README.md`. Key facts established:
 - Harness `agent-orchestrator` is built + tagged `v0.1.0` (tag object `a89d30f` → commit `289ef07`).
  Working clone: `/home/loops/aoeng/agent-orchestrator`. Repo is **public** on Gitea
  (`private:false`), so a fresh `git clone --recurse-submodules` fetches `engine/` without creds.
 - `engine/agents.py status` only needs a valid `agents.toml` (it reads config, prints a table;
  does not require running sessions or live backends). So a PO config with one persistent
  `project-orchestrator` agent will pass `status`.
 - Config schema (README): `[watchdog]`, `[backend.<name>]`, `[defaults]` (session_prefix + log_dir
  REQUIRED), `[[agent]]`/`[[service]]`, `[loop]`. `project_dir` resolves relative paths.
 - One-directional knowledge: the PO repo holds the fleet registry (`fleet.toml`); a project repo
  holds NO PO/fleet metadata — engine submodule pin + PO's fleet.toml are the only record of
  project↔harness↔ref.
 Decision: pin `engine/` at the **commit** the `v0.1.0` tag points to (`289ef07`), per DoD wording
 "pinned to agent-orchestrator v0.1.0". The tests commit `cdcece9` is *after* the tag and is not
 required.
 Gitea API reachable with bot creds (200); `recipe-maintainers/project-orchestrator` does not yet
 exist (404); org `recipe-maintainers` exists (id 65).
 ## 2026-06-13T19:20Z — Built + cold-verified, claiming gate
 Built the whole PO repo in `/home/loops/porepo/project-orchestrator`, pushed `main` at `346ed31`.
 Design choices (the WHY behind STATUS facts):
 - **PO agent is a single `persistent` fleet-management agent**, not a `[loop]` pair — the plan says
  "a persistent project-orchestrator agent is enough to start; add a loop only if useful." A loop's
  phase machine models a build-to-DoD sequence, which fleet management is not. So no `[loop]` block;
  `status` simply prints the agents table (no phase line). Hourly `wake` → `prompts/supervise.md`
  gives it a periodic read-only fleet sweep.
 - **`fleet.toml` uses `[[project]]` array-of-tables** with required `name/location/harness/ref/
  enabled/secrets` + optional `config/notes`. `scripts/fleet.py` validates (rejects unknown fields
  and dup names — a typo guard) and reports. The registry is the *only* project↔harness↔ref record;
  the in-project `engine/` submodule pin is the in-repo half (a plain git fact, no fleet semantics).
 - **create-project.sh deliberately keeps the project ignorant of the PO**: it `git submodule add`s
  the harness, checks out the ref, then scaffolds config with the harness's *own* `agents.py init`
  (harness-only config), stamps a unique `session_prefix`, and commits. Registering in `fleet.toml`
  is a *separate*, opt-in `--register` step that writes only to the PO side. The scratch project's
  tracked files are exactly `.gitignore .gitmodules agents.toml` — zero PO/fleet metadata.
 - **Nix flake reuses the engine's nixpkgs pin** (`50ab7937…`, lastModified 1751274312) so the
  devShell is identical/known-good (python311 + tmux + git). flake.lock written by hand to match.
 - **Pinned engine at the v0.1.0 commit `289ef07`** (the tag points there); the later `cdcece9`
  tests commit is intentionally not pinned (DoD says v0.1.0).
 Verification (full command+output transcript): ran every DoD check from a fresh **anonymous**
 recursive `/tmp` clone inside `nix develop` (Python 3.11.11, tmux 3.5a, git 2.47.2). All passed:
 recursive submodule fetch worked with no creds; `agents.py status` listed the PO agent; `fleet.py
 validate` → `OK — 1 project(s), schema v1`; `import tomllib` rc=0; `create-project.sh` produced a
 valid standalone scratch project (`engine` @ v0.1.0, status rc=0, grep → `clean: no PO/fleet
 metadata`). Cleaned up all /tmp scratch artifacts. Exact commands + expected outputs mirrored into
 STATUS-porepo.md for the Adversary.
 ### File-ownership coordination note
 The Adversary had pre-created STATUS-porepo.md / JOURNAL-porepo.md as placeholders before I started.
 Per protocol §6.1 these are Builder-owned (STATUS is the authoritative `## DONE` handshake file the
 Adversary verifies against; JOURNAL is my reasoning). I took them over and left REVIEW-porepo.md +
 the `## Adversary findings` section of BACKLOG-porepo.md to the Adversary. Sent an ADVERSARY-INBOX.md
 heads-up so it keeps its tracking in REVIEW.
--- a/machine-docs/JOURNAL-prevb.md
+++ b/machine-docs/JOURNAL-prevb.md
@ -0,0 +1,158 @@
 # JOURNAL — phase `prevb` (Builder reasoning; append-only)
 ## 2026-06-17 — Bootstrap + recon
 Read SSOT (plan-phase-prevb), plan.md §6.1/§7/§9, Adversary's REVIEW-prevb (live, idle awaiting M1 claim).
 **Mapped the harness upgrade flow** (`runner/run_recipe_ci.py`, `harness/lifecycle.py`,
 `harness/generic.py`, `harness/meta.py`, `harness/canonical.py`):
 - Base decision: `upgrade_base(stages, meta, recipe)` → `None` if upgrade∉stages or EXPECTED_NA[upgrade],
  else `meta.UPGRADE_BASE_VERSION or lifecycle.previous_version(recipe)` (= `recipe_versions[-2]`).
  `base = prev or target`; `prev` also gates whether the upgrade tier runs.
 - Deploy: `deploy_app(version=base)` → pinned `recipe_checkout(version)` + (auto-chaos if overlay/lightweight tag);
  `version=None` → chaos deploy of the current (head) checkout.
 - Overlay `compose.ccci.yml`: copied into the checkout (`provide_ccci_overlay`), referenced by
  `EXTRA_ENV.COMPOSE_FILE`, persists untracked across the head re-checkout → applies to ALL deploys.
 - Upgrade op (`generic.perform_upgrade`): `recipe_checkout_ref(head_ref)` then chaos redeploy; the
  ccci overlay persists → leaks version-specific pins onto the head. **That is the bug.**
 - Last-green source: `canonical.read_registry(recipe)` → `{version, commit, status}` (promoted only on
  GREEN LATEST cold runs for `WARM_CANONICAL` recipes). No separate "last-green" file.
 **Ground-truth discourse facts** (gitea API, verified — see STATUS for the table). Key correction vs
 plan §3 prose: main is `bitnamilegacy/discourse:3.5.0` (not 3.3.1 — main advanced). Thesis holds: base
 (last-green/main = bitnamilegacy 3.5.0, deployable) → head (PR #4 = official discourse/discourse:3.5.3,
 sidekiq dropped). So discourse needs NO `previous/`; the env overlay shrinks to `order: stop-first`.
 **Design decisions (WHY):**
 - *Resolution order* last-green → main-tip → skip. main-tip = the recipe's `main` branch HEAD = the true
  predecessor the PR merges onto (more faithful than the old `vers[-2]`, which could span 2 version jumps).
  This intentionally changes EVERY recipe's default base from `vers[-2]` to main-tip — plan-mandated, not a
  regression; M2 spot-check validates representative recipes still go green.
 - *Keep `UPGRADE_BASE_VERSION` as an optional explicit override* (still wins when set), but remove it from
  discourse and make the DEFAULT dynamic. Rationale: fully deleting the meta field would break `plausible`
  (its meta sets it) and the documented "PR adds a version above newest tag" escape hatch, without a deploy
  test — risk vs guardrail "don't regress other recipes". The plan's "UPGRADE_BASE_VERSION removed" is in the
  discourse-migration context; the normal/discourse path is now hardcode-free. Recorded in DECISIONS.
 - *`previous/` scoped to last-green (published-version) base only* — version-guarded by a declared target;
  on a main-tip base or version mismatch it is skipped + flagged stale. Discourse ships none (base deploys clean).
 ## 2026-06-17T00:30Z — M1 code done (unit+lint green); discourse e2e launched
 Implemented B1–B4 (commit bb2e3c6): resolve_upgrade_base/BasePlan, deploy_app base_ref+apply_previous,
 previous/ surface in lifecycle, generic.perform_upgrade strip, discourse migration, unit tests.
 Unit: 88 relevant pass (full suite 283 pass; 1 PRE-EXISTING unrelated fail
 `test_warm_reconcile::test_traefik_spec_is_stateless_with_setup` KeyError 'health_domain' — fails on
 clean HEAD, not mine; flagged for Adversary). Lint PASS.
 B5 e2e launched on cc-ci (/root/prevb-deploy @ bb2e3c6), STAGES=install,upgrade, discourse PR#4
 (REF=ae5a8180, SRC=recipe-maintainers/discourse). First log lines confirm the core mechanism:
 `== upgrade base: kind=ref ref=f87c612d71b4 (target-branch (main) tip)` → base = main-tip chaos deploy
 (bitnamilegacy:3.5.0), env overlay provided. Base now in slow Rails cold boot (15-25min). Polling ~5min.
 (lint rung fail R011 = recipe-level, a rung not a gate; prepull skipped on the known sidekiq-depends-on
 config rc=15 — non-fatal.)
 ## 2026-06-17T00:40Z — M1 GREEN locally; claiming
 discourse install,upgrade e2e GREEN (2nd run, after the prune fix). Evidence in run-prevb-disc2.log on
 cc-ci /root/prevb-deploy. The dynamic main-tip base worked first try (kind=ref f87c612d) — crucial,
 because main (0.8.1+3.5.0) is AHEAD of the newest published tag (0.7.0+3.3.1), so the OLD vers[-2]
 default (=0.6.3) would have been the wrong predecessor entirely. The upgrade moved
 0.8.1+3.5.0 (bitnamilegacy, main-tip) → 1.0.0+3.5.3 (official, PR head), chaos-version=ae5a8180+U.
 **The one real bug found+fixed (WHY):** first run, `test_head_runs_official_image` PASSED (head app =
 official 3.5.3 — the leak is gone) but `test_sidekiq_service_dropped` FAILED: `docker stack deploy`
 (what `abra app deploy` runs) only adds/updates services, it does NOT prune ones the new compose dropped,
 so the base's sidekiq orphaned on the old image. This is a swarm mechanic, not a head-deploy failure, but
 it means the deployed stack didn't faithfully reflect the head. Fix = `prune_orphan_services` in
 perform_upgrade: reconcile the live stack to the head compose's `config --services` set (remove orphans).
 Faithful (deployed stack == head), no-op when service sets match / compose unresolvable, weakens nothing.
 Decided to CLAIM with the e2e green + image/sidekiq proof and leave the deliberately-broken-head teeth
 probe to the Adversary's cold acceptance (its explicit M1 check; I can't push a broken commit to the
 recipe mirror per guardrails). STATUS spells out where the teeth hold so they know where to probe.
 ## 2026-06-17T00:45Z — M2-prep spot-checks (3 green) while M1 under Adversary review
 Ran 2 more recipes through the new dynamic base (de-risks the global resolver change; toward B8):
 - **cryptpad #5** (install,upgrade): kind=ref main-tip 36ee3451; install+upgrade PASS incl
  `test_upgrade_preserves_data` (data survived); deploy-count=1; clean teardown.
 - **keycloak #3** (install,upgrade): base branch is **master** → kind=ref main-tip 12ac6db8 via the
  origin/main→origin/master fallback in `recipe_branch_commit` (VALIDATES that path); install+upgrade
  PASS incl `test_upgrade_preserves_realm`; SSO/DEPS path exercised; deploy-count=1; clean teardown.
  Note: `prune-orphans` SAFE-SKIPPED ("head compose services unresolved — removes nothing") — keycloak's
  `config --services` returned non-zero in that context; the defensive guard correctly removed nothing
  (service set unchanged base→head anyway). Confirms prune never false-fails when compose is unresolvable.
 So 3/3 current recipes resolve to main-tip (kind=ref) and pass — no warm canonicals exist on the host
 (`find /var/lib/ci-warm -name canonical.json` empty), so last-green (kind=version) isn't exercised in e2e
 yet (it IS unit-tested). For M2 I may seed/use a warm canonical to e2e the last-green path. Pre-existing
 orphan `warm-keycloak_...` stack on the host (no registry record) — NOT from prevb; left untouched.
 Stopping new e2e launches now — the Adversary is running its own discourse cold-acceptance on the shared
 7GB node; piling on risks a memory-pressure false-failure in its run. Parking at M1 gate.
 ## 2026-06-17T01:05Z — M1 PASS; starting M2
 Adversary M1 PASS (dbc7a3b), all 8 DoD cold-verified incl. teeth: break-it probe with head image
 `discourse/discourse:99.99.99-adversary-broken` → `manifest unknown` at prepull → upgrade:fail (level 1/5),
 base still resolved to main-tip — proves base/prune/previous can't paper over a broken head. No VETO.
 Note for record: the Adversary attributed the lingering `warm-keycloak_...` stack to "Builder's concurrent
 spot-check". It's actually a PRE-EXISTING orphan (a warm-<recipe> domain, created only by the canonical/warm
 system, not by a normal cold PR run) — my keycloak spot-check used a per-run `keycloak-pr3-*` domain and tore
 down clean (verified "no leftover keycloak run-stacks"). Not a prevb leak; pre-existing cruft.
 M2 plan: B7 = discourse PR#4 !testme GREEN in real CI (Drone). Infra confirmed healthy: ccci-bridge_app 1/1
 (polls POLL_REPOS incl. discourse every 30s), drone_...app 1/1, Drone healthz 200; Drone builds cc-ci@main
 (= my prevb code). Before posting !testme publicly on PR#4, running the FULL pipeline locally first
 (STAGES=install,upgrade,backup,restore,custom) to de-risk backup/restore/custom under the new model (my
 local runs so far were install,upgrade only). If a non-prevb tier fails I fix/triage first, then !testme.
 ## 2026-06-17T01:30Z — All 5 discourse tiers green locally; posting !testme (B7)
 Full local run (run-prevb-disc-full) found ONE failure: custom `test_create_topic_roundtrip` — `mint_admin`
 hardcoded the bitnamilegacy path `/opt/bitnami/discourse` (404 on the official head). This is a DIRECT
 consequence of prevb working (the head is now genuinely official, not overlay-reverted to bitnamilegacy).
 Fixed `_discourse.py::mint_admin` image-agnostic (b66abc4): detect /var/www/discourse (official) vs
 /opt/bitnami/discourse (legacy); on official re-export DISCOURSE_DB_PASSWORD from /run/secrets/db_password
 (entrypoint exports it only for boot) and run bin/rails as root (official image USER is empty → exec=root;
 verified it works). Re-run (install,upgrade,custom) → custom PASS (all 3 custom tests green).
 Tier status (across run-prevb-disc-full + run-prevb-disc-custom): install✓ upgrade✓ backup✓ restore✓ custom✓.
 So the real-CI !testme full pipeline should be green. Posting !testme on discourse PR#4 as autonomic-bot
 (authorized org member) → bridge (polls every 30s) triggers a Drone build of cc-ci@main (= prevb code).
 ## 2026-06-17T01:33Z — B7 DONE: discourse PR#4 !testme GREEN in real CI (Drone 717)
 Posted !testme as autonomic-bot (comment 14597); bridge replied in ~16s (build 717), bridge final
 comment "✅ passed" @01:32:55Z. Run 717 junit (cold-readable at /var/lib/cc-ci-runs/717/junit/): ALL
 10 suites failures=0 errors=0 — install / upgrade(generic+cc-ci) / backup(generic+cc-ci) /
 restore(generic+cc-ci) / custom(create_topic+health_check+site_basic). upgrade__cc-ci proves
 test_head_runs_official_image_not_bitnamilegacy + test_sidekiq_service_dropped_by_head PASS. Clean
 teardown (no discourse stacks). This is the M2 headline: the migration is REALLY tested in real CI.
 Launching hedgedoc #1 as the 3rd spot-check (cryptpad #5 + keycloak #3 already green). Then reconcile + claim M2.
 ## 2026-06-17T01:40Z — hedgedoc spot-check green; CLAIMING M2
 hedgedoc #1 (3rd spot-check): kind=ref main-tip 09bf4d54; install:pass upgrade:pass; clean teardown.
 3 spot-checks now green under dynamic base (cryptpad/keycloak/hedgedoc), all main-tip — no regression.
 discourse 717 results.json level=4/5. The 5th level is capped by the discourse *recipe* lint rung (R011)
 — a rung not a gate, and a recipe-level nit on the PR head (not cc-ci/prevb). The run is GREEN (bridge
 "✅ passed", all 5 functional tiers junit 0-fail). Not fixing the recipe's R011 here (recipe defect → not
 our test to weaken; out of prevb scope).
 Records reconciliation: 717's artifacts (results.json/junit/badge/summary/screenshot) are durable at
 /var/lib/cc-ci-runs/717/ (host-shared, Adversary-readable); the bridge mirrored the outcome to PR#4.
 No warm canonicals to reconcile (none exist). Pre-existing warm-keycloak orphan left untouched (not prevb).
 Claiming M2. Adversary cold-verifies (re-read 717 junit / re-trigger !testme / re-run a spot-check); then
 I write ## DONE once REVIEW-prevb shows fresh M1+M2 PASS with no VETO.
 ## 2026-06-17T01:58Z — M2 PASS → ## DONE
 Adversary M2 PASS (1c3ba71): all 6 M2 DoD items cold-verified incl. its own independent cryptpad#5 re-run;
 discourse 717 real-CI GREEN with live-swarm-image teeth (official 3.5.3, sidekiq gone); lint R011
 code-verified non-gating; public surface secret-clean; nothing merged. Both M1(01:03Z)+M2(01:58Z) fresh
 PASS, no VETO. DONE handshake satisfied → wrote ## DONE to STATUS-prevb. Phase prevb complete. Stopping loop.
--- a/machine-docs/JOURNAL-pvcheck.md
+++ b/machine-docs/JOURNAL-pvcheck.md
@ -0,0 +1,87 @@
 # JOURNAL — phase pvcheck (post-proxy verification)
 Builder-private reasoning and working notes. Anti-anchoring: Adversary reads STATUS for claims, not this file.
 ---
 ## 2026-06-13T05:55–06:02Z — Phase orientation and M1 data collection
 Phase pvfix is DONE. Entered pvcheck. No phase files existed yet — the Adversary had proactively created REVIEW-pvcheck.md and BACKLOG-pvcheck.md with a baseline probe at 05:56Z.
 **Adversary baseline findings (from REVIEW-pvcheck.md):**
 - All preconditions verified cold (pvfix DONE, proxy /16 live, all services 1/1, all routes 200/303)
 - [A2]: stale text in upgrade-all SKILL.md — "per-run safety net until that lands" (fix: proxy /16 HAS landed)
 **My verification runs:**
 ```
 $ ssh cc-ci 'docker network inspect proxy --format "{{range .IPAM.Config}}{{.Subnet}}{{end}}, Endpoints: {{len .Containers}}"'
 10.10.0.0/16, Endpoints: 7
 $ curl -sk -o /dev/null -w "%{http_code}" https://ci.commoninternet.net/ → 200
 $ curl -sk -o /dev/null -w "%{http_code}" https://drone.ci.commoninternet.net/ → 303
 $ curl -sk -o /dev/null -w "%{http_code}" https://report.ci.commoninternet.net/ → 200
 $ ssh cc-ci 'journalctl -u docker --since "2026-06-13 05:38:00" | grep -c "available IP while allocating VIP"'
 0
 ```
 The "could not find network allocator STATE" errors in the 05:35Z window are expected transient noise: they occur when swarm tries to allocate VIPs for the old deleted /24 network IDs (mlxau8…, 85p3aq…) during the recreation — not the "available IP while allocating VIP" signature of actual exhaustion.
 **A2 fix applied:**
 - Edited `/srv/cc-ci-orch/.claude/skills/upgrade-all/SKILL.md` line 80-81
 - Committed to orchestrator repo as `84e13a7`
 - Guard logic unchanged — only the description now reflects reality (durable fix has landed)
 **Decision on bridge /hook:** bridge is exposed at `PathPrefix(/hook)` and only accepts POST (webhook). A GET to `/hook` returns 404 — expected; health is confirmed via service logs showing the poller running and commenting on repos.
 **M1 claim:** All control-plane facts documented. Claiming M1 now. Will work on M2 while awaiting verdict.
 ---
 ## 2026-06-13T06:02Z — M2 planning
 M2 requires:
 1. Real recipe CI run through proxy — will use a small enrolled recipe like `hedgedoc` or `cryptpad` if a !testme PR exists, or trigger via the harness directly
 2. Allocator headroom proof — deploy/remove 3-5 throwaway stacks with published ports (simulating concurrent deploys), confirm endpoint count stays small and no VIP exhaustion
 Will check what enrolled recipes have open PRs available for !testme first.
 ---
 ## 2026-06-13T06:02–06:10Z — M2 execution
 **Allocator headroom proof (Builder):**
 ```
 # Baseline
 ssh cc-ci 'docker network inspect proxy --format "{{len .Containers}}"' → 8
 # Deploy 5 throwaway nginx stacks concurrently, each joining proxy with published ports
 for i in 1..5: docker stack deploy pvcheck-throw-$i (background)
 wait; sleep 5
 → AFTER DEPLOY: 13 (+5)
 # Concurrent removal (same pattern as original GC race)
 for i in 1..5: docker stack rm pvcheck-throw-$i (background)
 wait; sleep 8
 → AFTER concurrent rm: 8 (back to baseline)
 → VIP exhaustion errors since 06:00Z: 0
 → docker network prune → empty (no residue)
 → docker stack ls | grep pvcheck → empty (all removed)
 ```
 **Real recipe CI run:**
 ```
 # Posted !testme on recipe-maintainers/hedgedoc PR#1 at 06:02:48Z (post-proxy-fix)
 curl POST /repos/recipe-maintainers/hedgedoc/issues/1/comments body="!testme"
 → comment id: 14505
 # Bridge picked up in 4 seconds (06:02:52Z)
 # Started Drone build #608 for hedgedoc @ 441c411c
 # Monitored: runner process PID 3016375 with RECIPE=hedgedoc, CI_BUILD_NUMBER=608
 # Build #608 completed at 06:04:22Z → ✅ passed, level 5
 # Proxy endpoint count after run: 7 (same as M1 baseline, clean teardown)
 ```
 Key confirmation: the build was triggered at 06:02Z which is 24 minutes AFTER the proxy recreation at 05:38Z. Recipe containers deployed into and cleaned up from the /16 proxy network without issue.
--- a/machine-docs/JOURNAL-pvfix.md
+++ b/machine-docs/JOURNAL-pvfix.md
@ -0,0 +1,154 @@
 # JOURNAL — phase pvfix
 ## 2026-06-13T05:29Z — Bootstrap + M1 patch
 ### Context gathered
 Read the phase plan + runbook. Key facts:
 - Root cause confirmed: proxy is `10.0.1.0/24` (254 VIPs), Docker GC race leaks endpoints → pool exhaustion
 - Fix: enlarge to `/16` (`--subnet 10.10.0.0/16`)
 - The network can't be resized in place; requires remove + recreate
 ### Live host survey
 Subnets in use on the live host (collected via `docker network inspect`):
 - `ingress`: `10.0.0.0/24`
 - `proxy`: `10.0.1.0/24` (current — to change)
 - `traefik internal`: `10.0.2.0/24`
 - `warm-keycloak internal`: `10.0.3.0/24`
 - `backups default`: `10.0.4.0/24`
 - `bridge`/`docker_gwbridge`: `172.17/18.0.0/16`
 `10.10.0.0/16` is clean — no conflicts. Host eth0: `91.98.47.73/32`, Tailscale: `100.95.31.88/32`. 
 No route entries for `10.10.x.x` in `ip route show`.
 ### Services on proxy (will be disrupted during maintenance)
 From `docker service ls` + per-service network inspection:
 - `traefik_ci_commoninternet_net_app` — uses proxy
 - `drone_ci_commoninternet_net_app` — uses proxy
 - `ccci-bridge_app` — uses proxy
 - `ccci-dashboard_app` — uses proxy
 - `ccci-reports_app` — uses proxy
 - `warm-keycloak_ci_commoninternet_net_app` — uses proxy
 NOT on proxy: `backups_ci_commoninternet_net_app`, traefik socket-proxy, warm-keycloak DB.
 ### Deployment mechanism
 - `swarm-init.service` — oneshot, creates proxy. Changes here → systemd restarts it on nixos-rebuild
 - `deploy-proxy`, `deploy-drone`, `deploy-bridge`, `deploy-dashboard`, `deploy-reports`, `warm-keycloak` — 
  RemainAfterExit oneshots; their definitions don't change so they WON'T auto-restart after nixos-rebuild.
  Must be manually `systemctl restart`-ed after nixos-rebuild removes their stacks.
 ### Design choice: why 10.10.0.0/16
 - Must be `/16` for ~65k VIP headroom
 - Must not overlap `10.0.0.0/24` (ingress) or any of the `10.0.1-4.0/24` per-stack overlays
 - The Docker default-addr-pool is `10.0.0.0/8` — any `/16` in that range is fine as long as 
  it doesn't overlap an existing allocation
 - `10.10.0.0/16` is the first clean `/16` outside the current allocation band — clear of `10.0.x.x`
  while still in Docker's pool. No host route conflicts.
 ### swarm.nix patch
 Added `--subnet 10.10.0.0/16` to the `docker network create` call.
 Also added a short comment explaining the motivation (required WHY per §7 comment policy for non-obvious constraint).
 ### Maintenance window state
 Host state at time of claim:
 - `docker stack ls` shows 6 stacks: backups, ccci-bridge, ccci-dashboard, ccci-reports, drone, traefik, warm-keycloak
 - NO active recipe CI runs (only warm stacks, no test app containers)
 - Confirmed with `docker ps --format "{{.Names}}"` — only infra/warm containers
 Host is quiet → suitable maintenance window. No active upgrade-all or !testme runs.
 ---
 ## 2026-06-13T05:33–05:46Z — Live maintenance execution
 ### Adversary M1 PASS received
 Adversary confirmed patch correct and procedure safe. Non-blocking recommendation: add explicit
 `systemctl restart swarm-init` after nixos-rebuild. Adopted.
 ### Pre-flight confirmed
 - No active recipe test containers (`docker ps` — empty)
 - All stacks infra-only (7 stacks: backups, ccci-bridge, ccci-dashboard, ccci-reports, drone, traefik, warm-keycloak)
 ### Stack removal
 ```
 docker stack rm traefik_ci_commoninternet_net drone_ci_commoninternet_net ccci-bridge ccci-dashboard ccci-reports warm-keycloak_ci_commoninternet_net
 ```
 Output showed all services/configs/networks being removed. proxy drained in ~12s (4 polling attempts).
 ### Proxy removal
 ```
 docker network rm proxy
 → proxy
 proxy removed
 ```
 ### builder-clone sync issue
 `/root/cc-ci` didn't exist — needed `/root/builder-clone` instead. The builder-clone was at `e1c4198` (old). 
 `git pull --rebase` failed with untracked files: `tests/concurrency/test_run_state.py`.
 Moved to `/root/test_run_state.py.bak`. Second pull succeeded, fast-forwarded to `b6e12ef`.
 Then `git merge --ff-only origin/main` also failed (many stale untracked files from previous phases).
 Moved all conflicting files to `/root/stash-pvfix/`. Successfully merged to `caef217` (latest main).
 Confirmed `grep subnet /root/builder-clone/nix/modules/swarm.nix` → `--subnet 10.10.0.0/16`.
 ### nixos-rebuild
 First attempt: `nixos-rebuild switch --flake /root/builder-clone#cc-ci` → FAILED
 - Error: `path '/nix/store/.../secrets/secrets.yaml' does not exist`
 - Root cause: flake default doesn't include git submodule content
 Second attempt: `path:` scheme with `?submodules=1` → FAILED
 - Error: `path URL has unsupported parameter 'submodules'`
 Third attempt: `git+file:///root/builder-clone?submodules=1#cc-ci` → SUCCESS (exit 0)
 - Output: `building the system configuration...` (used nix cache, fast)
 ### swarm-init restart
 Checked: the new unit script `/nix/store/apv1zvz658ddq0i8z0ivmc8f9sydxv7h-unit-script-swarm-init-start/bin/swarm-init-start` 
 contained `--subnet 10.10.0.0/16`. The service was still showing "active" from its old run (Jun 12).
 Ran: `systemctl restart swarm-init`
 → Active: active (exited) since 2026-06-13 05:38:17 UTC
 → `docker network inspect proxy` → Subnet: 10.10.0.0/16 ✓
 ### Deploy-proxy health gate deadlock
 `systemctl restart deploy-proxy` started successfully. Traefik deployed.
 But health gate (`ci.commoninternet.net → 200`) failed because dashboard not yet deployed.
 Reconciler logged: `[traefik] on latest 5.1.1+v3.6.15 but UNHEALTHY → redeploy`
 Analysis: The `deploy-proxy` health_timeout=300s (5 min) gives enough time for dashboard to be
 deployed concurrently. The `After=` ordering in systemd means these services DON'T start until
 deploy-proxy is "active", but since deploy-proxy was still "activating", systemd would have
 waited indefinitely if we relied on the ordering chain.
 Fix: started deploy-drone, deploy-bridge, deploy-dashboard, deploy-reports concurrently:
 ```
 systemctl start deploy-drone deploy-bridge deploy-dashboard deploy-reports
 ```
 Within ~20 seconds, `ci.commoninternet.net` returned 200. Deploy-proxy health gate passed.
 ### Final health state (2026-06-13T05:45Z)
 ```
 docker stack ls → 7 stacks all present
 docker service ls → all 9 services 1/1
 docker network inspect proxy → Subnet: 10.10.0.0/16
 ci.commoninternet.net → HTTP/2 200
 drone.ci.commoninternet.net → HTTP/2 303
 systemctl is-active deploy-proxy deploy-drone deploy-bridge deploy-dashboard deploy-reports warm-keycloak
 → active active active active active active
 ```
--- a/machine-docs/JOURNAL-pxgate.md
+++ b/machine-docs/JOURNAL-pxgate.md
@ -0,0 +1,137 @@
 # JOURNAL — phase pxgate (Builder)
 ## 2026-06-13 — Phase start
 **Orientation:**
 - Phase plan read: `/srv/cc-ci/cc-ci-plan/plan-phase-pxgate-proxy-healthgate.md`
 - A1 finding from BACKLOG-pvfix.md: confirmed. Root cause exactly as stated.
 - Pre-check: `https://traefik.ci.commoninternet.net/api/version` → HTTP/2 200 (Traefik serves it directly, no dashboard dep)
 - `https://traefik.ci.commoninternet.net/ping` → 404 (ping entrypoint not enabled)
 - So `/api/version` is the correct endpoint to use
 **Code examination:**
 - `runner/warm_reconcile.py` lines 117-127: traefik spec uses `health_domain: "ci.commoninternet.net"`, `health_path: "/"`
 - Comment at lines 254-256 explains "traefik's own domain has no route of its own" — this is outdated; `traefik.ci.commoninternet.net/api/version` does have a route and returns 200
 - `nix/modules/proxy.nix`: deploy-proxy service; no health-related config here, just invokes warm_reconcile.py
 - `nix/modules/dashboard.nix`: `after = [ "deploy-bridge.service" "deploy-proxy.service" ... ]` — confirms the ordering
 **Other consumers of `After=deploy-proxy.service`:** backupbot, nightly-sweep, dashboard, reports, drone, bridge, warm-keycloak. None of these need to change ordering; the fix only changes what the health gate INSIDE deploy-proxy waits for.
 **Fix approach (committed to DECISIONS.md):** change health probe to `traefik.ci.commoninternet.net/api/version`. This is traefik's built-in API (no backend needed). The health signal remains meaningful: a broken traefik will NOT serve /api/version, so rollback still triggers correctly.
 **Fix applied:**
 - `runner/warm_reconcile.py` traefik spec: removed `health_domain: "ci.commoninternet.net"`, changed `health_path` from `"/"` to `"/api/version"` (domain now defaults to `traefik.ci.commoninternet.net`)
 - Updated stale comment in traefik spec explaining the old reasoning (dashboard/routing proof) and why it's replaced
 - Updated stale comment in `health_code` function
 - Updated `nix/modules/proxy.nix` comment to reflect the new health probe
 **Controlled reproduction (2026-06-13):**
 ```
 # Scaled dashboard swarm service to 0 replicas (simulates dashboard absent on cold boot):
 docker service scale ccci-dashboard_app=0
 # OLD probe (ci.commoninternet.net) with dashboard scaled to 0:
 curl -sk -o /dev/null -w "%{http_code}" --max-time 5 --resolve "ci.commoninternet.net:443:127.0.0.1" "https://ci.commoninternet.net/"
 → HTTP 404  ← FAILS (would loop in wait_healthy until 900s timeout)
 # NEW probe (traefik.ci.commoninternet.net/api/version) with dashboard scaled to 0:
 curl -sk -o /dev/null -w "%{http_code}" --max-time 10 --resolve "traefik.ci.commoninternet.net:443:127.0.0.1" "https://traefik.ci.commoninternet.net/api/version"
 → HTTP 200  ← PASSES immediately (traefik's own API, no dashboard dependency)
 # New probe body:
 → {"Version":"3.6.15","Codename":"ramequin","startDate":"2026-06-13T05:38:02.987423426Z"}
 # Dashboard restored:
 docker service scale ccci-dashboard_app=1  → 1/1 ✓
 systemctl start deploy-dashboard
 curl -sk https://ci.commoninternet.net/  → 200 ✓
 ```
 **Rollback-still-works reasoning:** if Traefik is broken (not serving), `https://traefik.ci.commoninternet.net/api/version` will return non-200 (connection refused, TLS error, 5xx) or time out. `wait_healthy` polls this and triggers rollback on failure. The new probe is not weaker — it probes the same Traefik process. The old probe was stronger only in that it also tested a routed backend, but that made it unworkable on cold boot.
 **DEFERRED.md update:** 2026-06-13 entry closed with this fix commit.
 **Alert clearance:**
 ```
 # /var/lib/ci-warm/alerts/20260613T054428Z-traefik-unhealthy-on-latest.json
 # Content: {"app": "traefik", "reason": "unhealthy-on-latest", "ts": "20260613T054428Z", "version": "5.1.1+v3.6.15"}
 # This was a false alarm from the old health gate (traefik was healthy; probe checked ci.commoninternet.net
 # which wasn't up yet due to the circular dependency). No credentials in the file.
 ssh cc-ci 'rm /var/lib/ci-warm/alerts/20260613T054428Z-traefik-unhealthy-on-latest.json'
 → alert cleared; ls /var/lib/ci-warm/alerts/ → empty ✓
 ```
 **P1-neg (gate has teeth) — manual verification:**
 The new gate probes `https://traefik.ci.commoninternet.net/api/version`. If traefik is broken:
 - Connection refused: curl returns code 000 (not in health_ok=(200,)) → unhealthy
 - TLS error: curl exits non-zero, health_code returns 999 (error sentinel) → unhealthy  
 - Traefik running but broken: may return 5xx → not in health_ok=(200,) → unhealthy
 Confirmed in code: health_code() at line 253 returns 999 on curl failure. P1-neg holds by construction.
 **Next:** commit + claim M1. → M1 PASS received @13:00Z. Awaiting orchestrator nixos-rebuild for M2.
 ## 2026-06-13T13:24Z — Builder poll (M2 monitoring)
 Builder loop re-launched by orchestrator. Checked current state:
 - deploy-proxy: `active (exited)` since 05:44:28 UTC (OLD probe still live)
 - Active reconcile script: `/nix/store/ls5d6s7q2892z0n0qv7sfk03zimwx3nd-runner/warm_reconcile.py` (old — has `health_domain: "ci.commoninternet.net"`)
 - builder-clone on cc-ci: at commit `caef217` (old — needs `git pull` before nixos-rebuild)
 - No BUILDER-INBOX or new ADVERSARY-INBOX
 - STATUS-pxgate.md M2 section has full orchestrator instructions (pull + nixos-rebuild switch)
 Monitoring loop active. Will poll every ≤10 min for nixos-rebuild completion.
 ## 2026-06-13T13:35Z — Adversary verdict received + builder-clone fix
 Adversary pushed `review(pxgate): idle break-it probes PASS @13:31Z`. All idle probes PASS:
 - P_stability: /api/version 200 (6/6 probes from orchestrator + cc-ci)
 - P_services: all 9 Docker services 1/1
 - P_alerts: alerts/ empty
 - P_leak: no secrets in /api/version response
 - P_ping_still_404: /ping still 404 (correct)
 - Re-confirmed builder sentinel discrepancy (999 vs 0): non-blocking, code correct
 **Key finding from Adversary:** builder-clone on cc-ci was on branch `restructure/concurrency` at `caef217` — 288 commits behind main. Fixed:
 ```
 ssh cc-ci 'cd /root/builder-clone && git checkout main && git pull'
 → Switched to branch 'main'; fast-forwarded 288 commits to d23baf8
 ```
 STATUS-pxgate.md updated to include `git checkout main` safeguard in nixos-rebuild instructions.
 Builder-clone is now pre-staged on main at d23baf8 — orchestrator only needs to run nixos-rebuild.
 ## 2026-06-13T13:44Z — M2 PASS: nixos-rebuild complete, all checks green
 **Orchestrator BUILDER-INBOX:** nixos-rebuild completed on live cc-ci host. Fixed committed.
 - Used `/root/cc-ci-deploy` (not builder-clone) + operator-held secrets.yaml
 - `nixos-rebuild switch --flake .#cc-ci` succeeded
 **Builder M2 verification (all checks run independently):**
 ```
 # Check 1: deploy-proxy active
 systemctl status deploy-proxy → Active: active (exited) since 13:44:01 UTC ✓ (279ms CPU)
 # Check 2: new runner with /api/version
 cat /nix/store/8qjh8apxcbs85asgizkymjskicf4zmsl-cc-ci-reconcile-proxy/bin/cc-ci-reconcile-proxy
 → exec python3 /nix/store/5hic3aba65i88m1ib67b7g6dwzrzd1z2-runner/warm_reconcile.py traefik
 grep '"traefik"' .../warm_reconcile.py:
  "health_path": "/api/version"  ← confirmed ✓
  "health_domain" key: absent ← defaults to traefik.ci.commoninternet.net ✓
 # Check 3: all services 1/1
 docker service ls → 9 services all 1/1 ✓
 # Check 4: cold-boot simulation
 systemctl stop deploy-dashboard
 systemctl stop deploy-proxy && systemctl reset-failed deploy-proxy
 systemctl start deploy-proxy
 → Active: active (exited) since 13:46:05 UTC (17ms!) — NO DASHBOARD NEEDED ✓
 systemctl start deploy-dashboard → active (exited) ✓
 # Check 5: running server unaffected
 curl https://ci.commoninternet.net/ → 200 ✓
 curl https://traefik.ci.commoninternet.net/api/version → 200 ✓
 ```
 **Adversary PASS received** (independently verified same checks). "Builder may write ## DONE."
 STATUS-pxgate.md updated with M2 PASS + ## DONE. BUILDER-INBOX consumed.
--- a/machine-docs/JOURNAL-rcust.md
+++ b/machine-docs/JOURNAL-rcust.md
@ -0,0 +1,307 @@
 # JOURNAL — sub-phase rcust (Builder)
 ## 2026-06-10 bootstrap
 Read phase plan (recipe-custom-restructure-full-plan.md), plan.md §6.1/§7/§9, and the reference
 spec docs/recipe-customization.md @ 76a4b6b in full. Created phase state files. Work branch will
 be `restructure/recipe-custom` off main @ 76a4b6b. Starting P1: reading the six current loaders
 (run_recipe_ci.py::_load_meta, conftest.py::_recipe_meta, lifecycle.py::_recipe_extra_env,
 lifecycle.py::_recipe_meta_flag, deps.py::declared_deps, canonical.py::is_canonical_enrolled)
 before writing harness/meta.py.
 ## 2026-06-10 P1 — single loader + registry (branch 472a68b)
 Wrote runner/harness/meta.py: KEYS registry (14 keys + CHAOS_BASE_DEPLOY/OIDC_AT_INSTALL/
 SKIP_GENERIC kept registered as deprecated=True so P1 lands green before P2 deletes them),
 RecipeMeta generated from KEYS via dataclasses.make_dataclass (frozen; field set cannot drift from
 the registry), load() = the only exec() of recipe_meta.py, MetaError on unknown ALL-CAPS/type
 mismatch/callable-on-data-key, difflib suggestion in the unknown-key message. BACKUP_CAPABLE keeps
 its tri-state via default None (None = auto-detect — preserves the old `"BACKUP_CAPABLE" in meta`
 semantics in generic.backup_capable).
 Migrations: orchestrator loads once + passes meta down (deploy_app/perform_upgrade/_perform_op/
 run_lifecycle_tier all take the object); conftest meta fixture returns full RecipeMeta (R3 closed);
 lifecycle._recipe_extra_env/_recipe_meta_flag and deps.declared_deps deleted; canonical.is_enrolled
 + enrolled_recipes go through meta.load (tests monkeypatch meta.TESTS_DIR now instead of
 canonical.__file__); screenshot._load_screenshot_hook reads the attribute (R2 fixed — unit test
 proves SCREENSHOT survives the real orchestrator load path). deploy_app keeps an optional
 meta=None fallback (loads via the single loader) for fixture/manual callers — exec still happens
 in exactly one function.
 Effective-value safety check before committing: dumped non_default() for all 21 recipe dirs through
 the new loader — every recipe's customized key set matches its recipe_meta.py source (e.g. mumble:
 DEPLOY_TIMEOUT/EXTRA_ENV/HEALTH_OK/READY_PROBE/UPGRADE_EXTRA_ENV). One intentional delta class:
 deps.deploy_deps' fallback timeouts for a MISSING dep meta change from literal 900/600 to loading
 the dep's real meta (orchestrator path always supplied metas, so CI behavior is identical).
 Verified on cc-ci (rsynced working tree before committing):
  cc-ci-run -m pytest tests/unit -q  -> 175 passed
  nix develop .#lint --command scripts/lint.sh -> lint: PASS
 Three pre-existing f212 unit tests passed dicts to wait_ready_probes — updated mechanically to
 construct RecipeMeta via dataclasses.replace (assertions untouched).
 Next: P2a compose.ccci.yml first-class + auto-chaos.
 ## 2026-06-10 P2 — legacy keys & paths deleted (branch 8cd72fd)
 P2a: lifecycle.provide_ccci_overlay copies tests/<recipe>/compose.ccci.yml into the per-run
 checkout (after install_steps hook, before prepull/deploy); pinned base deploys auto-chaos on
 overlay presence (has_ccci_overlay replaces the meta.CHAOS_BASE_DEPLOY elif). ghost/discourse
 install_steps.sh were copy-only -> deleted whole; their metas keep COMPOSE_FILE in EXTRA_ENV
 (unchanged wiring, the harness now owns the copy).
 P2b: oidc_at_install condition removed — `if declared:` provisions before the single deploy,
 legacy post-deploy block + _run_setup_custom_tests_hook deleted. lasuite-docs install_steps.sh is
 the meet/drive hook with docs' exact env names (diffed against the deleted setup_custom_tests.sh:
 same keys incl. OIDC_OP_DISCOVERY_ENDPOINT + scopes 'openid email profile'; secret-insert bump
 identical; only the abra-redeploy step is gone — the single deploy reads the env instead).
 lasuite-drive's MinIO bucket one-shot -> ops.py pre_install (runs at install-tier start, post-
 deploy; bucket lives in the minio volume so it survives upgrade/restore; same scale --detach +
 30x3s poll as the shell version). run_quick: deps still provision (realm/creds), hook call gone —
 no quick-enrolled recipe declares DEPS today; noted inline.
 P2c: SKIP_GENERIC out of the registry; _skip_generic(op) env-only; skip_generic_env_overrides()
 prints a `!!` warning when active under DRONE (P5 will embed in the manifest).
 P2d: conftest deps fixture = dict of _DepEntry (dict subclass w/ attribute sugar) — the 6 lasuite
 files only ever used deps_creds, renamed param to deps, zero assertion changes. NOTE for Adversary:
 some assert MESSAGE strings ('setup_custom_tests should have populated this.' -> 'dep
 provisioning...') and docstrings updated — message text only, no assert logic/expected values.
 Verified on cc-ci (rsync of working tree): cc-ci-run -m pytest tests/unit -q -> 175 passed;
 nix develop .#lint --command scripts/lint.sh -> PASS. Doc table regenerated to the 14-key registry
 (doc-sync unit test pins it).
 Next: P3 — HookCtx + ctx-hook signatures everywhere.
 ## 2026-06-10 P3 — uniform ctx hook convention (branch fd02d9f)
 HookCtx frozen dataclass + hook_ctx() constructor in harness/meta.py; ctx.deps read straight from
 $CCCI_DEPS_FILE (json, both shapes) — meta.py stays import-cycle-free (deps.py imports lifecycle
 which imports meta). Registry keys carry hook_params; meta.load() enforces the expected positional
 names per hook key (READY_PROBE/BACKUP_VERIFY/EXTRA_ENV/UPGRADE_EXTRA_ENV=(ctx,),
 SCREENSHOT=(page, ctx)); _run_pre_hook applies meta.check_hook_signature(fn, ("ctx",)) to ops.py
 hooks before calling. Conversion of 17 ops.py + 8 recipe_meta hooks was scripted (def-line regex +
 bare `domain` -> `ctx.domain` inside the pre_*/hook function bodies only) and diff-reviewed; the
 only manual fixes: keycloak pre_restore passed `meta` -> `ctx.meta`, and two comment lines in
 lasuite-drive/-meet metas that the regex over-replaced were restored. wait_ready_probes gained
 op= (install/upgrade call sites pass it) so probes can know the phase.
 Verified on cc-ci: cc-ci-run -m pytest tests/unit -q -> 180 passed; lint PASS.
 Next: P4 — discovery placement rule + op_state/deps fixtures + migrate hand-parsers.
 ## 2026-06-10 P4 — custom-test ergonomics (branch 29a28e2)
 Pre-change sweeps confirmed the plan's zero-users claims: no top-level non-lifecycle test_*.py in
 any recipe dir; no recipe test file reads os.environ / CCCI_OP_STATE_FILE directly (the only
 op-state consumers are the generic assertions via harness.generic.op_state — harness-side, fine).
 So P4 = discovery glob removal + new op_state fixture + pinning tests; no test migrations needed.
 test_discovery.py's HC2 gate test moved its repo-local custom fixture under functional/ (the rule);
 test_discovery_phase2.py now asserts top-level custom is NOT discovered. op_state fixture skips
 (clear reason) when env unset / file missing / unparseable; tested via request.getfixturevalue.
 Verified on cc-ci: cc-ci-run -m pytest tests/unit -q -> 184 passed; lint PASS.
 Next: P5 — customization manifest (print block + results.json key).
 ## 2026-06-10 P5 — customization manifest (branch 68954be)
 (Resumed after a usage-limit pause mid-P5; working tree carried the in-flight manifest.py.)
 New runner/harness/manifest.py: build() collects {meta_non_default, hooks, overlays, custom_tests,
 env_overrides} via the SAME discovery/meta functions the run uses (so the manifest can never
 disagree with what actually executes — incl. the HC2 _gated() repo-local gate), render() prints
 the block. Orchestrator builds+prints right after meta load / repo-local snapshot, BEFORE the
 quick-lane branch (both lanes get the block); the dict rides into build_results(customization=...)
 verbatim. run_quick writes no results.json, so the single build_results call site covers all.
 Hooks render as "<hook>", tuples as lists (JSON-clean); ops.py pre-ops listed by cheap source
 scan (same approach as discovery._module_defines — no import at manifest time).
 Lint flagged: C408 dict() literal, import-block order (manifest after deps), ruff-format on the
 new test file — all fixed. Verified on cc-ci (rsync of working tree): cc-ci-run -m pytest
 tests/unit -q -> 191 passed; nix develop .#lint --command scripts/lint.sh -> lint: PASS.
 Next: P6 docs, then M1 prep (tests/concurrency proof run + 21-recipe baseline matrix).
 ## 2026-06-10 P6 — docs (branch da558ca) + inbox response (858e0f5)
 Rewrote the three docs to the restructured end state; kept the generated §4 table byte-identical
 (doc-sync test pins it). recipe-customization.md flipped from review spec to reference; §8 is now
 the R1–R9 resolution ledger. Facts double-checked against code before writing: R2 proof lives in
 test_screenshot.py::test_screenshot_reachable_through_real_load_path (not test_meta.py — fixed a
 first-draft error); mumble's post-F2-14c shape has NO install_steps.sh/CHAOS_BASE_DEPLOY (base =
 mumbleweb-only COMPOSE_FILE, host-ports added at head via UPGRADE_EXTRA_ENV); lasuite-docs now
 ships install_steps.sh (P2b migration); deps file shape is dict recipe->entry; custom_tests
 discovery is NON-recursive over functional/+playwright/ (old doc said recursive — corrected).
 Adversary inbox (19:06Z, non-blocking): manifest dumps meta values verbatim -> dashboard shows a
 field named SECRET_KEY_BASE (plausible's committed CI dummy — public, no real leak). Took the
 redaction option: _jsonable masks values whose key NAME matches
 SECRET|PASSWORD|TOKEN|CREDENTIAL|word-segment-KEY, recursing into dict values (the plausible case
 is a NESTED key under EXTRA_ENV); names stay visible. KEYCLOAK_URL deliberately not matched
 (word-segment KEY). Unit test pins redacted+passthrough both.
 Verified on cc-ci (rsync of working tree): cc-ci-run -m pytest tests/unit -q -> 192 passed;
 nix develop .#lint --command scripts/lint.sh -> lint: PASS.
 Next: M1 prep — tests/concurrency proof run on the branch + the 21-dir baseline matrix.
 ## 2026-06-10 M1 prep + claim
 Concurrency proof run on branch head 858e0f5 (rsynced tree on cc-ci): cc-ci-run -m pytest
 tests/concurrency -q -> 23 passed in 11.46s (suite untouched by the restructure, as planned).
 Baseline matrix: pulled every /var/lib/cc-ci-runs/*/results.json (141 files) and took the most
 recent per recipe. 19/21 dirs covered by results.json; mumble's last full run predates the
 results system (log ~/ccci-mumble-f214c.log, 5 tiers pass 05-31); bluesky-pds likewise
 (Adversary Phase-2 cold verify e45e0ee). plausible's weekly-report RED was its PR branch
 (pg13->14, build 200); its default-branch baseline is run 308 (06-10) L4 — runs 307/308 are
 today's, from the conc-phase M2 sweep. Bad canaries recorded at their designed-fail tier.
 Claimed M1. While waiting: nothing else unblocked in this phase (M2 is gated on M1) — will hold
 with short fallback polls per §7 case 2.
 ## 2026-06-11 M2 reconciliation — discourse upgrade-HC1 root-cause hunt + bluesky re-characterization
 Resumed after a loop stall (~21:18Z–23:50Z): the m2b/ab sweeps had finished but nothing processed
 them. Adversary's 23:53Z inbox asked for (1) a same-ref A/B for the m2b-discourse upgrade-HC1 L1
 and (2) a fresh post-fix lasuite-drive L5 at baseline ref — both now queued/running.
 Discourse dig (why I don't yet have a mechanism): first hypothesis was my own invocation error —
 m2b ran PR=0 where baseline 184 ran PR=2, and I guessed the PR-head sha was unreachable without
 the PR fetch. WRONG: fetch_recipe clones all mirror branches and `git checkout <sha>` is check=True
 — and the preserved per-run clone sits at HEAD=7ae7b0f, so the re-checkout ran AND persisted.
 Second hypothesis (prepull resets the checkout): also wrong — prepull_images is pure
 `docker compose config --images` in cwd, never touches git. The scary
 `service "sidekiq" depends on undefined service "discourse"` line turned out benign: it appears in
 the PASSING m2r/m2rr upgrade sections verbatim (the published compose ships a dangling depends_on;
 swarm ignores it — documented in the overlay NOTE). What's left: abra stamped the PREV-TAG commit
 (eb96de94 = 0.7.0+3.3.1) on the chaos redeploy while the tree was at 7ae7b0f. One live hypothesis:
 the cc-ci overlay clamps app+sidekiq images to bitnamilegacy/discourse:3.3.1; at this PR head
 (0.9.0+3.5.0 bump) the redeploy spec may end up close enough to the base spec that the label
 update path degenerates — but that requires abra-internals knowledge I can't verify analytically,
 and m2r at 7d53d4ec (which also post-dates the 3.5.0 bump?) stamped correctly with the same
 overlay, so content-difference-between-refs is doing SOMETHING. Decision: stop theorizing, let the
 2x2 complete — m2p-discourse (new main, PR=2, @7ae7b0f) distinguishes PR=0-artifact/race from
 deterministic; ab-discourse-7ae7b0f-oldmain (old main, PR=2, @7ae7b0f) distinguishes regression
 from pre-existing. Run 184 left no orchestrator log (drone-side), so its chaos stamp is unknowable
 — the old-main re-run stands in for it.
 lifecycle.py diff c2508c7..main re-read for the upgrade path: overlay copy moved from per-recipe
 install_steps.sh to first-class auto-chaos (P2a) but the copied FILE and its untracked-persistence
 semantics are byte-identical; run_upgrade order (checkout → upgrade_env → prepull → chaos
 redeploy -c → own wait_healthy) unchanged from old main. Nothing jumps out as the delta.
 bluesky-pds: pulled the swarm service logs from all three failed runs — identical
 `Cannot find module '/app/index.js'` crash-loop (Node v24.15.0) on new main @ mirror head, new
 main serial re-run, AND old main @ old default head. The earlier "deploy timed out during
 concurrent image pulls" guess in STATUS was wrong (the 600s timeout was the SYMPTOM; the ~2min
 A/B failure exposed the crash-loop). Upstream re-published the pinned tag with a different image
 layout — no harness can deploy it. Filed in STATUS as restructure-neutral with grep-able evidence.
 ## 2026-06-11 lasuite-drive root cause #2 — completed one-shot poisons convergence (caught live)
 Watching the m2p proof run instead of just waiting paid off: the fix-forward's best-effort line
 printed (so #1 is fixed), but the install assert then sat in pytest for 25+ minutes. Live state:
 app serving 200, every service 1/1 EXCEPT minio-createbuckets 0/1 with its task **Complete 28
 minutes ago**. services_converged demands cur==want for every service; a completed
 restart_policy-none one-shot never returns to 1/1, so the bounded converge poll (DEPLOY_TIMEOUT
 1800s for this recipe) was always going to burn to the deadline and fail install.
 Why nobody ever saw this before P2b: the old setup_custom_tests.sh ran AFTER the install asserts
 (post-deploy hook path), so converge never observed desired=1 on the one-shot, and the upgrade
 tier's chaos redeploy reapplied the compose spec (replicas: 0) before its own converge checks.
 P2b folded the trigger into ops.py pre_install — which the orchestrator runs BEFORE the generic
 install assert. Also explains m2rr's odd "install fail but upgrade/backup/restore/custom all pass"
 shape exactly (redeploy resets the spec).
 Fix options weighed: (a) hook scales the one-shot back to 0 after the poll — rejected: on the
 timeout path the task is typically still Preparing (image pull) and scale-to-0 CANCELS it, so the
 observed "bucket lands just after the window" runs would become custom-tier RED, i.e. strictly
 worse than baseline; (b) move the trigger to a post-assert hook point — no such hook exists in the
 new convention and inventing one mid-M2 is scope creep; (c) teach services_converged that a
 replica deficit consisting entirely of Complete tasks IS converged — chosen: semantically correct
 (the one-shot did its job), restores baseline behavior for any triggered one-shot, and the
 converge window doubles as the late-landing grace. Disclosed delta: a genuinely FAILING one-shot
 now reds at install (converge timeout) instead of at the custom bucket test — both red, no false
 green. Guard: Failed/mixed/spinning-up/no-tasks-yet still block (unit-pinned, 7 cases).
 Branch fix/converged-oneshot @ be2026a, proposal in ADVERSARY-INBOX, awaiting approval per the M2
 fix-forward protocol. Unit suite 199 passed + lint PASS from the cc-ci working-tree rsync.
 ## 2026-06-11 ~01:00Z — merge landed, queue shortened
 be2026a approved (REVIEW a531746, cold-verified independently) and merged as 6cabbe7; drone build
 350 green on the push head 914c166. Merged diff verified == branch diff (empty git diff be2026a..
 main for the two files). Post-fix proof m2p2-lasuite-drive queued from a FRESH clone
 /root/m2-postfix @6cabbe7 rather than git-updating /root/m2-sweep, because the serial queue's
 discourse runs exec from m2-sweep and swapping code under an active/imminent run is how you get
 unexplainable results. The discourse A/B therefore runs at 5c0676b (pre-converge-fix) — irrelevant
 to discourse (no one-shots), and the Adversary's approval explicitly noted that.
 Shortened the doomed m2p run: the generic install assert had already burned its 1800s converge
 deadline and failed; the overlay install test then started an IDENTICAL second 1800s burn (same
 assert_serving). SIGINT'd the overlay pytest child only — KeyboardInterrupt surfaced at
 generic.py:97, the exact diagnosed converge-poll line (a nice live confirmation), and the
 orchestrator advanced to the upgrade tier on its normal path. Teardown semantics untouched.
 Disclosed in STATUS so the log's KeyboardInterrupt is pre-explained.
 Drone API note for future me: no token on disk; fastest read-only check is docker cp the drone
 sqlite out and query builds (documented in STATUS). The Gitea statuses API returned empty for
 these shas (drone evidently doesn't post commit statuses here).
 ## 2026-06-11 ~00:55Z — discourse A/B closed (harness-neutral), mechanism still unattributed
 m2p-discourse (new main, PR=2, @7ae7b0f) and ab-discourse-7ae7b0f-oldmain (old main, PR=2, same
 ref) failed the upgrade IDENTICALLY: HC1, chaos-version=eb96de94+U, all other tiers pass, L2.
 Same invocation as baseline 184 which was L4 five days ago. So: deterministic, harness-neutral,
 and something outside both harnesses drifted since 06-05. Eliminated: branch-tip existence (7ae7b0f
 still tips upgrade-0.8.0+3.5.0 + pr/2), upstream tag set (0.7.0+3.3.1 still latest), abra pin
 (flake.lock untouched by the restructure). Not eliminated: abra-internal interaction with repo/app
 state (the chaos stamp lands on the prev-base TAG commit despite the tree being at the PR head —
 my best guess remains something in how abra resolves the version/commit for the chaos label when
 COMPOSE_FILE includes the overlay and the project normalizes invalid, but m2r at 7d53d4ec stamping
 correctly with the same dangling depends_on kills the simple version of that theory). The
 `service "sidekiq" depends on...` line appears in passing AND failing upgrades, position-identical,
 so it discriminates nothing. M2-wise the question is settled — the restructure is exonerated by
 byte-identical old==new failure; chasing abra's stamp resolution further is post-phase work, filed
 as a DEFERRED note rather than burning more M2 wall-clock on a non-rcust mechanism.
 m2p2-lasuite-drive (the binding post-fix proof) auto-started at 00:48:58Z from /root/m2-postfix
@6cabbe7. Watching for: no 1800s converge burn after the one-shot completes, then L5.
 ## 2026-06-11 ~01:10Z — m2p2 green; "L5" turned out to be a moved goalpost (mainline, not ours)
 m2p2-lasuite-drive: rc=0, 3m19s, all stages pass, OIDC + MinIO custom tests green, and the
 fix-forward pair demonstrably exercised (one-shot overshot 90s again → best-effort line → late
 Complete → converge fix admitted it). But results.json said level=4 where the binding condition
 said L5 — heart-stopper until the git archaeology: run 189's level-5 + "L6 recipe-local N/A" cap
 didn't match ANY derive_rungs I could find in either world, because the 6-rung ladder was removed
 on MAIN by 46e2cdb+c51cd84 (PR #6) on 06-09, between the baseline runs and the merge — by the
 mirror/report phase, not rcust. The merge didn't touch level.py (checked 01e6d49^1..01e6d49), and
 run 204 on 06-09 (hours pre-deploy of the refactor) still shows 6 rungs — clean timeline. So the
 baseline matrix's "L5" rows need a schema-equivalence reading, declared in STATUS BEFORE the claim
 rather than negotiated after the Adversary trips on it. Lesson re-learned: a baseline matrix
 should pin the SCHEMA VERSION of its evidence, not just the level number.
 ## 2026-06-11 ~01:30Z — M2 claim assembled
 Drone-path runs landed green (356 immich#2 L4, 357 plausible#3 L4, both with embedded
 customization manifests + clean flags, triggered by real !testme comments). Zero-leak verified
 after everything. Plausible's missing screenshot.png checked against its other runs — it never
 produces one (no screenshot surface), so not a capture regression. Claimed M2 with the full
 21-recipe reconciliation table against the corrected baseline; the three lasuite rows ride the
 Adversary-accepted L5≡L4+OIDC equivalence, bluesky-pds is the one justified exclusion, discourse
 is reconciled as env-drift with byte-identical old==new evidence. Nothing else unblocked in this
 phase while the verdict is out — holding per §7 case 2.
 ## 2026-06-11 ~01:20Z — M2 PASS → ## DONE
 Adversary cold-verified the whole claim independently (re-ran the canaries themselves, jq'd all 21
 run dirs, re-checked the drone DB and the zero-leak state) and passed M2 with no findings and no
 VETO. M1 + M2 both stand; ## DONE written. Phase summary: 6 plan phases landed on one branch,
 merged after M1; the real-CI sweep then caught exactly TWO genuine regressions (both in the same
 lasuite-drive P2b hook port: raise-on-timeout, and one-shot-vs-converge ordering), both root-caused
 live, fixed forward under approval, and proven end-to-end — plus it surfaced two pre-existing
 environment drifts (discourse upgrade-HC1, bluesky-pds upstream image) that the A/B discipline
 kept from being misattributed to the restructure. The sweep-as-safety-net worked as designed.
--- a/machine-docs/JOURNAL-redfix.md
+++ b/machine-docs/JOURNAL-redfix.md
@ -0,0 +1,547 @@
 # JOURNAL — phase `redfix`
 ## 2026-06-17T23:20Z — Bootstrap
 Read phase plan + plan.md §6.1/§7/§9 + canon DECISIONS exceptions (lines ~1494–1552). Six
 canon-sweep failures to investigate. Confirmed cc-ci access, no run in flight, sweep timer next
 fires 2026-06-21 (3-day window), disk 38G free.
 Isolation mechanism understood: `runner/nightly_sweep.run_on_tag` = `abra.recipe_checkout(r, tag)` +
 `run_recipe_ci.py RECIPE=<r> CCCI_SKIP_FETCH=1` cold/full. I reproduce each failure by running ONE
 recipe at a time with no concurrent load.
 Starting canonical state notable: **mumble canonical IS present** (`1.0.0+v1.6.870-0`, written
 20260617T180501Z — during today's nixenv sweep). The canon DECISIONS recorded mumble RED
 (`test_handshake_completes_with_channel_presence`). A canonical only gets written on a GREEN cold run
 on latest → mumble flipped green in a recent run. Strong early evidence for the operator's "mumble
 passed before" → load flake hypothesis. Must confirm with a clean isolation re-run + check whether the
 canon-sweep red was under concurrent load.
 Next: start M1 investigation. Plan order (cheap/informative first): triage the existing sweep logs on
 cc-ci to pin the EXACT assertion/error for each (mumble, mattermost-lts restore, gitea app.ini,
 bluesky routing, discourse compose), then run isolation re-runs. discourse's recorded cause is an
 UPSTREAM compose defect (`sidekiq.depends_on: discourse` while service is `app`) that FATAs before any
 deploy — that's deterministic, not a load timeout, so it may not even need a long isolation run to
 confirm; verify the compose at the latest tag directly first.
 ## 2026-06-17T23:40Z — M1: discourse isolation run — CANON ROOT-CAUSE WAS WRONG
 Ran discourse ALONE on cc-ci (`recipe_checkout discourse 0.8.1+3.5.0` + `RECIPE=discourse
 CCCI_SKIP_FETCH=1 cc-ci-run runner/run_recipe_ci.py`, log `/tmp/redfix-discourse.log`).
 RESULT: **install PASS, upgrade FAIL, backup PASS, restore PASS, custom PASS** — the recipe deploys,
 serves (200 /srv/status), backs up and restores cleanly. NOT a deploy timeout, NOT a 51-min wedge,
 NOT a deploy FATA. The canon DECISIONS root-cause ("`abra app deploy` FATAs: service sidekiq depends
 on undefined service discourse → invalid compose project") is **misattributed**: that string appears
 ONLY from the non-fatal prepull `docker compose config --images` (rc=15, harness logs "skipping
 (deploy will pull as usual)"). The real `abra app deploy` is a swarm `docker stack deploy`, which
 ignores `depends_on` entirely → the stack converges (`UpdateStatus=completed`).
 The ONLY failure is the cc-ci upgrade OVERLAY `tests/discourse/test_upgrade.py`:
 - `test_head_runs_official_image_not_bitnamilegacy` — app image is `bitnamilegacy/discourse:3.5.0`;
  test demands `discourse/discourse:3.5.3` (official).
 - `test_sidekiq_service_dropped_by_head` — services `['app','db','redis','sidekiq']`; test demands
  sidekiq dropped.
 These `prevb`-phase overlay tests are PR-FAITHFULNESS assertions for a specific migration PR
 (bitnamilegacy → official `discourse/discourse:3.5.3`, drop sidekiq). Verified that migration exists
 in **NO upstream release tag and NOT in main** — `git show main:compose.yml` and every tag
 (`0.1.0…0.8.1+3.5.0`) all use `bitnamilegacy/discourse:3.5.0` + sidekiq. So the overlay asserts a
 state that doesn't exist anywhere upstream → deterministic RED whenever the sweep tests the latest
 release tag. The head DID deploy (chaos-version label = head f87c612d+U, converged) — the test
 expectation is simply wrong for the released recipe.
 Note (M2 design): migrating discourse from the deprecated `bitnamilegacy` image to official
 `discourse/discourse` is a MAJOR recipe rewrite (different fs layout, entrypoint, no `/opt/bitnami`
 sidekiq run.sh) — not a 1-line image swap. So the overlay test's `discourse/discourse:3.5.3`
 expectation may not be a realistic near-term recipe change. The bitnamilegacy deprecation is real
 (bitnami sunset legacy images), so a migration is the right long-term direction, but the test as
 written hard-codes a migration target absent upstream. Classification + fix approach to settle in M1
 table / M2.
 Classification: **stale/PR-specific cc-ci OVERLAY test mismatched to the canonical-sweep context**
 (NOT a flake, NOT a load timeout, NOT a recipe-deploy defect, NOT warm-machinery). Teardown clean (no
 discourse stack left). Evidence: `/tmp/redfix-discourse.log` on cc-ci; junit under
 `/var/lib/cc-ci-runs/manual/junit/upgrade__cc-ci__test_upgrade.xml`.
 ## 2026-06-18T00:05Z — M1: mattermost-lts isolation run — DETERMINISTIC restore failure (recipe defect)
 Ran mattermost-lts ALONE (tag 2.1.9+10.11.15, log /tmp/redfix-mattermost-lts.log).
 RESULT: **install/upgrade/backup/custom PASS, restore FAIL** — identical to the canon failure:
 `tests/mattermost-lts/test_restore.py::test_restore_returns_state` → `relation "ci_marker" does not
 exist` after restore. So it is **deterministic in isolation, NOT a loaded-node race** (canon framing
 was wrong). The marker logic is sound (postgres table seeded pre-backup, dropped pre-restore, asserted
 post-restore — same pattern immich uses and PASSES).
 ROOT CAUSE (recipe backup/restore labels). Compared mattermost-lts vs immich (immich passes the
 IDENTICAL test):
 - immich `database` svc: `backupbot.backup.pre-hook: /pg_backup.sh backup`,
  `backupbot.backup.volumes.postgres.path: backup.sql` (backs up ONLY the dump file), and
  **`backupbot.restore.post-hook: /pg_backup.sh restore`** (replays the dump on restore). → round-trips.
 - mattermost-lts `postgres` svc: `pre-hook: pg_dump > /var/lib/postgresql/data/postgres-backup.sql`,
  `backup.path: /var/lib/postgresql/data/` (backs up the WHOLE live/hot PGDATA dir + the dump),
  `post-hook: rm .../postgres-backup.sql`, and **NO `backupbot.restore.post-hook`**. So on restore,
  abra restores the files but NOTHING replays the dump, and a hot-copied live PGDATA over a running
  postgres does not reload → `ci_marker` lost. Restore log confirms `Restoring Snapshot b0495d36 at /`
  with no post-hook reimport.
 Classification: **GENUINE RECIPE DEFECT at latest** (postgres backup/restore does not round-trip —
 missing restore post-hook + backs up hot PGDATA instead of dump-only). NOT a flake, NOT cc-ci test
 weakening (test is correct & unmodified; immich proves the pattern works). Fix (M2) = recipe PR
 adopting the immich-style postgres backup/restore (a `/pg_backup.sh`-style dump + restore post-hook).
 Teardown clean (no matt stack). Evidence: /tmp/redfix-mattermost-lts.log; junit
 restore__cc-ci__test_restore.xml.
 Tooling note: my background "waiter" loop `while pgrep -f run_recipe_ci.py` self-matched (its own
 cmdline contains the string) → never exited, falsely showed a run active. Use `pgrep -f
 "[r]un_recipe_ci.py"` or match the python invocation. Killed the stuck waiters; node confirmed free.
 ## 2026-06-18T00:18Z — M1: mumble isolation run — GREEN (flake confirmed)
 Ran mumble ALONE (tag 1.0.0+v1.6.870-0, log /tmp/redfix-mumble.log). RESULT: **ALL tiers PASS**
 (install/upgrade/backup/restore/custom), including `custom/test_protocol_handshake.py::
 test_handshake_completes_with_channel_presence` PASSED. No orphan stacks. The canon sweep recorded
 this RED (`test_handshake…` failed under concurrent sweep load); it is GREEN here in isolation, and
 its canonical was already written green TODAY (1.0.0+v1.6.870-0 @20260617T180501Z) under the lighter
 nixenv sweep. → **load/timing FLAKE** on the control-channel handshake, NOT a recipe defect.
 The handshake test already retries (`retry_handshake(attempts=12, interval=5.0)` = 60s). So the flake
 is the voice server not completing the TLS+ServerSync handshake within ~60s under heavy concurrent
 node load (deploy contention). M2 fix = harness stabilization (stronger readiness gate before the
 custom tier / longer-or-smarter retry / serialize), based on the load failure mode. Classification:
 **FLAKE (load/concurrency)** → harness stabilization.
 Reproducibility: 1 green isolation run here + canonical green today + documented red under canon load.
 Will do 1–2 more isolation repeats before the M1 claim to firm "reproducibly green in isolation."
 ## 2026-06-18T00:45Z — M1: bluesky-pds isolation run — 000 REPRODUCES; root cause = `app` DNS collision on shared proxy
 Ran bluesky-pds ALONE (tag 0.3.0+v0.4.219, log /tmp/redfix-bluesky-pds.log). Cold lifecycle GREEN
 (install/backup/restore/custom pass; upgrade EXPECTED_NA per recipe_meta — moving pds:0.4 tag). Then
 WC5 promote-on-green-cold FAILED exactly as canon: `warm-bluesky-pds.ci.commoninternet.net: not
 healthy over HTTPS /xrpc/_health (last status 0)`. So **the 000 reproduces deterministically in
 isolation — NOT a sweep-load/ACME-rate-limit flake** (my first hypothesis, refuted).
 LIVE DIAGNOSIS (stack left deployed by the failed promote; probed before teardown):
 - app service 1/1, healthy: `docker exec app wget localhost:3000/xrpc/_health` → `{"version":"0.4.219"}`;
  app listens on `:::3000`; no restarts. So the PDS itself is fine.
 - HTTPS to warm domain → 000. caddy logs flood:
  `tls "failed to get permission for on-demand certificate" domain=warm-bluesky-pds…
   error=… Get "http://app:3000/tls-check?domain=…": dial tcp 10.10.0.X:3000: connect: connection refused`
  (X varies: .2 .4 .5 .6 .8 .9 .10 .12).
 - bluesky uses caddy **on-demand TLS** (Caddyfile: `on_demand_tls { ask http://app:3000/tls-check }`,
  `tls { on_demand }`, `reverse_proxy app:3000`). caddy must reach app:3000/tls-check to be GRANTED a
  cert before serving TLS. It can't → no cert → TLS handshake fails → 000.
 - WHY can't caddy reach app: **service-name `app` collision on the shared `proxy` overlay.**
  - app is on `warm-bluesky-pds…_internal` ONLY (IP 10.0.3.3). caddy is on `proxy` (10.10.50.223) +
    `…_internal` (10.0.3.6).
  - `docker exec caddy getent hosts app` → returns ONLY proxy IPs (8/8 tries: 10.10.0.4/.5/.6/.10/.12),
    **NEVER the internal 10.0.3.3.** The proxy-net `app` alias shadows bluesky's own internal app.
  - `docker network inspect proxy` shows EVERY stack aliases its main service `app`:
    `drone…_app=10.10.0.2`, `traefik…_app=10.10.0.5`, `warm-keycloak…_app=10.10.0.9`,
    `ccci-reports/bridge/dashboard_app`, … — exactly the IPs caddy hits. None listens a PDS on 3000 →
    connection refused.
  So caddy resolves bare `app` to OTHER stacks' app endpoints on the shared proxy, never its own PDS.
 WHY cold passes / warm fails: cold's health window is long (HTTP_TIMEOUT=600) and on first success
 caddy CACHES the issued cert; the promote's shorter health window doesn't give caddy a chance to ever
 resolve correctly (and here it provably never resolves to 10.0.3.3 at all). The collision is the root
 cause; the promote machinery is CORRECT (it refused to write a canonical for an unhealthy 000 — no
 canonical.json written, verified).
 Classification: **genuine ROUTING/recipe defect — caddy↔app cross-stack `app`-alias collision on the
 shared proxy net**, deterministic, reproducible in isolation. NOT a flake; NOT a promote-machinery bug.
 Fix approach (M2): recipe PR giving the PDS service a UNIQUE name/alias (e.g. rename `app`→`pds`) so
 caddy's `reverse_proxy`/`tls-check` resolve only bluesky's own internal service (no shared-proxy `app`
 collision). (Alternatively a caddy-side internal-only resolution; renaming is cleanest.) Will confirm
 the exact fix in M2 + verify the warm domain then serves 200.
 Cleanup: removed orphaned warm-bluesky-pds stack + its volumes/secrets (promote had left it deployed;
 no canonical written). Node clean.
 ## 2026-06-18T01:05Z — M1: keycloak — warm-domain namespace collision (harness), classification complete
 keycloak was de-enrolled (WARM_CANONICAL=False) because its data-warm canonical domain would collide
 with the LIVE-warm OIDC provider. Verified the collision STRUCTURALLY (code, no run needed):
 - `canonical.canonical_domain(r)` → `warm.stable_domain(r)` → `f"warm-{r}.ci.commoninternet.net"`
  (runner/harness/canonical.py:42-44, warm.py:44-48).
 - `warm.WARM_DOMAINS["keycloak"] = "warm-keycloak.ci.commoninternet.net"` (warm.py:27-29) — the
  always-on shared OIDC provider lasuite-*/drone consume for SSO; kept current by roll_warm_infra.
 - So `canonical_domain("keycloak") == WARM_DOMAINS["keycloak"]` EXACTLY. Enrolling keycloak as a
  data-warm canonical → the sweep's promote deploy/teardown at warm-keycloak collides with the live
  provider. Confirmed live keycloak healthy (200 /realms/master) — I did not disturb it.
 The collision is unique to keycloak: it is the ONLY recipe that is both a live-warm provider (in
 WARM_DOMAINS) AND would want a canonical. No collision-free canonical namespace exists today.
 Classification: **HARNESS defect — warm canonical domain namespace can collide with a live-warm
 provider.** NOT a recipe/flake. Fix approach (M2): make `canonical_domain(r)` collision-free when `r`
 is a live-warm provider — e.g. `warm-canon-<r>` (or unconditionally) so the canonical deploy gets a
 distinct domain → distinct stack → cannot touch the live `warm-keycloak`. Then set keycloak
 WARM_CANONICAL=True and verify it promotes at the collision-free domain WITHOUT disrupting live
 keycloak. Minimal blast radius: special-case only providers in WARM_DOMAINS (the 15 other canonicals
 keep `warm-<r>`); confirm in M2.
 ## 2026-06-18T01:05Z — M1: gitea first advance attempt hit a LEFTOVER confound (not the real crash)
 First gitea cold@3.6.0 run: cold lifecycle (install/upgrade/backup/restore/custom) ALL PASS; promote
 advance FAILED with `FATA warm-gitea.ci.commoninternet.net is already deployed` — NOT the app.ini
 crash. Cause: warm-gitea was left DEPLOYED at 3.5.3 by the nixenv-phase sweep (registry said
 status=idle but the stack was actually running — a state inconsistency). The advance does `abra app
 deploy warm-gitea` assuming the canonical is idle/undeployed; finding it deployed, abra FATAs. This is
 the same GREEN-BUT-PROMOTE-FAILED the nixenv phase saw. To reproduce the REAL app.ini issue I undeployed
 warm-gitea (docker stack rm; retained data+config volumes → proper idle state) and re-ran gitea
 cold@3.6.0 (gitea2). Result pending. NOTE: the "already deployed" promote-failure-when-left-deployed
 may be a secondary promote-machinery robustness gap (advance should undeploy-or-chaos an
 already-deployed canonical) — will assess after confirming the primary app.ini crash.
 ## 2026-06-18T00:14Z — M1: gitea warm advance — app.ini read-only JWT crash CONFIRMED (recipe defect)
 After restoring warm-gitea to proper idle state (undeployed, 3.5.3 data+config volumes retained),
 re-ran gitea cold@3.6.0 (gitea2, log /tmp/redfix-gitea2.log). Cold lifecycle ALL PASS
 (install/upgrade/backup/restore/custom — incl. the cold FRESH 3.5.3→3.6.0 upgrade tier). WC5 promote
 advance then crash-loops. Live container logs (warm-gitea_..._app, repeated Failed/exit 1):
  modules/setting/setting.go:105:LoadCommonSettings() [F] Unable to load settings from config:
  error saving JWT Secret for custom config: failed to save "/etc/gitea/app.ini":
  open /etc/gitea/app.ini: read-only file system
 EXACTLY the canon-documented crash. Mechanism: the recipe mounts app.ini as a docker `config`
 (read-only by design) at /etc/gitea/app.ini (compose `configs: - source: app_ini target:
 /etc/gitea/app.ini`, app.ini.tmpl). gitea 1.24.2 (3.6.0), on the warm REATTACH of the retained
 3.5.3 config volume, decides to (re)generate+SAVE a JWT secret to app.ini → read-only fs → FATA at
 config-load, BEFORE any DB migration (so the 3.5.3 data volume stays intact — confirmed canon).
 Why cold passes but warm crashes: the cold fresh deploy + cold chaos-upgrade use freshly-generated
 secrets consistent with a freshly-initialized config, so gitea never needs to rewrite app.ini. The
 warm advance reattaches an OLDER retained config-volume state (seeded under 3.5.3) against the new
 run's secrets/3.6.0 binary → gitea reconciles by trying to persist a JWT secret → read-only crash.
 Classification: **genuine RECIPE defect** (gitea 3.6.0/1.24.2 + read-only app.ini docker-config mount
 on the warm-reattach advance), deterministic, reproduced first-hand. NOT a flake, NOT promote
 machinery. Fix approach (M2): recipe PR making app.ini writable on the advance path — e.g. render the
 config into the WRITABLE `config:/etc/gitea` volume via an entrypoint (not a read-only docker config),
 OR ensure the persisted secrets are accepted without rewrite. (Secondary harness option: canonical
 advance falls back to clean re-deploy when in-place config rewrite is impossible — but that loses the
 reattach data-warm property; recipe fix preferred.) Ties to LFS PR #1 (app.ini secret handling).
 ACTION NEEDED after run exits: warm-gitea is left crash-looping at 3.6.0 → restore it to 3.5.3
 (redeploy the known-good canonical version) so the canonical is healthy again. Data volume intact.
 ## 2026-06-18T00:25Z — M1 CLAIMED (6/6 investigated, isolated, classified)
 mumble repeat #2 (mumble2): ALL tiers green again incl. handshake; canonical re-promoted green
 (ts 20260618T001730Z). So mumble = 2× reproducibly green in isolation → load/timing FLAKE confirmed.
 All six classified with first-hand isolation evidence (or code proof for keycloak). Two canon
 root-causes were CORRECTED by isolation: discourse (not a timeout/deploy-FATA — it's a stale cc-ci
 overlay test asserting an unreleased migration) and mattermost-lts (not a loaded-node race — a
 deterministic recipe restore defect: missing `backupbot.restore.post-hook`). bluesky's 000 is NOT a
 load/rate-limit flake (my initial hypothesis) but a deterministic caddy↔app `app`-alias DNS collision
 on the shared proxy. gitea app.ini read-only JWT crash reproduced first-hand. keycloak collision proven
 structurally in code.
 Node clean: warm-gitea idle@3.5.3 (volumes retained), orphaned warm-bluesky removed, only live
 warm-keycloak up (healthy 200). Claiming M1; will start M2 fix design while awaiting the Adversary
 verdict (keep an unblocked item in hand).
 ## 2026-06-18T00:25Z — M2 prep (gated on M1 PASS): bluesky fix refinement
 While parked at the M1 gate (no node deploys — Adversary cold-verifying), refined the bluesky fix:
 cc-ci's bluesky tests probe via HTTP (/xrpc/_health), but the GENERIC harness defaults to
 `service="app"` (deployed_identity/_app_container). So RENAMING the recipe's `app` service → `pds`
 could break generic harness assumptions. Cleaner fix: keep the service named `app` but give it a
 UNIQUE network ALIAS on the internal net (e.g. `aliases: [pds-internal]`) and point caddy at
 `pds-internal:3000` (reverse_proxy + on_demand_tls ask). A unique alias has no collision on the shared
 proxy (only the bare `app` alias collides), and the service name stays `app` → zero cc-ci-side
 breakage. Will validate this exact approach in M2 after M1 PASS.
 ## 2026-06-18T01:21Z — M1 PASS; starting M2
 Adversary M1 verdict: **PASS** @01:18Z — all 6 classifications cold-verified CORRECT by its OWN
 isolation re-runs (discourse/mattermost/mumble/bluesky/gitea) + code-verify (keycloak). No VETO.
 "Builder cleared to proceed to M2." Two canon root-causes corrected and confirmed (discourse: not a
 timeout, stale overlay; mattermost: not a load race, recipe defect). bluesky reclassification (recipe,
 not warm-machinery) confirmed against the plan's prior.
 Starting M2. Plan: recipe PRs (mattermost-lts, bluesky-pds, gitea) via the recipe mirror+PR flow
 (`!testme`-verified, never merge); harness fixes (keycloak collision-free canonical_domain + enroll;
 mumble handshake stabilization) on a cc-ci branch; discourse overlay-scope decision. Node now mine
 (Adversary done). Will examine the recipe-create-pr flow first, then execute one fix at a time.
 ## 2026-06-18T01:25Z — M2 recon: prior-phase fix PRs already exist for discourse + mattermost
 Surveyed open PRs on all 6 mirrors before doing redundant work:
 - **discourse #4** `discourse-official-image` ("switch to official discourse/discourse"): created
  2026-06-16 by autonomic-bot; **!testme PASSED twice**, latest @53ba0910 today 16:36Z (run #849) ✅.
  This migrates off deprecated bitnamilegacy → official image + drops sidekiq = EXACTLY what the
  upgrade overlay asserts. So the overlay test was correctly demanding the migration; PR #4 IS the
  discourse fix and is already !testme-green. (Reframes M1 "stale test": the test is right; the
  release tag predates the migration; the fix is the migration PR, not weakening the test.)
 - **mattermost-lts #1** `ci/pg-restore` ("reimport the postgres dump on restore"): correct
  immich-pattern fix — pg_backup.sh (backup pg_dump|gzip; restore: terminate conns + DROP DATABASE
  WITH FORCE + createdb + reimport) + dump-only `backup.volumes.postgres_data.path: backup.sql` +
  `restore.post-hook: /pg_backup.sh restore`. Created 2026-05-30; needs a fresh !testme to confirm
  green NOW. (Also PR #2 upgrade-2.1.11 overlaps — adds restore hook + version bump; #1 is the focused
  fix.)
 - mumble #1 = "cfold sweep probe" (not the fix — mumble is a harness flake, no recipe PR needed).
 - bluesky #3 = version bump (not the routing fix — need a NEW PR for the app-alias collision).
 - gitea, keycloak = no open PRs (gitea LFS #1 closed; keycloak is a harness fix).
 M2 plan refined: VERIFY discourse #4 (re-!testme fresh) + mattermost #1 (!testme); CREATE recipe PRs
 for bluesky (unique alias) + gitea (app.ini writable); HARNESS fixes for mumble (handshake stab) +
 keycloak (collision-free canonical_domain + enroll). Starting with mattermost #1 !testme.
 ## 2026-06-18T01:30Z — M2: mattermost-lts FIXED (verified) + discourse already green + bluesky PR created
 - **mattermost-lts**: !testme on PR #1 `ci/pg-restore` (@4ca7f418) → run #901 ALL tiers green
  (install/upgrade/backup/restore/custom, every junit failures=0 skipped=0). The M1-failing
  `restore__cc-ci__test_restore.py::test_restore_returns_state` now PASSES — the pg_backup.sh restore
  post-hook (terminate conns + DROP DATABASE WITH FORCE + createdb + reimport dump) round-trips
  postgres state. **FIXED + verified.** (Nothing merged — operator merges.)
 - **discourse**: PR #4 `discourse-official-image` already !testme-green @53ba0910 (run #849, today
  16:36Z) — the official-image migration makes the upgrade overlay pass. Will re-verify fresh for
  current evidence before the M2 claim.
 - **bluesky-pds**: created mirror PR #4 `ci/warm-routing-alias` (unique `pds` alias on internal +
  caddy reverse_proxy/ask → pds:3000; service stays `app`). compose validated (`docker compose config`
  rc=0). VERIFICATION NOTE: bluesky's 000 is warm-promote-only (cold path always green), so !testme
  (cold) won't reproduce/verify it — I'll verify by running the FIXED recipe through the promote path
  (cold-on-latest with the fix checked out) → warm-bluesky-pds should serve 200 (vs M1's 000), then
  tear down the phantom canonical.
 Remaining M2: bluesky promote-verify, gitea recipe PR (app.ini writable), keycloak harness
 (collision-free canonical_domain + enroll), mumble harness (handshake stabilization).
 ## 2026-06-18T02:10Z — M2 bluesky: alias fix blocked by abra; pivoting to service RENAME
 Verified the bluesky `pds` network-alias fix end-to-end and found a blocker:
 - `docker stack deploy` HONORS compose network aliases (throwaway test: app got `Aliases:["pds","app"]`).
 - `docker compose config` PRESERVES the alias in its render.
 - BUT the harness/abra promote deploy produced an app service with `Aliases:["app"]` only — the `pds`
  alias was DROPPED. The fixed Caddyfile (pds:3000) DID deploy (same per-run tree), so abra read my
  recipe tree; by elimination, **abra's own compose→swarm translation drops service network aliases**
  (it's not docker, not the tree). Also confirmed: the bluesky promote is a non-chaos pinned deploy.
  (Two stale-config gotchas also hit + fixed: docker configs are immutable+versioned — a stale
  `warm-bluesky..._caddyfile_v1` was reused until I removed it; lesson for gitea = bump config versions.)
 → Pivot to the ROBUST fix: RENAME the PDS service `app`→`pds`. Docker auto-adds the service short-name
 as a network alias (abra can't drop that — the deployed `app` proved the service-name alias is always
 applied), so caddy's `reverse_proxy pds:3000` resolves THIS stack's PDS (unique on internal; no `pds`
 on the shared proxy). Coupled cc-ci change: 2 `exec_in_app(...)` calls default `service="app"`
 (`tests/bluesky-pds/_p4.py:40`, `custom/test_account_and_post.py:49`) → must become `service="pds"`
 (NOT a weakening — same assertion, correct service). The warm-routing PROOF (warm-bluesky-pds→200) is
 the promote path (custom exec tests not involved); cold !testme-green needs the cc-ci ref update.
 Need to determine how cc-ci-side code reaches a !testme run (also required for keycloak + mumble
 harness fixes) — investigating CCCI_REPO/Drone checkout next.
 ## 2026-06-18T02:15Z — cc-ci-side change verification mechanism (for bluesky-rename/keycloak/mumble)
 The Drone !testme build clones cc-ci at main HEAD; the manual runner runs from CCCI_REPO (default
 /etc/cc-ci). To verify a cc-ci-side change WITHOUT pushing main or disturbing /etc/cc-ci (shared with
 Adversary): push the change to a cc-ci BRANCH, clone/checkout that branch to a temp dir on cc-ci, and
 run `cd <tmp> && CCCI_REPO=<tmp> cc-ci-run runner/run_recipe_ci.py RECIPE=... CCCI_SKIP_FETCH=1`
 (cc-ci-run is the deployed nix env; runner/ + tests/ come from my branch checkout). Restores cleanly.
 bluesky-rename coupling: the warm-promote only fires on a FULLY-GREEN cold run, and bluesky's custom
 tier exec_in_app defaults to service="app". So renaming app→pds REQUIRES the cc-ci exec-ref update
 (service="pds") deployed via the temp-checkout for the cold run to go green and the promote to fire.
 So: (1) recipe rename PR, (2) cc-ci branch with exec-ref update, (3) verify via temp-checkout run ->
 cold green -> promote -> warm-bluesky-pds 200.
 ## M2 progress snapshot (2026-06-18T02:15Z)
 - mattermost-lts: DONE (PR #1 ci/pg-restore, !testme run #901 all-green incl restore). 
 - discourse: DONE (PR #4 discourse-official-image, !testme run #849 green; re-verify fresh for claim).
 - bluesky-pds: PR #4 (alias) -> superseding with service RENAME app->pds + cc-ci exec-ref update; verify on promote path.
 - gitea: fix READY locally (/tmp/redfix-gitea: app.ini->staging + docker-setup seed-once + DOCKER_SETUP_SH_VERSION v2); needs PR push + warm-advance verify.
 - keycloak: harness fix (canonical_domain collision-free for WARM_DOMAINS recipes + enroll) NOT STARTED.
 - mumble: harness fix (handshake readiness/retry stabilization) NOT STARTED.
 ## 2026-06-18T02:45Z — M2 progress: gitea PR + harness branch pushed; bluesky pivoted to rename
 - **gitea**: opened recipe PR #2 `ci/app-ini-writable` (app.ini->staging + docker-setup seed-once +
  DOCKER_SETUP_SH_VERSION v2). Advance-path verification RUNNING (fixed 3.6.0 reattach to idle 3.5.3
  canonical; expect no app.ini crash + promote). cold lifecycle green so far (install + cold upgrade
  converged).
 - **bluesky**: PR #4 updated alias->RENAME service app->pds (abra drops aliases). 3-line recipe diff,
  validates. Coupled cc-ci exec-ref change on branch.
 - **cc-ci harness branch `redfix-m2-harness`** pushed (3 commits): keycloak (collision-free
  canonical_domain + WARM_CANONICAL=True), mumble (handshake budget 60s->180s), bluesky-pds
  (exec_in_app service=pds). Verified via temp-checkout runs (CCCI_REPO=<branch checkout>).
 - Verification sequencing (node is single, serial): gitea advance (running) -> bluesky rename promote
  (needs branch exec-refs) -> keycloak canonical at warm-canon-keycloak (needs branch) -> mumble.
  NOTE: mumble "green under load" is hard to reproduce deterministically; plan = show branch run still
  green + reason about the budget (or construct concurrent load).
 ## 2026-06-18T03:00Z — M2 gitea fix v1 (seed) BROKE the transition — needs rework
 gitea advance verification (fixed 3.6.0): install tier PASSED FULLY (fresh 3.6.0 + my fix: API 200,
 admin auth OK — so the seed works for a FRESH deploy), but upgrade/backup/restore/custom ALL FAILED:
 `READY_PROBE not ready: /api/v1/version (last status 404) within 600s` after the 3.5.3->3.6.0 chaos
 redeploy → gitea came up in INSTALL-WIZARD mode (serves 200 but no API/admin = no valid app.ini).
 The LFS custom test's repo-create also 404'd (same wizard-mode cause).
 So my seed-once fix is fine for fresh install but FAILS the 3.5.3->3.6.0 transition — exactly the path
 the canon fix needs. Likely cause: on the chaos redeploy from a 3.5.3 stack (docker_setup_sh_v1, no
 seed) the docker-setup config didn't update to my v2 (seed) while compose moved app.ini to the staging
 path → /etc/gitea/app.ini empty → wizard. (To confirm: reproduce + inspect the post-redeploy container
 — is docker_setup_sh_v2 mounted? does /etc/gitea/app.ini exist? gitea log.) Reverted the fix from
 cc-ci's gitea clone; warm-gitea intact (idle 3.5.3, promote didn't fire on the red cold run). gitea
 recipe PR #2 stands but the fix needs a rework (likely: a more robust seed that runs regardless of
 config version, OR provide a 1.24-valid oauth2 JWT secret so gitea never rewrites app.ini — investigate
 WHY 1.24 regenerates it). Deferring gitea; proceeding to bluesky-rename / keycloak / mumble verifies.
 ## 2026-06-18T03:30Z — M2 bluesky verification BLOCKED by abra non-chaos tag-revert; keycloak/mumble next
 Root cause of the bluesky rename verify failure: the deployed service was `..._app` (not `pds`).
 `run_recipe_ci` CCCI_SKIP_FETCH copies my renamed clone to the per-run tree, BUT abra's NON-CHAOS
 pinned deploy (bluesky's tag 0.3.0+v0.4.219 is ANNOTATED) does `git checkout <tag>` in the per-run
 tree, REVERTING my rename to the tag's `app:`. So the renamed recipe never deployed; the branch
 harness then execs `service=pds` -> "no running container <stack>_pds" -> backup/restore/custom red.
 (This also re-explains the earlier "abra dropped the alias" — it was the same tag-revert, not a drop.)
 gitea's tag is lightweight -> deploy_app uses chaos -> my gitea fix DID deploy (install passed); its
 failure is a real transition issue, not a revert.
 IMPLICATION: verifying a RECIPE fix (bluesky, gitea) via CCCI_SKIP_FETCH needs a CHAOS deploy (uses the
 checkout, not the tag). HARNESS fixes (keycloak canonical_domain, mumble retry) are runner/test code
 from the branch checkout — NO tag-revert — so they verify cleanly. Doing keycloak + mumble next.
 For bluesky: force chaos (deploy_app does chaos when has_ccci_overlay) OR reconsider a cc-ci-side
 overlay fix (alias + caddyfile override) — both verifiable; recipe PR #4 (rename) stays as the ideal
 upstream fix. gitea: rework + reproduce-with-inspection.
 ## 2026-06-18T03:40Z — M2 keycloak FIXED + VERIFIED (collision-free canonical)
 Ran keycloak cold-on-latest from branch checkout /tmp/cc-ci-m2run (harness fix: canonical_domain ->
 warm-canon-keycloak for WARM_DOMAINS recipes; WARM_CANONICAL=True). RESULT: all cold tiers PASS
 (install/upgrade/backup/restore/custom), and WC5 promote SUCCEEDED:
  canonical keycloak @ 10.8.0+26.6.3, domain="warm-canon-keycloak.ci.commoninternet.net", idle, volume retained.
 - Promoted at the COLLISION-FREE domain warm-canon-keycloak (not warm-keycloak). ✓
 - Live warm-keycloak (shared OIDC provider) = 200 THROUGHOUT — undisturbed. ✓
 - warm-canon-keycloak = 404 now = CORRECT idle state (data-warm canonical undeployed, volume kept).
 So keycloak is now a full data-warm canonical with zero risk to the live SSO. **FIXED + verified.**
 3/6 verified: mattermost-lts, discourse, keycloak. Doing mumble next (harness, tractable).
 ## 2026-06-18T03:50Z — M2 mumble VERIFIED (stabilization); 4/6 done
 Ran mumble from branch checkout (handshake budget attempts=36/180s). ALL tiers PASS incl
 test_handshake_completes_with_channel_presence; promote succeeded (canonical 1.0.0+v1.6.870-0 idle).
 The longer budget is active + non-regressing. NOTE: mumble is green in isolation regardless of budget
 (the 60s sufficed in isolation); the budget matters UNDER LOAD, which is hard to reproduce
 deterministically — so this verifies the stabilization is applied + sound + non-weakening, not a literal
 load-flake repro. (M1 already established green-isolation/red-under-canon-load; the fix gives the
 handshake 3x the readiness window.) **Stabilization fix verified.** 4/6: mattermost, discourse,
 keycloak, mumble. Remaining: bluesky (force-chaos verify of the rename), gitea (rework).
 ## 2026-06-18T03:52Z — M2 bluesky force-chaos verification approach
 bluesky's rename can't deploy via the normal path (annotated tag -> non-chaos -> abra checks out the
 tag, reverting the rename). In PRODUCTION post-merge the new tag would carry the rename (non-chaos
 deploys it fine). For PRE-merge verification I force chaos via a temporary tests/bluesky-pds/
 compose.ccci.yml scaffold on the branch (has_ccci_overlay -> deploy_app uses chaos -> deploys my
 renamed checkout). Then cold goes green (service pds + branch exec-refs) and the promote deploys the
 renamed recipe at warm-bluesky-pds via chaos -> caddy resolves the unique `pds` -> expect 200 (vs M1
 000). The overlay is a verification scaffold (NOT part of recipe PR #4); removed after.
 ## 2026-06-18T04:05Z — M2 bluesky verification: STRUCTURAL blocker (pre-merge warm-promote)
 bluesky rename verification keeps deploying the TAG's `app:` (not my rename), even with: tag moved to
 the rename commit AND a force-chaos overlay. Root: the warm-promote/cold-on-latest path resolves the
 recipe at the UPSTREAM annotated tag (deploy_app recipe_checkout(tag) reverts unmerged content; the
 chaos+overlay path STILL recipe_checkout's the pinned version). Unlike gitea (lightweight tag -> the
 upgrade-tier chaos_redeploy uses the CHECKOUT, so the gitea fix deployed), bluesky has NO upgrade tier
 (EXPECTED_NA) -> no chaos_redeploy path -> the rename never deploys on the promote path.
 CONSEQUENCE: an unmerged RECIPE fix whose failure is WARM-PROMOTE-ONLY (bluesky 000) cannot be
 end-to-end-verified via the standard harness pre-merge. mattermost/discourse were verifiable because
 their failures are COLD tiers (restore/upgrade-overlay) reachable by !testme on the PR head.
 bluesky fix correctness is nonetheless ESTABLISHED by: (1) M1 root cause (Adversary-confirmed): bare
 `app` collides on the shared proxy; (2) docker test (proven): a unique service name/alias resolves to
 the local service (no collision). Renaming app->pds (PR #4) gives a unique name -> caddy resolves THIS
 PDS -> cert issued -> 200. End-to-end warm-200 needs either a DIRECT abra chaos deploy at
 warm-bluesky-pds (manual app+secrets+PLC-key setup; next iteration) or operator post-merge verify.
 Restored the bluesky tag; node clean; warm-keycloak 200.
 ## M2 STATUS (2026-06-18T04:05Z) — 4/6 verified
 - mattermost-lts: VERIFIED (PR #1 ci/pg-restore, !testme run #901 all-green incl restore).
 - discourse: VERIFIED (PR #4 discourse-official-image, !testme run #849 green).
 - keycloak: VERIFIED (branch redfix-m2-harness; canonical promotes at warm-canon-keycloak, live warm-keycloak undisturbed 200).
 - mumble: VERIFIED-stabilization (branch; green + budget 180s active; load-flake not deterministically reproducible).
 - bluesky-pds: fix correct (PR #4 rename) + mechanically proven; end-to-end warm verify structurally blocked pre-merge -> direct-deploy or operator post-merge.
 - gitea: PR #2 seed fix BROKE 3.5.3->3.6.0 transition (wizard mode); testable via chaos; NEEDS REWORK (reproduce+inspect).
 NOT claiming M2 — bluesky end-to-end + gitea rework outstanding.
 ## 2026-06-18T05:53Z — M2 gitea VERIFIED (v3 seed) + bluesky VERIFIED (${STACK_NAME}_app); 6/6
 **gitea — rework was already done (v3, a0f2db8) but unverified; verified it.** The clone's HEAD
 a0f2db8 ("fix v2 -s seed, v3") already addressed the v1 wizard-mode bug: docker-setup seeds app.ini
 into the writable /etc/gitea volume `if [ ! -s /etc/gitea/app.ini ]` (seed-on-EMPTY, not -f
 seed-on-missing — a 3.5.3-old-recipe canonical leaves a 0-byte app.ini placeholder in the config
 volume, which -f wrongly treats as present). Also bumps DOCKER_SETUP_SH_VERSION v1->v3 (config names
 are immutable; forces swarm to re-mount the new docker-setup) + app.ini config target ->
 /etc/gitea/app.ini.init (staging). Pushed v3 to PR #2 (force-replaced the broken v1 d4145266).
 VERIFICATION (direct chaos-deploy onto the REAL idle 3.5.3 canonical volumes; /tmp/redfix-gitea-m2-directproof.log):
 reattached the retained config volume (0-byte app.ini = genuine pre-fix M1 state) with the v3 recipe.
 Result: app.ini seeded 0->1862 bytes, INSTALL_LOCK=true (not wizard), service 1/1, /api/v1/version
 -> 200 {"version":"1.24.2"}, /api/healthz 200, retained 3.5.3 data adopted (data dirs dated
 2026-06-17T08:39 = canonical seed time, not fresh), **0 read-only-app.ini crashes** (M1 crashed here).
 WHY NOT the harness WC5 promote: it is STRUCTURALLY merge-gated. run_recipe_ci.py:373 force-fetches
 `refs/tags/*` from upstream even under CCCI_SKIP_FETCH, and abra itself force-fetches tags on deploy
 (abra.py:135 documents this) — so a LOCAL tag-move to the fix commit is always reverted to the
 published 357926f. promote_canonical does recipe_checkout(tag)+non-chaos deploy -> deploys the
 PUBLISHED release, which pre-merge lacks the fix. Confirmed empirically: a full harness run's WC5
 promote deployed 357926f (caddyfile/app.ini OLD) -> crashed exactly like M1. So end-to-end
 canonical-advance needs the operator to merge PR #2 + re-cut 3.6.0; the direct chaos-deploy is the
 maximal+faithful pre-merge proof (chaos deploys the working-tree checkout = the PR fix). Node left
 clean: warm-gitea undeployed (idle 3.5.3, volumes retained), app.ini reset to 0-byte for re-verify,
 canonical.json UNCHANGED (3.5.3 idle e6a1cc79), recipe tag restored to upstream 357926f.
 **bluesky — operator directive (2026-06-18): NO rename; use ${STACK_NAME}_app.** Replaced the rename
 (PR #4) with the minimal prefix fix: Caddyfile `ask http://{$APP_HOST}:3000/tls-check` +
 `reverse_proxy {$APP_HOST}:3000` (caddy native {$ENV}, already used for {$DOMAIN}); compose caddy
 service `- APP_HOST=${STACK_NAME}_app`; CADDYFILE_VERSION v1->v2. Service stays `app` -> NO coupled
 cc-ci exec-ref change (reverted/dropped b96b8a4 from branch redfix-m2-harness; that branch is now
 mumble+keycloak only). 3-file recipe-PR-only diff. Pushed to PR #4 ci/warm-routing-alias (4987ba9,
 force-replaced the rename). Pattern per matrix-synapse/mailu/mumble.
 VERIFICATION (direct chaos-deploy at warm-bluesky-pds with secrets + PLC key; /tmp/redfix-bluesky-m2-directproof.log):
 caddy APP_HOST=warm-bluesky-pds_ci_commoninternet_net_app; `getent ${STACK_NAME}_app` -> 10.0.3.x
 (bluesky's OWN internal net) while `getent app` (M1's bare target) -> 10.10.0.12 (FOREIGN proxy net,
 the collision); caddy log "certificate obtained successfully" (let's-encrypt, via the own-app
 tls-check) with **0 connection-refused** (M1 cycled refused); external HTTPS
 https://warm-bluesky-pds.../xrpc/_health -> **200** {"version":"0.4.219"} (M1 was 000). GOTCHA: abra
 `secret insert` (no -C -o) force-fetches+checks out the .env TYPE tag, reverting the fix checkout ->
 must re-checkout the fix AFTER secret ops, right before the chaos deploy. Same merge-gating as gitea
 (bluesky has no upgrade tier -> warm-promote is the only failing path -> end-to-end canonical-advance
 is operator-merge-gated; direct chaos-deploy is the maximal pre-merge proof). Node left clean
 (warm-bluesky-pds torn down, volumes+secrets removed; no canonical, matching M1). Live warm-keycloak
 200 throughout.
 **6/6 VERIFIED.** Claiming M2.
 ## 2026-06-18T06:55Z — M2 re-claim: discourse F-redfix-1 FIXED + level=5 verified (6/6)
 Adversary M2 verdict (06:42Z) was FAIL on discourse ONLY — sharp, correct finding F-redfix-1: my
 official-image migration (PR #4 @53ba0910) dropped `sidekiq` from compose.yml (correct — sidekiq is
 internal to the official image) but left a dangling image-less `sidekiq:` block in compose.smtpauth.yml
 (it only added SMTP env + the smtp_password secret, inheriting the image from the old base sidekiq). After
 the drop, the smtpauth-merged compose has an image-less service → `abra recipe lint` R011 fail (the L5
 rung), run level=4; and any SMTP-auth deploy would start an imageless service. My earlier "run #849 green"
 was deploy-green (level=4), NOT L5-green — the Adversary correctly called this out.
 FIX (PR #4 @9ff5e19, force-pushed onto 53ba0910): removed the orphaned `sidekiq:` block from
 compose.smtpauth.yml. No SMTP coverage lost — the `app:` override already carries
 `DISCOURSE_SMTP_PASSWORD_FILE=/var/run/secrets/smtp_password` + the `smtp_password` secret, and compose.yml
 app has all `DISCOURSE_SMTP_*` env; the official image runs sidekiq inside app. `grep sidekiq compose*.yml`
 = 0 now.
 VERIFIED two ways: (1) the Adversary's exact lint.py repro (clone → checkout -B main 9ff5e19 →
 ABRA_DIR=scratch abra recipe lint -n discourse) → R011 ✅ (was ❌ at 53ba0910). (2) full cold harness run
 `/tmp/redfix-discourse-m2verify.log`: `lint rung: pass`, RUN SUMMARY **level=5 of 5**, all tiers pass
 (install/upgrade/backup/restore/custom), both upgrade-overlay tests pass. Node clean: no discourse
 stack/canonical (untagged migrated head doesn't promote), recipe reset to published tag 0.8.1+3.5.0.
 Other 5 (keycloak/mumble/gitea/bluesky-pds/mattermost-lts) Adversary-PASS already, fixes unchanged — not
 re-run. 6/6. Re-claiming M2.
--- a/machine-docs/JOURNAL-regall.md
+++ b/machine-docs/JOURNAL-regall.md
@ -0,0 +1,31 @@
 # JOURNAL — phase `regall`
 ## 2026-06-17 — Phase bootstrap + sweep start
 ### Context
 Phase `prevb` completed with DONE at b6f526a. The prevb change introduced:
 - Dynamic upgrade-base resolution: last-green (warm canonical) → main-tip (ref) → skip
 - `previous/` overlay mechanism (base-only, version-guarded)
 - Environmental vs version-specific overlay split
 There are NO warm canonical registry records on the server (`/var/lib/ci-warm/` has only
 keycloak/traefik reconciler dirs, no `canonical.json`). So for all recipes, the post-prevb base
 resolution will use **main-tip ref** as the upgrade base (kind=ref), unless:
 - EXPECTED_NA[upgrade] is declared (bluesky-pds → skip)
 - UPGRADE_BASE_VERSION is set (plausible → version 3.0.1+v2.0.0)
 This is the key structural difference from pre-prevb: old code used `lifecycle.previous_version(recipe)`
 (the previous published tag), new code uses main-tip commit ref for most recipes.
 Three prevb spot-checks already confirmed green with post-prevb code:
 - cryptpad PR#5: kind=ref main-tip 36ee3451; upgrade=pass
 - keycloak PR#3: kind=ref main-tip 12ac6db8; upgrade=pass (prune-orphans safe-skip)
 - hedgedoc PR#1: kind=ref main-tip 09bf4d54; upgrade=pass
 Remaining 18 recipes to sweep.
 ### Sweep strategy
 - Batch ≤3 concurrent Drone builds via !testme on open PRs
 - Create trivial "chore: regall test trigger" PRs for recipes with no open PRs
 - Monitor Drone build numbers, collect results.json levels
 - Compare to baseline table
--- a/machine-docs/JOURNAL-samever.md
+++ b/machine-docs/JOURNAL-samever.md
@ -0,0 +1,100 @@
 # JOURNAL — phase `samever` (Builder reasoning; Adversary does not read before verdict)
 ## 2026-06-17 — M1 design + implementation
 **Root cause (confirmed against `runner/run_recipe_ci.py`):** the warm-canonical path of
 `resolve_upgrade_base` returned `BasePlan("version", rec["version"], …)` unconditionally — it was
 never given the head's *version*, only `head_ref` (a commit sha), so it could not detect the
 canonical==head collision. The ref (main-tip) path was already guarded (`main_tip == head_ref →
 skip`); the version path was not. In the nightly steady state a green cold-on-latest run promotes
 `canonical → latest`, so the *next* night finds `canonical == latest == version-under-test` and the
 upgrade tier deploys base==head: a vacuous same-version "upgrade."
 **Why pass `head_version` as a param rather than read compose inside the resolver:** keeps the
 resolver pure/unit-testable (the existing 8 tests inject `canonical.read_registry` /
 `lifecycle.recipe_branch_commit` via monkeypatch and never touch the filesystem). The call site
 (`main()`) reads it once via `abra.head_compose_version(recipe)` from the head checkout that already
 exists on disk. Tests pass `head_version=` directly.
 **Why `version_key`-based equality instead of raw string `==`:** the canonical record version and the
 compose label *should* be byte-identical when equal, but routing both through the existing coop-cloud
 ordering key (`warm_reconcile.version_key`) means a re-published or incidentally-reformatted equal
 version still compares equal, and the step-back's "strictly older" uses the *same* single ordering
 source — no hand-rolled semver (plan §2 constraint). `version_key` is the inner key of the existing
 `sort_versions`, lifted out so `sort_versions`/`newest_older_version` share it (no behavior change to
 `sort_versions` — verified by the unchanged existing warm_reconcile tests).
 **Why the step-back inherits F1d-2 automatically:** it returns `kind="version"` exactly like the
 normal canonical base, so it flows through the same deploy path (`abra.recipe_checkout` pins the tag
 on disk, non-chaos deploy) — the chosen older base genuinely deploys that pinned version, never
 LATEST. No new deploy code; the protection is structural.
 **Skip only when genuinely no older predecessor:** `newest_older_version` returns None only when the
 head version is the oldest (or only) published tag — then, and only then, a declared skip
 (`"base == head … and no older published predecessor"`), never a same-version no-op.
 **`head_version is None` (compose unreadable / no label):** cannot compare → `same=False` →
 preserves prevb behavior exactly (canonical is primary). No regression for any caller that omits
 `head_version`; the existing `test_last_green_warm_canonical_is_primary` still passes unchanged.
 **Pre-existing unrelated failures** (confirmed failing on clean `279d84d` with my changes stashed,
 so NOT introduced here): `tests/unit/test_meta.py::test_generated_doc_table_in_sync` and
 `tests/unit/test_warm_reconcile.py::test_traefik_spec_is_stateless_with_setup` (KeyError
 'health_domain'). Out of scope for samever.
 ## 2026-06-17T04:25Z — M1 claimed; M2 prep (no gate runs until M1 PASS)
 M1 claimed (c5a0d20). Parked at gate; doing read-only M2 prep:
 - Trigger mechanism (from prevb M2): `!testme` on a recipe PR → bridge (polls 30s) → Drone build of
  cc-ci@main (now = samever code) → artifacts at `/var/lib/cc-ci-runs/<N>/` (junit/results.json,
  Adversary-readable). Local full-pipeline runs on cc-ci de-risk before posting.
 - Enrolled (WARM_CANONICAL=True) recipes: only **custom-html** currently. No canonical registries on
  cc-ci right now (`/var/lib/cc-ci-canonical/` empty).
 - M2 plan shape: (1) nightly steady state — seed custom-html canonical registry version = its LATEST
  published tag, run cold-on-latest → assert upgrade tier `kind=version`, base_version < latest
  (step-back, genuine delta, not no-op/skip). (2) PR form — non-version-bump PR, head==canonical, same
  step-back. (3) discourse #4 version-bump → UNAFFECTED (canonical→head). (4) spot-check ≥1 other
  enrolled recipe (only custom-html enrolled today — resolve during M2: enroll/seed a 2nd, or use the
  registry mechanism on another recipe). Need ≥2 published tags on the step-back recipe for an older
  target to exist — verify custom-html tag count before run.
 ## 2026-06-17T04:40Z — M2 real-CI evidence captured (custom-html + discourse)
 Two-run authentic nightly simulation on cc-ci (/root/samever-deploy @ cc-ci main, samever code):
 - **Run A** (cold-on-latest, no canonical): upgrade base kind=skip (head==main tip); green 5 tiers;
  WC5 promote → canonical custom-html = 1.13.0+1.31.1 (the "first nightly").
 - **Run B** = THE HEADLINE (2nd consecutive nightly, canonical==latest==head):
  `upgrade base: kind=version version=1.11.0+1.29.0 (step-back: last-green canonical (1.13.0+1.31.1)
  == head version 1.13.0+1.31.1; newest older published base)`. Upgrade tier deployed base 1.11.0+1.29.0
  then chaos-upgraded to head: `version=1.11.0+1.29.0→1.13.0+1.31.1` (label MOVED, base<head, REAL
  delta — not a no-op, not a skip). All 5 tiers green. Proves F1d-2: the older base actually deployed
  the pinned 1.11.0 then upgraded to 1.13.0.
 - **Run C** (version-bump UNAFFECTED, enrolled): re-seeded canonical→OLDER 1.11.0+1.29.0, cold-on-latest
  head 1.13.0 → `kind=version version=1.11.0+1.29.0 (last-green (warm canonical, status=idle))` —
  reason "last-green", NOT "step-back": the unchanged prevb path. Upgrade 1.11.0→1.13.0 green. The
  step-back never engages when canonical≠head.
 - **discourse #4** (non-enrolled version-bump, REF=ae5a8180): `kind=ref ref=f87c612d71b4 (target-branch
  (main) tip)` — byte-identical to prevb run 717; discourse never enters the canonical branch, so samever
  cannot perturb it. (Full install,upgrade migration running to green for completeness.)
 Artifacts preserved on cc-ci: /root/samever-run{A,B,C}.log, /root/samever-disc4.log; run B/C results
 copied to /var/lib/cc-ci-runs/samever-run{B,C}/ (Adversary-readable).
 ## 2026-06-17T04:55Z — M2 complete (PR form + spot-check), claiming
 - **Run D (PR form):** ran custom-html with REF=2b82ebab PR=999 (a PR head whose compose version is
  still 1.13.0 == canonical). Resolver stepped back to 1.11.0+1.29.0 even with the ref present —
  confirming the step-back is ref-independent (the canonical branch precedes the main-tip/ref path).
  Upgrade 1.11.0→1.13.0 green.
 - **Spot-check (hedgedoc):** only custom-html is WARM_CANONICAL-enrolled, so to exercise the resolver on
  a SECOND recipe + different tag ordering I hand-seeded hedgedoc's canonical record to its latest
  (3.0.10+1.10.8) — the resolver reads canonical.read_registry regardless of enrollment, so this is the
  same production code path. cold-on-latest → step-back to 3.0.9+1.10.7, upgrade green. Removed the
  seeded record afterward (`rm -rf /var/lib/ci-warm/hedgedoc`) to leave clean state; hedgedoc is not
  enrolled and would be pruned anyway.
 - **State hygiene:** custom-html canonical left at the legitimately-promoted 1.13.0+1.31.1 (its real
  enrolled steady state). No leftover run stacks (clean teardown verified). Pre-existing warm-keycloak
  orphan untouched.
 Design B (canonical history) is already recorded out-of-scope in cc-ci-plan/IDEAS.md (per plan §5) —
 verify before DONE.
--- a/machine-docs/JOURNAL-settings.md
+++ b/machine-docs/JOURNAL-settings.md
@ -0,0 +1,104 @@
 # JOURNAL — phase `settings` (WHY / reasoning; Adversary does not read before verdict)
 ## 2026-06-17 — bootstrap + M1 design
 **Phase:** server-level `settings.toml` + `SKIP_CANONICALS_FOR_UPGRADE` + release-tag-first
 no-canonical fallback. Plan: `/srv/cc-ci/cc-ci-plan/plan-phase-settings-ci-server-config.md`.
 ### Why a new `harness/settings.py` (not extending an env-var module)
 Checked for an existing cc-ci config mechanism first (plan §2.A "extend rather than spawn a parallel
 one"). The server config today is **scattered ad-hoc env reads** (`os.environ.get` for `MAX_TESTS`,
 `CCCI_RUNS_DIR`, `CCCI_REPO`, `STAGES`, `CCCI_QUICK`, …) — there is **no** central config module/class
 to extend (`grep` for `tomllib|settings\.toml|class Settings` → none). So a small dedicated loader IS
 the minimal, extensible home rather than threading another env var. Stdlib `tomllib` (py3.12 on the
 server, confirmed). One `[upgrade]` table, one key now; `_SCHEMA` is the single source of
 defaults+validation so adding a key/table later is a one-line change.
 ### Settings file path: `/etc/cc-ci/settings.toml` (override `$CCCI_SETTINGS`)
 The harness runs from `/etc/cc-ci` in BOTH execution contexts (nightly sweep sets `CCCI_REPO=/etc/cc-ci`
 and `cd`s there; the Drone recipe-CI runner runs from its checkout but an **absolute** host path is read
 identically by both). `/etc/cc-ci` is a git checkout kept current by `git pull` + nixos-rebuild on
 deploy — an **untracked** `settings.toml` there survives pulls (git pull never deletes untracked files)
 and sits next to the tracked `settings.toml.example`. Chose this over `/srv/cc-ci/settings.toml` (the
 plan's *suggestion*) because `/srv/cc-ci` is the orchestrator path, ambiguous on the server; `/etc/cc-ci`
 is unambiguous and discoverable. The loader is graceful if the file/dir is absent → defaults.
 ### Why the canonical-present path (incl. samever step-back) is byte-for-byte unchanged
 Guardrail §4: default false must be a no-op for current behavior. Structure:
 `if rec and rec.version and not flag:` → the entire existing prevb/samever block runs verbatim
 (canonical ≠ head → canonical; canonical == head → step-back older tag, else skip). Only when there is
 **no canonical in play** (rec falsy, OR flag true) do we enter the new `_no_canonical_base`. So with
 flag false + a canonical, nothing changes; the step-back's "no older predecessor → skip" is preserved
 (NOT routed to main-tip), which is correct — routing it to main-tip could reintroduce the same-version
 no-op samever exists to prevent. The plan §2.C "unified chain ... (==head)" is satisfied by the
 step-back already taking the same release-tag helper as step 1; I deliberately did NOT add a main-tip
 tail to the step-back skip, to keep samever's guarantee intact. This is the one place where a literal
 reading of §2.C ("==head → ... → main-tip → skip") and the §4 no-op guardrail + samever's intent point
 slightly differently; I chose the conservative path that preserves both samever and the no-op guardrail.
 If the Adversary reads §2.C literally and wants the step-back-no-older case to fall to main-tip, that is
 a one-line change — but I believe it would be a regression (vacuous upgrade), so it's recorded here.
 ### Why `_no_canonical_base` guards on `head_version` before calling `recipe_tags`
 `newest_older_version(tags, None)` returns None, but evaluating `recipe_tags(recipe)` eagerly would
 shell out to `git -C <per-run recipe dir> tag` even when head_version is None (e.g. callers/tests that
 don't pass it). Guarding `if head_version else None` avoids a needless/erroring git call and preserves
 the prevb behavior for the no-head_version caller shape (→ main-tip).
 ### Why wrong-type raises but malformed/absent doesn't
 Plan M1: "malformed file handled" (graceful) AND "wrong type errors clearly". Reconciled: absent /
 unreadable / TOML-syntax-error → WARN + all-defaults (a red file degrades to today's behavior, can't
 crash CI). A syntactically-valid file with a **known key of the wrong type** → `TypeError` (a typo'd
 value should be loud, not silently mis-parsed). bool-is-int-subclass handled: `1`/`0` for a bool key is
 rejected, not coerced.
 ### Pre-existing, OUT OF SCOPE: dashboard lint drift on main
 `scripts/lint.sh` reports `dashboard/dashboard.py` + `tests/unit/test_dashboard.py` would be reformatted
 by the pinned ruff — confirmed present at HEAD f68f1c5 (`git show HEAD:...` through pinned ruff), NOT in
 my diff. Not touched by this phase (narrow scope). Recorded in DECISIONS as an observation. My 5
 phase files are format-clean + `ruff check` clean.
 ### Verification (commands + output)
 - `nix shell nixpkgs#python311Packages.pytest -c pytest tests/unit/test_upgrade_base.py
  tests/unit/test_settings.py -q` → **32 passed**.
 - full unit suite `pytest tests/unit/ -q` → **315 passed**.
 - `ruff check runner/ tests/unit/ bridge/ dashboard/` → All checks passed.
 - `ruff format --check` (pinned) on my 5 files → all formatted.
 ## 2026-06-17 — M2 prep (read-only; not advancing past M1 gate)
 Server canonical registry (`/var/lib/ci-warm/<recipe>/canonical.json`, status all `idle`):
 - **WITH canonical** (16): cryptpad, custom-html, custom-html-tiny, drone, ghost, gitea, hedgedoc,
  immich, lasuite-docs, lasuite-drive, lasuite-meet, mailu, matrix-synapse, n8n, plausible, uptime-kuma.
 - **warm dir but NO canonical.json** (candidates for M2 evidence (a) "recipe without a canonical →
  newest release tag < head"): **keycloak, alerts, traefik**.
 M2 plan (after M1 PASS):
 - (a) pick a no-canonical recipe WITH published release tags (keycloak has many) → show
  `resolve_upgrade_base` returns a release-tag base, not raw main-tip. Likely via a harness dry-run /
  targeted invocation on the server reading the live settings (absent file → default false).
 - (b) drop a scratch `/etc/cc-ci/settings.toml` with `skip_canonicals_for_upgrade = true`, show a
  canonical-bearing recipe (e.g. gitea/ghost) now resolves to the release-tag base (canonical bypassed),
  then remove the scratch file → restore default false.
 - Deploy: ensure `/etc/cc-ci` is at the phase commit (git pull); settings.py is pure-python loaded at
  runtime from the checkout, so no nixos-rebuild needed for the harness to pick it up (the `cc-ci-run`
  wrapper execs python on the checkout's runner/). Confirm on server.
 ## 2026-06-17 — M1 PASS + M2 verified live, claimed
 M1 Adversary cold-PASS (REVIEW-settings.md @17:00Z, no VETO). Advanced to M2.
 Deployed phase commit to `/etc/cc-ci` via `git pull --ff-only` (HEAD 99d6bbc); no nixos-rebuild needed
 (pure runner python read at runtime; the nightly sweep runs from /etc/cc-ci and Drone reads the same
 absolute settings path). Added `scripts/show-upgrade-base.py` — a faithful, lightweight live probe that
 calls the DEPLOYED `resolve_upgrade_base` against live settings + canonical registry + recipe tags,
 avoiding a heavy per-recipe deploy/test/teardown while still proving the real resolution decision on the
 server. Chose this over full `cc-ci-run runner/run_recipe_ci.py` runs (samever's approach) because my
 change is purely in base RESOLUTION, not tier execution — the BasePlan is the whole claim.
 Evidence-(b) recipe choice: scanned all 16 canonical recipes; only `gitea` has canonical≠head
 (3.5.3 vs 3.6.0), making it the cleanest bypass demo — flag false reads the canonical
 ("last-green (warm canonical, status=idle)"), flag true bypasses to the release-tag path
 ("no-canonical fallback: newest release tag older than head 3.6.0..."). The resolved version is 3.5.3
 both ways (the canonical happens to equal the newest predecessor tag), so the REASON string is the proof
 of bypass — honest and matches the plan wording "ALSO resolve to that release-tag base (canonical
 bypassed)". All other recipes are in steady state (canon==head) where step-back and the fallback share
 the same helper and so coincide. Server restored to steady state (settings.toml absent → false).
--- a/machine-docs/JOURNAL-shot.md
+++ b/machine-docs/JOURNAL-shot.md
@ -0,0 +1,105 @@
 # JOURNAL-shot.md — Builder journal, phase `shot`
 ## 2026-06-11 ~01:17–01:35Z — phase open, P1+P2 in one sweep
 Read the phase plan + plan.md §6.1/§7/§9. Enumerated enrolled recipes (19). Pulled per-recipe
 latest-run data off cc-ci (`results.json` screenshot field + PNG size for all ~190 run dirs),
 scp'd 18 PNGs to /tmp/shot-audit/ and Read every one of them.
 Findings vs the orchestrator pre-audit: all four 4801-2B suspects are indeed blank frames
 (immich pure white, lasuite-meet white, n8n off-white, cryptpad grey). keycloak 8.7KB is a
 "Loading the Administration Console" spinner — NOT a sparse login page as §2 guessed.
 lasuite-docs/drive ~5.9KB are lone spinners. Two surprises: (1) mattermost-lts 242KB, classed
 healthy by size, is actually the brand splash/loading screen, not the login form — size
 heuristics lie in both directions; (2) mumble serves a real web page (mumble-web client per
 compose.mumbleweb.yml, deployed since Phase 2 for HTTP health) showing its connecting spinner —
 so mumble is fixable, not an N/A.
 plausible root cause: traced via Drone sqlite (no python3 on host; ran alpine+sqlite3 against
 the drone data volume). Build 357 log t=73s: capture failed, last status=500 after 45s. Cross-ref
 tests/plausible/functional/test_health_check.py: `/` 500s via auth_controller under
 DISABLE_AUTH=true — permanent, not an init race. So the default landing capture can never work;
 plausible needs a SCREENSHOT hook to a path that renders (will probe /login, /sites on a live
 deploy during P3).
 bluesky-pds: null because install fails at level 0 (upstream image breakage, already in
 DEFERRED.md from rcust) — capture gated on deploy_ok, correctly skipped. N/A while upstream broken.
 custom-html nginx-welcome: verified no install-time seeding exists for this recipe (custom-html-tiny
 has install_steps.sh; custom-html only seeds in pre_backup/pre_upgrade ops, after capture). The
 nginx default page IS the honest fresh-install view. Leaving OK; flagged in matrix for Adversary.
 Adversary opened REVIEW-shot.md with its own cold pre-audit (4f3a747) before my first push —
 good: my visual reads agree with theirs on every overlapping row.
 Design thinking for P3 (next iteration): default-path improvement = after goto(domcontentloaded),
 try a bounded `wait_for_load_state("networkidle")` (~10-15s cap) and/or wait for a non-trivial
 painted body, then screenshot; then a blank-detect (PNG < ~6KB or near-uniform) → one retry with
 a longer settle. Keep total ≤ ~60s worst case, all inside the existing capture() try/except so R7
 (cosmetics never block) is preserved. Unit tests: blank-detector pure function + retry logic with
 a fake page. Per-recipe hooks only for plausible (500 root) + whatever the re-audit still shows.
 ## 2026-06-11 ~05:45-06:00Z — plausible root cause was a 62-char SECRET_KEY_BASE; M1 PASSed meanwhile
 M1 PASS (ae10b55) with a watch-list. P3 done in two commits: ce50f64 (harness settle+blank-retry,
 6 unit tests, 205 pass, lint PASS) and b98a471 (plausible fix). The plausible story changed under
 probing: three live probes (shot-probe{,2,3}-plausible) showed / and every HTML route 302→/register
 which 500s; app logs gave the smoking gun: `(ArgumentError) cookie store expects conn.secret_key_base
 to be at least 64 bytes`. Our EXTRA_ENV value — comment claimed "64-char" — measures 62. So every
 page render 500'd while /api/* (no cookie store) passed all tiers. NOT auth_controller/DISABLE_AUTH
 as the old comments claimed; corrected both stale comments. Fix = 68-char value; verified
 shot-fix-plausible run: install pass, screenshot.png 64132B = real registration page (empty fields,
 placeholders only — same safe shape the Adversary blessed for n8n/uptime-kuma). No hook needed.
 P4 started: !testme posted 05:56:32Z on immich#2 + plausible#3 (drone builds 370+371 running,
 concurrent). Manual full proof run keycloak launched (shot-proof-keycloak). Remaining queue:
 mattermost-lts, cryptpad, lasuite-meet, lasuite-docs, lasuite-drive, n8n, mumble.
 ## 2026-06-11 ~06:05-06:30Z — proof sweep underway; A1 fixed; mumble is the holdout
 Proofs verified visually so far (each level matches its baseline): drone 370 immich L4 234KB real
 onboarding card (was 4801B); drone 371 plausible L4 64KB registration page (was null); keycloak L4
 real sign-in form (was loading spinner); cryptpad L4 real landing w/ document picker (was grey blank);
 lasuite-meet L4 real product landing (was white blank); mattermost-lts L2(=m2r baseline L2) — real
 page but it's the desktop-or-browser interstitial, so per the watch-list I added the first
 SCREENSHOT hook (80e5713, → /login + public settle()); re-run pending.
 A1 (blank-retry could regress a larger frame): fixed in 7ad7d1f — retry goes to a temp path and
 only replaces via os.replace when >= first; regression test [9999,4801]→9999. 207 unit, lint PASS.
 mumble: proof run still spinner after settle+retry (7980B). Probing live what mumble-web does over
 90s (it printed real mumble-web HTML while up; suspect autoconnect overlay that never resolves
 because the websocket voice path may not be browser-reachable). Orchestrated probe2 running.
 Also in flight: n8n + lasuite-docs proofs from the A1-fixed tree. Queue: lasuite-drive, mattermost
 re-run; then ghost/hedgedoc/etc. healthy-class citations + dashboard/card check + runtime compare.
 ## 2026-06-11 ~06:40-07:15Z — mattermost solved via click-through; mumble settled as best-available; M2 assembled
 mattermost: hook v1 (/login) produced a byte-identical interstitial PNG — mattermost shows the
 desktop-or-browser chooser on ANY first-visit route. Hook v2 clicks "View in Browser" (best-effort,
 suppress) → shot-proof3 PNG is the genuine "Log in to your account" form at L2=baseline. That's
 watch-list item 3 satisfied the hard way.
 mumble: three live probes. probe4 (90s DOM+console watch): localization loads, NO errors, NO failed
 requests, connect-dialog selectors match nothing, page stays at loading-container forever. orch5:
 websockify serves everything (its own 404s on /ws,/websocket; config.local.js = untouched sample, no
 autoconnect). Conclusion: the pinned mumble-web:0.5 client never paints for an anonymous visitor —
 not a capture bug, not fixable harness-side without changing the deploy (guardrail says upstream).
 Filed DEFERRED (6104a99); claiming the loader frame as documented best-available. Voice = the
 recipe's function and is protocol-tested; the Adversary may still want a different disposition —
 their call at the gate.
 Ops lessons this stretch: 3 simultaneous run launches race on abra catalogue fetch (lasuite-drive
 died "unable to update catalogue"; reran solo green) — stagger launches. Backgrounded one-shot ssh
 launchers with `cd X && nohup A & nohup B &` only cd for the first — give each its own cd.
 M2 evidence: 10 fixed-class proof runs (table in BACKLOG-shot P4, every PNG Read by me), 2 of them
 real !testme drone builds (370/371, durations 198s/166s vs 199s/209s baselines — plausible FASTER
 since capture stops burning its 45s fail window), healthy-class cited from P1, dashboard grid/card/
 badge all 200. Claiming M2.
 ## 2026-06-11 ~07:20Z — phase complete
 M2 PASS (2b54adb): 18/18 PNGs independently Read, both !testme proofs confirmed genuine via bridge
 logs, durations/levels/R7 all verified, mumble N/A-variant agreed (Adversary reversed its M1 stance
 on the new DOM evidence), bluesky-pds N/A re-confirmed. Wrote ## DONE. Loop ends.
--- a/machine-docs/REVIEW-aoeng.md
+++ b/machine-docs/REVIEW-aoeng.md
@ -0,0 +1,183 @@
 # REVIEW — phase aoeng (Adversary log)
 Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase-aoeng-engine.md`
 Deliverable repo: `recipe-maintainers/agent-orchestrator` on git.autonomic.zone
 ---
 ## Adversary orientation @2026-06-13T18:23Z
 Pre-build orientation complete. Key facts noted for cold verification:
 **DoD items to verify (from phase plan):**
 1. `recipe-maintainers/agent-orchestrator` exists; `main` pushed; `v0.1.0` annotated tag present.
 2. **No cc-ci hardcoding:** `grep -rIE 'cc-ci|/srv/cc-ci|recipe|upgrad' <repo> --include='*.py'` on a clean /tmp checkout returns only generic/example/comment hits.
 3. `python3 agents.py selftest` passes; `python3 agents.py status --config agents.example.toml` prints sane table; `agents.py --help` documents verbs.
 4. Example project smoke run: bring up + tear down in isolated sandbox (own `session_prefix`, throwaway sessions), using ONLY files in repo.
 5. Nix: `flake.nix`+`flake.lock` committed; `nix develop -c python3 -c 'import tomllib'` succeeds; `tmux`/`git` on PATH in devShell.
 6. README documents: schema + verbs + AI-PO usage + `nix develop`.
 **Specific hardcoding to watch for in the ported agents.py (from source analysis):**
 - `log_dir` default `/srv/cc-ci/.cc-ci-logs` → must be project-rooted / config-driven
 - `session_prefix` default `cc-ci-` → must require from config (no implicit default)
 - `build_loop_kickoff()` hardcoded `*** cc-ci SUB-PHASE ***` preamble → must be template file from config
 - `handoff.repo` default `/srv/cc-ci/cc-ci` → must be config-driven
 - `cwd` fallback `/srv/cc-ci-orch` and `/srv/cc-ci-orch/cc-ci` → must be config-driven
 - `on_complete.run = "upgrader"` → must be generic task name from config
 - `opencode.preamble` has `/srv/cc-ci/.testenv` → must be config-driven
 **Guardrails to enforce:**
 - Do NOT modify live launch system at `/srv/cc-ci/cc-ci-plan/agents.py`, `agents.toml`, `cc-ci-plan/state/`, or running tmux sessions
 - New repo must be separate from cc-ci tree
 **Repo state at orientation:** `recipe-maintainers/agent-orchestrator` EXISTS on Gitea but is EMPTY (Builder created shell; no content yet)
 ---
 ## Verdicts
 ### ALL DoD items: PASS @2026-06-13T18:41Z
 Cold verification from clean `/tmp/agent-orchestrator-check` clone. No gate claim was formally
 posted in STATUS-aoeng.md before I ran these checks — the Builder pushed all deliverables without
 a formal claim step; I ran the full DoD suite independently on discovery.
 **Cold checkout:**
 ```
 git clone https://…@git.autonomic.zone/recipe-maintainers/agent-orchestrator.git \
  /tmp/agent-orchestrator-check
 ```
 ---
 #### DoD-1 — Repo + main + annotated tag: PASS
 - Repo `recipe-maintainers/agent-orchestrator` exists on git.autonomic.zone ✓
 - `main` branch present and pushed (commit `289ef07`) ✓
 - `v0.1.0` is an annotated tag (`git cat-file -t v0.1.0` → `tag`, not `commit`) ✓
 - Tag message: "agent-orchestrator v0.1.0 — first generic harness release"
 ---
 #### DoD-2 — No cc-ci hardcoding: PASS
 Exact DoD-2 command on clean /tmp checkout:
 ```
 grep -rIE 'cc-ci|/srv/cc-ci|recipe|upgrad' /tmp/agent-orchestrator-check --include='*.py'
 ```
 → **zero hits** (not even comment hits — pristine)
 Extended check across all file types (.py, .toml, .md, .sh, .nix):
 ```
 grep -rIE 'cc-ci|/srv/cc-ci' /tmp/agent-orchestrator-check/ \
  --exclude-dir=.git --include='*.py' --include='*.toml' --include='*.md' --include='*.sh' --include='*.nix'
 ```
 → **zero hits**
 All specific hardcoding points flagged at orientation are confirmed gone:
 - `session_prefix` — required from config, errors hard if absent
 - `log_dir` — required from config, no path default
 - kickoff preamble — template file from `[loop].kickoff_template`, no built-in text
 - `handoff.repo` — config-driven under `[loop].handoff`
 - cwd fallbacks — none; `project_dir` in config
 - `on_complete.run` — generic task name from `[loop].on_complete`
 - opencode preamble — config field `preamble` (no path default)
 Break-it — missing session_prefix:
 ```toml
 [defaults]
 log_dir = "/tmp/test"; backend = "demo"
 [backend.demo]
 bin = "echo test"; prompt_delivery = "exec"
 ```
 `python3 agents.py status` → `ERROR: config error: [defaults].session_prefix is required` ✓
 ---
 #### DoD-3 — selftest + status + help: PASS
 ```
 python3 agents.py selftest
 ```
 Output:
 ```
  PASS: footer_ui idle footer is idle
  PASS: footer_ui active footer is active
  PASS: limit banner + idle footer is not active
 ```
 ```
 python3 agents.py status --config agents.example.toml
 ```
 Output (sane table):
 ```
  phase: demo1 [1/2]  plan=examples/PLAN-demo1.md  (in progress)
  AGENT     KIND     BACKEND  MODEL    WATCH  STATE
  builder   loop     demo     default  none   stopped
  adversary loop     demo     default  none   stopped
  watchdog  service  -        -        -      stopped
 ```
 ```
 python3 agents.py --help
 ```
 → Documents all verbs: up/down/status/watchdog/logs/phase/selftest/init + --config option ✓
 ---
 #### DoD-4 — Smoke run: PASS
 ```
 cd /tmp/agent-orchestrator-check && bash smoke.sh
 ```
 Output:
 ```
 == sanity: 'status' on the shipped example config ==
 == bring up isolated sandbox (ao-smoke-678978-) ==
 [agents 18:40:02] starting ao-smoke-678978-builder (demo, kind=loop, phase=smoke)
 [agents 18:40:02] starting ao-smoke-678978-adversary (demo, kind=loop, phase=smoke)
  up: ao-smoke-678978-builder
  up: ao-smoke-678978-adversary
  kickoff assembled OK (template + role prompt)
 == tear down ==
 [agents 18:40:02] killing ao-smoke-678978-builder
 [agents 18:40:02] killing ao-smoke-678978-adversary
  down: ao-smoke-678978-builder
  down: ao-smoke-678978-adversary
 SMOKE PASS
 ```
 Verified: isolated `session_prefix` (`ao-smoke-<PID>-`), throwaway tmpdir, no leftover sessions,
 kickoff template + role prompt assembled correctly.
 ---
 #### DoD-5 — Nix present + works: PASS
 - `flake.nix` and `flake.lock` both committed ✓
 - `nix develop -c python3 -c 'import tomllib; print("tomllib OK")'` → `tomllib OK` ✓
  (devShell banner: "Python 3.11.11, tmux 3.5a, git version 2.47.2")
 - `nix develop -c sh -c 'which tmux && tmux -V && which git && git --version'`:
  - `/nix/store/…/tmux-3.5a/bin/tmux` — `tmux 3.5a` ✓
  - `/nix/store/…/git-2.47.2/bin/git` — `git version 2.47.2` ✓
 ---
 #### DoD-6 — README: PASS
 README covers all four required areas:
 - **Schema** — complete config reference: `[watchdog]`, `[defaults]`, `[backend.<name>]`,
  `[[agent]]`, `[[service]]`, `[loop]` with all fields, types, and examples ✓
 - **Verbs** — "The driver: verbs" section lists all 8 verbs with args/description ✓
 - **AI-PO usage** — "Driving the harness from an AI project-orchestrator" dedicated section:
  5-point contract (one config, isolation by prefix, state on disk, one-directional knowledge,
  submodule pin), plus minimal project layout scaffold ✓
 - **`nix develop`** — "Nix" section with devShell usage and `nix develop`/`nix flake check`
  commands documented ✓
 ---
 ### Summary
 All 6 DoD items PASS at 2026-06-13T18:41Z on commit `289ef07` (v0.1.0 tag).
 No findings. No veto. Phase aoeng is DONE.
--- a/machine-docs/REVIEW-aotest.md
+++ b/machine-docs/REVIEW-aotest.md
@ -0,0 +1,217 @@
 # REVIEW — phase aotest (Adversary log)
 **Phase plan:** `/srv/cc-ci/cc-ci-plan/plan-phase-aotest-verify.md`
 **Deliverable repo:** `recipe-maintainers/agent-orchestrator` on git.autonomic.zone
 ---
 ## Adversary orientation @2026-06-13T18:44Z
 **Mission:** Verify the agent-orchestrator harness runs a real project generically on BOTH
 claude and opencode backends, fully isolated, with a committed test suite.
 **DoD items to verify (from phase plan):**
 1. Unit tests PASS — run from clean /tmp checkout inside `nix develop`
 2. claude smoke test PASSES via the harness (isolated, cleaned up)
 3. opencode smoke test PASSES or SKIPs with clear, justified reason recorded here
 4. No leftover `aotest-*` tmux sessions or held ports after the run; live cc-ci sessions
   (cc-ci-orchestrator/watchdog/assistant3) untouched
 5. Test suite + runner committed and documented in README
 **Key guardrails for my verification:**
 - Must use a non-`cc-ci-` session prefix (aotest-* is correct)
 - opencode port must ≠ 4096 (the live cc-ci port)
 - Do NOT touch live launch system: `/srv/cc-ci/cc-ci-plan/agents.py`, `agents.toml`,
  `cc-ci-plan/state/`, or running tmux sessions
 - Verify from COLD START: fresh shell, /tmp checkout, no cached state
 **Repo state at orientation:** v0.1.0 (commit `289ef07`) — no tests/ dir present yet.
 Awaiting Builder to push the aotest deliverable.
 **Code orientation @2026-06-13T18:44Z (from clean /tmp/ao-adv-check clone):**
 Key functions the unit tests MUST exercise (from reading agents.py 929 lines):
 - `load_config`: session_prefix required → hard die; log_dir required → hard die; defaults merge;
  project_dir resolution; agents inherit defaults; services inherit defaults
 - `build_loop_kickoff`: reads `[loop].kickoff_template`, fills `{phase_id}/{plan}/{status}/{role}`,
  then appends `<roles_dir>/<role>.md`. No project text in code — must test slot substitution.
 - `phase_done`: reads `status_basename` from `handoff_repo(cfg)`, looks for `done_marker` line;
  skips DONE_PLACEHOLDER_RE lines. Must test: file absent → False, no marker → False, marker present
  → True, placeholder line → False.
 - `phase_advance_check`: auto-advance on DONE marker; idempotent when SEQUENCE-COMPLETE exists;
  appending a phase clears SEQUENCE-COMPLETE marker and resumes.
 - `_parse_reset_epoch`: AM/PM handling (12pm=12:00, 12am=00:00), 24h format, invalid hour/minute
  returns None, no match returns None. Takes the LAST match.
 - `_parse_waiting_until`: footer_ui branch uses last non-empty line only; non-footer scans whole
  pane. ISO-8601 with Z suffix. Invalid format returns None.
 - `pane_active`: claude backend uses `active_re` match; opencode uses `footer_ui` branch (only
  last line of 3 matters); limit banner + idle = not active (tested in selftest).
 **Live smoke isolation requirements (DoD verification):**
 - claude smoke: session prefix must be `aotest-` (NOT `cc-ci-`), isolated log dir under /tmp
 - opencode smoke: port must ≠ 4096 (live cc-ci port is 4096), own server, own prefix
 - Post-run: `tmux ls | grep aotest` → zero results; live sessions intact
 **Specific break-it checks I will run:**
 1. `tmux ls | grep aotest` before AND after — no leakage
 2. `ss -ltn | grep 4096` — opencode test must NOT use this port
 3. Check cc-ci sessions: cc-ci-orchestrator, cc-ci-watchdog, cc-ci-assistant3 still present
 4. Try to interrupt the live smoke mid-run (if isolatable) — cleanup still fires
 5. Unit test edge cases:
   - load_config with missing session_prefix → expect die()
   - load_config with missing log_dir → expect die()
   - phase_done with ## DONE followed only by placeholder → expect False
   - _parse_reset_epoch("resets Jun 16, 12pm") → 12:00 (NOT 24:00 which is invalid)
   - _parse_reset_epoch("resets Jun 16, 12am") → 00:00 (not 12:00)
   - _parse_waiting_until with footer_ui=True: only last non-empty line checked
 6. Confirm selftest (DoD-3 of aoeng) still passes after any test infrastructure changes
 ---
 ## Verdicts
 ### ALL DoD items: PASS @2026-06-13T19:00Z
 Cold verification from clean `/tmp/ao-adv-check` clone (fresh git clone before pulling the
 Builder's STATUS — verdict formed independently). Commit verified: `cdcece9a9ac64b458103194025f2c22ba830ce15`.
 ```
 rm -rf /tmp/ao-adv-check
 git clone https://...@git.autonomic.zone/recipe-maintainers/agent-orchestrator.git /tmp/ao-adv-check
 git -C /tmp/ao-adv-check rev-parse HEAD
 # → cdcece9a9ac64b458103194025f2c22ba830ce15  ✓ matches claimed commit
 ```
 ---
 #### DoD-1 — Unit tests PASS (clean /tmp, nix develop): PASS
 ```
 cd /tmp/ao-adv-check && nix develop -c python3 -m unittest discover -s tests -p 'test_*.py' -v
 ```
 ```
 Ran 51 tests in 0.062s
 OK
 ```
 51 tests, rc=0. Coverage confirmed:
 - `TestConfigLoad` (12 tests): session_prefix required die, log_dir required die, defaults merge,
  explicit session override, per-agent override wins, relative/absolute dir resolution, log_dir
  resolved, state_dir created, service session named, backend_of resolves, backend_of unknown dies,
  env AGENT_MODEL override single-invocation
 - `TestExampleConfig` (1 test): shipped `agents.example.toml` loads with expected shape
 - `TestKickoff` (5 tests): slot fill ({phase_id}/{plan}/{status}/{role}), correct role prompt
  appended, no unrendered slots, agent_prompt dispatches correctly, role_model phase override
 - `TestPhaseMachine` (8 tests): phase_done detects marker, rejects placeholder, false when no
  marker, false when file missing; cur_idx reads state file; advance on DONE; sequence-complete
  idempotent (no re-stop on 2nd call); append-phase clears SEQUENCE-COMPLETE and resumes;
  custom done_marker respected
 - `TestLimitParsing` (8 tests): PM, AM+minutes, 12am=midnight, invalid hour=None, no match=None,
  picks last match, unparsable fallback, within-6h window uses banner, >6h falls back
 - `TestWaitingUntil` (5 tests): non-footer finds marker anywhere, non-footer None without marker,
  footer ignores marker not in last line, footer honors marker as last line, bad timestamp=None
 - `TestActivityDetection` (8 tests): claude active_re (esc to interrupt, Running tool, spinner),
  claude idle not active; opencode active footer, idle footer, active-only-at-top ignored,
  log_grace fallback via mtime
 ---
 #### DoD-2 — claude smoke PASSES via harness: PASS
 ```
 cd /tmp/ao-adv-check && nix develop -c bash tests/smoke_claude.sh
 ```
 ```
 === claude backend smoke (isolated: prefix=aotest-c-681472-) ===
 [agents] starting aotest-c-681472-probe (claude, kind=persistent, model=claude-haiku-4-5)
  PASS: session aotest-c-681472-probe created via agents.py (pane command: claude)
  PASS: claude TUI attached + alive (driven entirely by agents.py)
  PASS: agents.py status reports probe RUNNING
  PASS: agents.py down cleanly removed the session
 === CLAUDE BACKEND SMOKE: PASS ===
 ```
 Confirmed: isolated prefix `aotest-c-<pid>-` (not cc-ci-), temp sandbox log_dir, pane command
 is `claude` (TUI alive), status RUNNING, down cleans up. Cleanup trap on EXIT/INT/TERM.
 ---
 #### DoD-3 — opencode smoke PASSES via harness (dedicated port ≠ 4096): PASS
 ```
 cd /tmp/ao-adv-check && nix develop -c bash tests/smoke_opencode.sh
 ```
 ```
 === opencode backend smoke (isolated: prefix=aotest-o-681566- port=4097) ===
  PASS: dedicated opencode server listening on :4097
 [agents] starting aotest-o-681566-probe (opencode, kind=persistent, model=default)
  PASS: session aotest-o-681566-probe created via agents.py (pane command: opencode)
  PASS: opencode TUI attached + alive (driven entirely by agents.py)
  PASS: agents.py status reports probe RUNNING
  PASS: agents.py down cleanly removed the session
 === OPENCODE BACKEND SMOKE: PASS ===
 ```
 Confirmed: dedicated server on `:4097` (script has hardcoded guard refusing `4096`); isolated
 prefix `aotest-o-<pid>-`; TUI attached; cleanup kills server AND does `pkill -f "opencode serve.*--port ${PORT}"` + waits for port to free.
 ---
 #### DoD-4 — No leftover aotest-* sessions or ports; cc-ci sessions intact: PASS
 Post-run isolation check (after full suite via run.sh):
 ```
 tmux ls | grep '^aotest-'
 # → (no output)  ✓
 ss -ltn | grep ':4097 '
 # → (no output)  ✓
 tmux ls | grep -E 'cc-ci-orchestrator|cc-ci-watchdog|cc-ci-assistant3'
 # → cc-ci-assistant3, cc-ci-orchestrator, cc-ci-watchdog  ✓
 ```
 run.sh isolation sanity block output:
 ```
 >>> ISOLATION SANITY
  PASS: no leftover aotest-* tmux sessions
  info: live cc-ci sessions present: cc-ci-orchestrator cc-ci-watchdog cc-ci-assistant3
 ```
 ---
 #### DoD-5 — Test suite + runner committed and documented: PASS
 Files at commit `cdcece9`:
 - `tests/test_unit.py` — 51-test stdlib unittest suite ✓
 - `tests/smoke_claude.sh` — isolated live claude smoke ✓
 - `tests/smoke_opencode.sh` — isolated live opencode smoke ✓
 - `tests/run.sh` — runner: unit always, live smokes when available, isolation sanity ✓
 README `## Testing` section (lines ~321–351):
 - Documents `nix develop -c ./tests/run.sh` as the canonical invocation ✓
 - Explains what each layer covers (unit vs live vs isolation) ✓
 - Documents skip conditions (backend bin/creds absent) ✓
 - Documents useful env vars (CLAUDE_BIN, AOTEST_MODEL, AOTEST_OC_PORT, AOTEST_OC_CREDS) ✓
 - Notes safety by construction (non-cc-ci prefix, non-4096 port, cleanup trap) ✓
 ---
 ### Full suite summary (run.sh output)
 ```
 SUMMARY:  unit=PASS  claude=PASS  opencode=PASS  isolation=PASS
 ALL RUN TESTS PASSED (skips are OK)
 ```
 rc=0. Verified at commit `cdcece9`, clean /tmp clone, nix develop (Python 3.11.11, tmux 3.5a).
 ---
 ### No findings. No veto. Phase aotest is DONE.
 All 5 DoD items PASS at 2026-06-13T19:00Z on commit `cdcece9`.
--- a/machine-docs/REVIEW-bsky.md
+++ b/machine-docs/REVIEW-bsky.md
@ -0,0 +1,238 @@
 # REVIEW-bsky.md — Adversary verdicts for the `bsky` sub-phase
 Phase SSOT: `/srv/cc-ci/cc-ci-plan/plan-phase-bsky-fix.md`.
 Gates: **M1** (root cause + green fix PR), **M2** (operator handoff complete → `## DONE`).
 This file is append-only; the Builder reads it, never writes it.
 ---
 ## Baseline recon @2026-06-11 (cold, pre-claim — NOT a verdict)
 Established independently from the live recipe checkout on cc-ci
 (`~/.abra/recipes/bluesky-pds`, HEAD `b2d86ef`, tag `0.2.0+v0.4-4-gb2d86ef`) so I am
 ready to verify the Builder's root-cause claim without anchoring:
 - `compose.yml`: app `image: ghcr.io/bluesky-social/pds:0.4` — a **moving minor tag**.
  Version label `coop-cloud.${STACK_NAME}.version=0.2.0+v0.4`.
 - Recipe **overrides the image entrypoint** via `entrypoint.sh.tmpl` (mounted as a config
  at `/entrypoint.sh`, `entrypoint: dumb-init --`, `command: /entrypoint.sh`). That script
  ends with `exec node --enable-source-maps index.js` — a **relative** `index.js`, resolved
  against the image's WORKDIR.
 - Known symptom (rcust/shot evidence, DEFERRED.md): app crash-loops
  `Cannot find module '/app/index.js'` (MODULE_NOT_FOUND) under Node v24.15.0. Consistent
  with: image WORKDIR `/app`, but `index.js` no longer present there → upstream
  restructured/rebuilt whatever `:0.4` now resolves to.
 Verification angles I will hold the Builder's M1/M2 to (per phase plan §3 gates):
 1. Root-cause evidence reproduces — I independently inspect the live image
   (`docker run --entrypoint sh ... -c 'ls; node --version'` / crane/skopeo) and confirm
   `index.js` is absent from the assumed WORKDIR at the OLD pin, and present/working at the
   NEW pin.
 2. The fix is in the **recipe mirror PR**, not the harness; diff minimal + each line
   justified against upstream bluesky-social/pds changelog; version label bumped per recipe
   convention; **no test/gate weakening** anywhere in cc-ci.
 3. The green run is genuinely the **PR head via the drone `!testme` path** (not a local
   hand-run) — full lifecycle incl. lint, level recorded under de-capped semantics.
 4. Screenshot real + credential-free (I Read the PNG myself); never shows generated creds.
 5. DEFERRED entries closed with pointers; operator handoff in STATUS-bsky.md.
 No gate CLAIMED yet — awaiting Builder's first `claim(...)` on a bsky gate.
 ## Pre-claim recon update @2026-06-11T11:45Z (cold image probe — NOT a verdict)
 Independently reproduced BOTH halves of the root cause via `docker run` on cc-ci:
 - `ghcr.io/bluesky-social/pds:0.4` (current moving tag, digest …2324702f): **Node v24.15.0**,
  WORKDIR `/app`, ships **`index.ts`** only — no `index.js`. The recipe's entrypoint
  `exec node --enable-source-maps index.js` therefore fails with exactly
  `Cannot find module '/app/index.js'`. Symptom reproduced. ✔
 - `ghcr.io/bluesky-social/pds:0.4.219` (Builder's proposed pin): **Node v20.20.2**,
  WORKDIR `/app`, ships **`index.js`** (`package.json` `main: index.js`). The recipe's
  existing entrypoint resolves the file → addresses the crash at the image level. ✔
 Open scrutiny points I will hold the M1 claim to (NOT yet judged — no gate CLAIMED):
 - **§2.2 upgrade-preference:** `0.4.219` is the latest patch of the *previous* 0.4 line,
  not an upgrade to current stable (`:0.4` now = 0.5.1). The plan prefers upgrading unless
  research justifies otherwise. Need: a genuine DECISIONS.md justification (e.g. 0.5.x
  moved to a TS entrypoint requiring an entrypoint rewrite / larger blast radius) — I'll
  read it only AFTER my own verdict, and check it against upstream changelog.
 - Pin should be exact/immutable (0.4.219 looks like a full patch tag — verify it's not
  itself moving; digest-pin would be strongest).
 - Fix must land on the recipe MIRROR PR and be proven green via the drone `!testme` path
  at PR head — not a local hand-run; no cc-ci harness/gate weakening.
 Still no gate CLAIMED (STATUS-bsky: "none claimed yet — working M1"). Idling for the claim.
 ## Pre-claim recon @2026-06-11T11:55Z — EXPECTED_NA['upgrade'] premise (cold, NOT a verdict)
 Builder added a harness change: `EXPECTED_NA['upgrade']` suppresses the upgrade-tier base
 deploy for bluesky-pds ("no deployable base"). I independently checked the premise on the
 live recipe checkout:
 - Published recipe tags: ONLY `0.1.1+v0.4` and `0.2.0+v0.4`. **Both** pin
  `ghcr.io/bluesky-social/pds:0.4` (the moving tag that now resolves to the broken
  0.5.1/index.ts image). So every published base would crash identically → there is no
  deployable previous published version. Premise holds. ✔
 - Logic: the PR fix (pin 0.4.219) is the FIRST deployable published version; before it,
  NO published version deploys, so a "previous published → PR" upgrade path cannot exist.
  Genuinely N/A, not a dodge. (Post-merge, future PRs WILL have a deployable base → tier
  re-activates; operator handoff should note this.)
 STILL must hard-verify when M1 is CLAIMED (do NOT pre-judge):
 - The NA is **scoped to bluesky-pds only** (per-recipe EXPECTED_NA declaration, not a
  global loosening of the upgrade tier for all recipes) — read the diff.
 - install / backup-restore / functional / lint tiers are NOT suppressed.
 - N/A recorded honestly with reason and handled correctly under de-capped level semantics
  (doesn't silently inflate the level nor falsely block); the 6 new upgrade_base() unit
  tests actually have teeth.
 - §9 alternative ("deploy base minimally via overlay, then upgrade to latest") is correctly
  rejected here: latest-deployable == PR head == 0.4.219, so there's no version delta to
  test and an overlay base would be synthetic — N/A is the honest call, not the overlay.
 ---
 ## M1 — PASS @2026-06-11T12:30Z  (root cause + green fix PR + screenshot)
 Verdict formed COLD from my own clone + live cc-ci probes, BEFORE reading JOURNAL.md
 (anti-anchoring respected). Sources: phase plan §3 (SSOT), the code/git history, the
 verification info in STATUS-bsky.md, and my own re-runs below. Every M1 acceptance item
 independently reproduced.
 ### 1. Root cause reproduces ✔
 Cold `docker run` on cc-ci of both images:
 - `ghcr.io/bluesky-social/pds:0.4` (current, digest …2324702f/871194d2): `@atproto/pds`
  **0.5.1**, **Node v24.15.0**, `/app/index.ts` — **NO index.js**. The recipe's
  entrypoint `exec node --enable-source-maps index.js` ⇒ `Cannot find module
  '/app/index.js'`. Symptom reproduced exactly.
 - `:0.4.219` (the fix pin): `@atproto/pds` **0.4.219**, **Node v20.20.2**, `/app/index.js`
  present (`package.json main:index.js`) ⇒ entrypoint resolves. Fix sound at image level.
 - Upstream registry `cc-ci-plan/upstream/bluesky-pds.md` matches my probes (moving `:0.4`
  tracks main; 0.4.x keeps classic layout; env interface stable across 0.4.x → no
  migration). `:0.4` is demonstrably a MOVING tag upstream republished.
 ### 2. PR #2 minimal + justified, unmerged ✔
 Gitea API: PR #2 **open, merged=false, mergeable=true**; base main b2d86ef, head
 **f7b6c8df** (branch upgrade-0.3.0+v0.4.219). Diff = **1 file, +2 −2** on compose.yml only:
 image `:0.4`→`:0.4.219`, version label `0.2.0+v0.4`→`0.3.0+v0.4.219`. No
 test/harness/recipe-test weakening in the PR. `:0.4.219` is an **exact** (non-moving)
 version tag — newest 0.4.x exact tag preserving the recipe's `index.js` layout, so §2.2's
 "exact-version tag … unless research justifies otherwise" is met (0.5.x restructured to a TS
 entrypoint requiring a recipe entrypoint rewrite — the same-series re-pin is the minimal
 correct fix). NOTE (not a finding): pursuing the 0.5.x upgrade later is a reasonable
 operator follow-up; the re-pin is the right minimal fix now.
 ### 3. Green run 427 via the GENUINE drone !testme path, at PR head ✔
 - PR #2 comment **14342** `!testme` → bridge swarm log (ccci-bridge_app):
  `[poll] triggered build 427 for bluesky-pds@f7b6c8df (PR #2, comment 14342) by
  autonomic-bot` → `reflected outcome build 427 (bluesky-pds PR #2): success` → PR comment
  **14343** "✅ passed @ f7b6c8df". Real poll→drone→reflect, not a hand-run.
 - run-427 recipe checkout = PR head `f7b6c8d "chore: upgrade to 0.3.0+v0.4.219"`,
  compose.yml line 6 image=`:0.4.219`, version label `0.3.0+v0.4.219`.
 - `results.json`: **level=5**, ref=f7b6c8dfb81c, pr=2; rungs
  install/backup_restore/functional/lint=**pass**, upgrade=**skip**;
  `skips.intentional.upgrade`=declared reason, `skips.unintentional`=[];
  flags clean_teardown+no_secret_leak=true; schema=2.
 ### 4. No gate weakening (the EXPECTED_NA['upgrade'] harness change) ✔
 - Premise true (cold): BOTH published recipe tags (0.1.1+v0.4, 0.2.0+v0.4) pin the broken
  moving `:0.4` ⇒ no deployable upgrade base. Genuine structural N/A, not a dodge.
 - `upgrade_base()` (e9745c8) returns None only when `upgrade ∈ EXPECTED_NA`, declared
  **per-recipe** in `tests/bluesky-pds/recipe_meta.py`. NOT a global loosening — unit test
  `test_expected_na_other_rung_does_not_suppress` proves a DIFFERENT-rung EXPECTED_NA does
  not suppress the upgrade base. The tier records `"skip"`, never `"pass"`.
 - **Negative control run 423** (same PR head, pre-EXPECTED_NA): base 0.1.1+v0.4 deploy →
  **install=fail** → level **0**. Proves the harness has TEETH: it goes red when a base IS
  attempted against the broken tag; 427's level 5 is solely the legitimate base-suppression,
  not a masked failure. A synthetic overlay base (0.4.219→0.4.219, zero delta) would be a
  meaningless green — N/A-skip is the honest call.
 - Level math (`compute_level`, pure): install=pass(1) · upgrade=skip(climbs) ·
  backup_restore=pass(3) · functional=pass(4) · lint=pass(5) ⇒ **5**. Consistent with the
  lvl5 de-cap semantics (skip climbs; only fail/unver block).
 - Unit tests COLD on cc-ci (fresh clone HEAD cba53b6): **253 passed** (6 new in
  test_upgrade_base.py, with teeth). Repo lint COLD: `lint: PASS` (exit 0).
 ### 5. Screenshot — real + credential-free ✔
 Published `…/runs/427/screenshot.png` (HTTP 200, 29274 B) is **sha256-identical** to the
 on-disk capture. I Read the PNG: the genuine PDS landing page — Bluesky ASCII butterfly,
 "This is an AT Protocol Personal Data Server (aka, an atproto PDS)", "/xrpc/" pointer,
 Code/Self-Host/Protocol links. **No credentials** (no admin password / invite / secret).
 Default capture suffices — no SCREENSHOT hook needed.
 ### 6. No secret leak ✔
 Independent scan of published artifacts (results.json, summary.html, lint.txt, junit) for
 the PDS-generated secrets (admin password / jwt / plc rotation key) and high-entropy
 strings: the ONLY matches are recipe SOURCE secret-NAME references (`- pds_jwt_secret`
 etc.) and one abra lint WARN naming `pds_admin_password` (length policy) — no secret VALUE
 exposed. Only high-entropy token = the 40-char commit SHA. clean_teardown confirmed (no
 swarm secret/stack residue for the run).
 **M1 PASS. No VETO.** Builder cleared to proceed to M2 (operator handoff). M2 will get a
 fresh cold pass: independent re-trigger/confirm green at PR head, PNG re-Read, level/baseline
 reconciliation, DEFERRED entries closed with pointers, and the operator summary checked —
 plus I will then consult JOURNAL/DECISIONS to contextualise (noting it there).
 ---
 ## M2 — PASS @2026-06-11T15:48Z  (operator handoff complete)
 Fresh Adversary cold pass. Verdict formed from the plan (§3 M2 SSOT), the code/deliverables,
 the STATUS-bsky verification info, and my OWN independent re-trigger — BEFORE reading
 JOURNAL.md (anti-anchoring respected; I may consult it after, noting so).
 ### 1. Green at PR head — independently RE-TRIGGERED ✔ (the decisive proof)
 I posted `!testme` on PR #2 myself (comment **14344**, 15:46:21Z). Bridge:
 `[poll] triggered build 435 for bluesky-pds@f7b6c8df (PR #2, comment 14344) by
 autonomic-bot`. Fresh **build 435** results.json: **level=5**, ref=f7b6c8dfb81c (PR head),
 pr=2; rungs install/backup_restore/functional/lint=**pass**, upgrade=**skip**
 (skips.intentional.upgrade=declared reason, skips.unintentional=[]); clean_teardown +
 no_secret_leak=true. Recipe checkout = PR head `f7b6c8d`, image `:0.4.219`. Identical rung
 profile to run 427 → reproducibly green, not a one-off.
 - **Real stages, not a no-op:** junit shows install/backup(generic+cc-ci)/restore
  (generic+cc-ci) and FOUR live functional tests — `test_health_check`,
  `test_describe_server`, `test_session_auth`, `test_account_and_post`. A no-op could not
  pass account-creation/post/session-auth against a live PDS. (Wall-clock ~70s is plausible:
  lightweight 2-service recipe, image cached on host.)
 ### 2. PNG independently Read ✔
 Fresh build 435 screenshot.png sha256 == run 427's (bdb71d3e…) == the image I Read at M1:
 genuine PDS landing page (Bluesky ASCII butterfly, "AT Protocol Personal Data Server",
 /xrpc/ pointer, upstream links), **no credentials**. Deterministic, real.
 ### 3. Level under new semantics + baseline reconciled ✔
 level=5 under the de-capped ladder (upgrade=skip climbs; only fail/unver block). Old Phase-2
 baseline ("full lifecycle green", e45e0ee, pre-results era) is genuinely unreproducible —
 the moving-tag republish broke ALL published recipe versions; the PR restores deployability.
 Reconciliation recorded in the DEFERRED closure + the M2 claim. Independently corroborated:
 **0.5.x has NO release tag** (upstream git: 0 `0.5.x` tags, highest v0.4.219 + anomalous
 v0.4.5001; ghcr `0.5.0/0.5.1/v0.5.1` all absent) — so an exact-version pin REQUIRES 0.4.x.
 This fully resolves the §2.2 "prefer upgrade" scrutiny: re-pinning to 0.4.219 (newest exact)
 is not "old over new" — there is no exact 0.5.x tag to upgrade to; 0.5.x lives only on the
 moving tag the recipe must never pin. Justified.
 ### 4. DEFERRED entries closed with pointers ✔
 machine-docs/DEFERRED.md: ✅ RESOLVED @2026-06-11 (phase bsky). Explicitly closes BOTH the
 re-pin follow-up AND the rcust M2 baseline-exclusion note, with pointers to PR #2 / run 427 /
 negative control 423 / upstream registry / DECISIONS. Original entry preserved (append-only).
 ### 5. Operator summary ✔
 STATUS-bsky "Operator summary": crisp + complete — what was wrong (moving tag → index.ts vs
 recipe's index.js; broke both published versions), what the PR changes (2-line re-pin
 0.4.219 + label bump; why not 0.5.1 = no release tag + entrypoint migration), and a 5-step
 post-merge runbook (merge → publish version → drop EXPECTED_NA + set
 UPGRADE_BASE_VERSION="0.3.0+v0.4.219" → no canonical to reseed → never re-pin :0.4).
 Corroborated: ci-warm has NO bluesky entry (only custom-html/keycloak/traefik) → "nothing to
 reseed" is true.
 ### 6. PR left OPEN ✔
 PR #2 head f7b6c8df, state=open, merged=**false** (re-confirmed at re-trigger). The phase is
 done WITH the PR open — merging is the operator's, post-merge reseeding documented not done.
 **M2 PASS. No VETO.** Both M1 (@369f4f4) and M2 are fresh Adversary PASSes; no gate
 weakening, no secret leak, screenshot real, PR unmerged. The Builder is cleared to write
 `## DONE` to STATUS-bsky.md. (Post-verdict I will consult JOURNAL/DECISIONS only to
 contextualise — it does not change this verdict.)
 ### Post-verdict consult (does NOT change the verdict)
 Read DECISIONS.md bsky entries after writing M2 PASS. Fully consistent: pin-choice entry
 REJECTS 0.5.1 (no release tag + index.ts migration) AND digest-suffix pinning (abra
 survey/upgrade tooling chokes on `tag@digest`) → exact-version tag 0.4.219 chosen (satisfies
 plan §2.2 "digest-pinned OR exact-version tag"). EXPECTED_NA entry matches the harness
 behaviour I verified. No contradiction, no new finding.
--- a/machine-docs/REVIEW-canon.md
+++ b/machine-docs/REVIEW-canon.md
@ -0,0 +1,637 @@
 # REVIEW-canon — Adversary verdicts for the `canon` (canonical-sweep) phase
 SSOT for what is being verified: `/srv/cc-ci/cc-ci-plan/plan-phase-canon-canonical-sweep.md`.
 Gates: **M1** (machinery works locally, each piece proven) and **M2** (proven end-to-end in real CI),
 plus the operator-required **samever-orthogonality** proof. `## DONE` only after fresh PASS on both.
 ---
 ## Orientation @ 2026-06-17T06:18Z — Adversary online for canon phase; no gate claimed yet
 Prior phase `samever` is DONE + Adversary-verified (M1 1310a95, M2 199f5b6, no VETO). The `canon`
 phase has **not** been bootstrapped by the Builder yet: no STATUS-canon.md / BACKLOG-canon.md, no
 `claim(`/`status(canon` commits, no inbox. I am idling per liveness protocol and will verify promptly
 when M1 is CLAIMED (watchdog will ping on the claim).
 ### Independent COLD baseline of the claimed starting state (§1) — captured before any canon work
 Verified from my own clone + a cold `ssh cc-ci`, NOT from the Builder:
 - **Enrollment:** exactly **one** recipe sets `WARM_CANONICAL = True` → `custom-html`. (`grep -rl
  'WARM_CANONICAL *= *True' tests/*/recipe_meta.py` → 1 hit.) Matches §1 "only custom-html enrolled".
 - **canonical.json records on cc-ci:** exactly **one**, for `custom-html`:
  `/var/lib/ci-warm/custom-html/canonical.json` =
  `{recipe: custom-html, version: 1.13.0+1.31.1, commit: 2b82ebabde74a9d9b1fd4cb49722a7037b18a176,
  status: idle, ts: 20260617T050314Z}`, retained volume `warm-custom-html_..._content` present.
  - **NOTE — plan §1 is now slightly stale.** The plan (authored 04:43Z) says "ZERO canonical.json
    records exist." That was true at authoring, but the just-completed **samever M2** e2e
    (custom-html two-run) wrote this record at **05:03:14Z**. So there is now exactly one canonical,
    produced by samever's promote path. This is *favorable* evidence for canon M1(A) — the promote
    path already demonstrably writes a real, reusable record + retains the volume for custom-html —
    but the Builder must NOT cite custom-html's pre-existing canonical as proof of canon's *new*
    work (tagged-gate, trigger, all-enrolled, mirror-sync). I will require fresh, canon-attributable
    evidence for each M1/M2 sub-claim.
 - **Timer:** `nightly-sweep.timer` enabled+active, daily `OnCalendar` (NEXT 2026-06-18 03:00:24 UTC),
  last fired 2026-06-17 03:09:20 UTC exit 0. So the timer plumbing works; the job was a near-no-op
  (only custom-html enrolled). Phase must (F) move this to **weekly** and (M2) prove a real fire
  advances canonicals, not exit-0 on an empty set.
 ### What I will adversarially probe when claimed (from the plan, not the Builder's narrative)
 - M1(A): a canon-attributable green cold run writes canonical.json AND `--quick` warm-reattach reuses
  it; promote now ALSO requires a **release tag** — feed an UNTAGGED state, confirm NO promote.
 - M1(C): mirror-sync is *faithful upstream sync only* — never pushes our changes to mirror `main`,
  never disturbs unrelated PRs. Will diff before/after on a mirror.
 - M1(D): trigger keyed on **latest release tag vs canonical version**, NOT commit — new untagged
  commits on `main` with same tag ⇒ SKIP; newer tag ⇒ run cold on that tag.
 - M1(B): all ~21 recipes enrolled; warm-volume disk budget recorded (not silently dropped).
 - M2: full sweep promotes greens / leaves reds intact / skips unchanged; **run-twice ⇒ skip-all**
  determinism; real (non-hollow) timer fire; tagged-promote proof (untagged green ⇒ no promote).
 - samever orthogonality: (a) no-new-tag ⇒ SKIPPED; (b) new-tag ⇒ canonical(older)→new, real delta,
  promote; step-back NEVER fires in the sweep. Construct scenarios if the live set doesn't cover both.
 - §2.G: if plausible's canonical lands at 3.0.1, `UPGRADE_BASE_VERSION` retired cleanly (key +
  resolver branch + docs + tests) AND plausible still resolves base 3.0.1 dynamically + passes — else
  kept with a recorded DECISIONS reason. Will re-derive, not trust.
 - Guardrail: NO AI at runtime (pure script + timer).
 ## Pre-claim code read @ 2026-06-17T06:41Z — M1 still IN PROGRESS (M1.2 not yet committed)
 Builder has landed 4 of 5 M1 items (27e0628 M1.1, 136100f M1.3, f8c0e53 M1.4+M1.5). M1.2 (the
 release-tag trigger `sweep_decision` + mirror-sync wiring into `nightly_sweep.sweep()`) is **not yet
 committed** — M1 is correctly not-yet-claimed. Read the landed code (NOT JOURNAL); points to scrutinize
 when claimed:
 - **M1.1 (27e0628):** `should_promote_canonical` gained `tagged` param; caller computes
  `tagged = warm_reconcile.is_released_version(recipe, head_version)`. ⚠️ PROBE: the gate checks
  `head_version` (code under test) but `promote_canonical` records `latest_version(recipe_tags(recipe))`
  (newest tag). Confirm these can't diverge — e.g. a manual latest run where `main` sits on a tagged
  commit OLDER than `latest` tag would gate on the older tag yet promote the newer. In the sweep path
  (D) the tag is checked out so head==tag; verify the manual/`RECIPE=<r>` path too.
 - **M1.4 (f8c0e53):** root cause = sweep service ran the nix-STORE runner copy (no `tests/`) so
  `TESTS_DIR` missing → `enrolled_recipes()=[]`. Fix sets `CCCI_REPO=/etc/cc-ci` + `cd` + execs
  `$CCCI_REPO/runner/nightly_sweep.py`. ⚠️ PROBE at M2: confirm `/etc/cc-ci` actually exists on cc-ci,
  has runner/ AND tests/, and is git-pulled before nixos-rebuild (else still hollow). The fix also
  means sweep-logic ships via checkout pull, NOT a store rebuild — verify deploy procedure pulls it.
 - **M1.5 (f8c0e53):** `OnCalendar` daily → `Sun *-*-* 03:00:00`, Persistent kept. Trivial; verify the
  deployed timer shows the weekly schedule after M2.1 nixos-rebuild.
 - **M1.3 (136100f):** enroll all 21 — verify the count is exactly the `used-recipes.md` set and that
  fixtures (custom-html-*-bad, concurrency, regression) were NOT enrolled.
 - **Still owed for M1 claim:** M1.2 `sweep_decision(recipe, latest_tag, canon_version)` →
  run|skip:no-new-version|skip:never-released keyed on `version_key` NOT commit; mirror-sync via
  `open-recipe-pr.sh --reconcile-only` (faithful, vendored); cold-run ON THE TAG. Unit tests for all.
 ---
 ## M1: PASS @ 2026-06-17T07:12Z — machinery cold-verified (claim 626badd, code @ d4cc9e4)
 Verified from a COLD start: my own clone for code/pure-logic, a fresh independent clone on cc-ci
 (`/tmp/adv-canon` @ 626badd) for the unit suite, and a cold `ssh cc-ci` for live state. I did NOT
 read JOURNAL-canon.md before forming this verdict. Every M1 sub-claim re-derived against the plan,
 not the Builder's narrative.
 **M1.1 tagged-promote gate (§2.A) — PASS.**
 - Code: `should_promote_canonical` returns `is_enrolled and overall==0 and not quick and not ref and
  tagged`; caller computes `tagged = is_released_version(recipe, head_version)`; `promote_canonical`
  now records the TESTED `head_version` (commit d4cc9e4), not a re-derived `latest_version`. My prior
  PROBE (head_version-vs-latest_version divergence on a manual `RECIPE=<r>` run) is CLOSED by d4cc9e4
  — read the diff, it promotes exactly the tested version.
 - Unit: ran `tests/unit/test_promote.py` myself in the fresh cc-ci clone — all 6 pass, each gate
  clause individually exercised (`test_no_promote_when_untagged` asserts `tagged=False → False`;
  all-conditions asserts `tagged=True → True`). Not hollow.
 - Live PROMOTE: re-derived `git rev-list -n1 1.13.0+1.31.1` = `df2e27339f983a25da548fc8b8d56e9af8645f83`
  and `/var/lib/ci-warm/custom-html/canonical.json` records EXACTLY that commit + version
  `1.13.0+1.31.1`, status idle, retained volume `warm-custom-html_..._content` present. So the promote
  recorded the tag's own commit (correcting samever's earlier `2b82eba` merge-commit record) — the
  divergence fix is live-proven, not just unit-tested.
 - Live UNTAGGED → NO PROMOTE: independently confirmed `1.13.1+1.31.1` is `NOT-A-TAG` in the custom-html
  clone → `is_released_version` returns False → gate blocks. canonical.json is unchanged (still
  df2e273). The full live tagged-vs-untagged e2e is M2.4; at M1 the code + unit + live-not-a-tag +
  unchanged-canonical chain is sufficient.
 **M1.2 release-tag trigger + faithful mirror-sync (§2.C/§2.D) — PASS.**
 - `sweep_decision` re-derived directly (no pytest) — truth table exactly right and VERSION-keyed, not
  commit-keyed: new>canon→run; equal→skip no-new-version; older→skip; no tag→skip never-released; no
  canon→run(seed). The function takes only (latest_tag, canon_version) — it CANNOT see commits, so new
  untagged commits on `main` can never trigger a run. That IS the operator's refinement.
 - `scripts/recipe-mirror-sync.sh` read in full: pins an explicit coopcloud `upstream` remote, force-
  syncs mirror `main := upstream/main` + all tags, pushes NOTHING of our own. PR close is gated on
  `git merge-tree --write-tree NEW_MAIN_SHA <pr-head>` == upstream `MAIN_TREE` (i.e. the PR's merge is
  a no-op because it's already in upstream) → close; otherwise "left as-is". Faithful, never merges,
  never disturbs unrelated PRs.
 - `nightly_sweep.sweep()` wiring read: per enrolled recipe `mirror_sync → fetch_recipe →
  sweep_decision → run_on_tag` (checkout the release tag + `CCCI_SKIP_FETCH=1` so head IS the tag →
  tagged-gate passes; REF popped → cold → promote allowed). Pure script.
 **M1.3 all recipes enrolled (§2.B) — PASS.** My `grep -rl 'WARM_CANONICAL = True'` set is EXACTLY the
 21 `used-recipes.md` rows (incl. `uptime-kuma`, the lone `external` row — correctly enrolled for
 CI/canonical even though excluded from weekly upgrade). Fixtures (`custom-html-*-bad`, `concurrency`,
 `regression`) NOT enrolled.
 **M1.4 hollow-sweep fix — PASS (code; live is M2.1).** `nix/modules/nightly-sweep.nix` exports
 `CCCI_REPO=/etc/cc-ci`, `cd`s there, and execs `$CCCI_REPO/runner/nightly_sweep.py` — the checkout WITH
 `tests/`, replacing the store copy whose missing `tests/` caused `enrolled_recipes()=[]`. Root cause
 correctly addressed in code. ⚠️ CARRIED TO M2: `/etc/cc-ci` is currently STALE — `git -C /etc/cc-ci`
 HEAD is `e60415d` (Phase-3 era), canon code NOT yet there. M2.1 deploy MUST `git -C /etc/cc-ci pull`
 before `nixos-rebuild`, else the deployed timer stays hollow. I will verify the pull + a real fire at
 M2.5.
 **M1.5 weekly timer (§2.F) — PASS (code).** `OnCalendar = "Sun *-*-* 03:00:00"`, `Persistent = true`.
 Deployed-timer schedule verified at M2.
 **Guardrail NO-AI-at-runtime — PASS.** grep of `nightly_sweep.py` / `warm_reconcile.py` /
 `recipe-mirror-sync.sh` for anthropic|claude|openai|llm|gpt|ai_ → only one code COMMENT match, zero
 calls. Pure script + systemd timer.
 **Full unit suite — PASS.** Ran `cc-ci-run -m pytest tests/unit/` in the fresh independent cc-ci clone
@ 626badd → **295 passed in 5.60s**, matching the claim. Enrolling 21 recipes broke nothing.
 **Minor narrative note (not a defect):** the claim cites proof-A ts `065027Z` but live canonical ts is
 `065532Z`; promoting the same tag again yields the same version+commit (only ts moves), so this is a
 benign re-run, not a divergence — the recorded version/commit are correct either way.
 **Verdict: M1 PASS.** No VETO. All M1 DoD items cold-verified; the deployed-state items (M1.4 live,
 M1.5 timer schedule) are honestly scoped by the Builder to M2 and I will hold them there. (Consulted
 JOURNAL-canon.md only AFTER writing this verdict: no surprises — confirms the proof-A/C sequence.)
 ---
 ## Pre-claim observation @ 2026-06-17T07:23Z — M2.1 deploy verified live (NOT a gate verdict)
 Builder inbox: M1 PASS consumed; M2.1 deploy done; M2.2 full sweep started (long, serial, hours).
 M2 NOT yet claimed — no formal verdict here, just an opportunistic READ-ONLY check that resolves my
 two carried-to-M2 code-only probes (favorable; I'll still re-verify the live proofs at the M2 claim):
 - **/etc/cc-ci now at `3bdd5d1`** (current main; was stale `e60415d` Phase-3 era), with `tests/` +
  `runner/nightly_sweep.py` present → the deploy DID `git -C /etc/cc-ci pull`. My M1.4 "deploy must
  pull or stays hollow" risk is cleared.
 - **Deployed timer:** `systemctl cat nightly-sweep.timer` → `OnCalendar=Sun *-*-* 03:00:00`,
  `Persistent=true` (weekly, live). M1.5 deployed-schedule probe cleared.
 - **Deployed code path is the non-hollow one:** the in-flight sweep (PID 1620630) runs
  `nightly_sweep.sweep()` from `/etc/cc-ci/runner`, and `run_recipe_ci.py` runs from
  `/etc/cc-ci/runner/` — i.e. the checkout WITH `tests/`, not the store copy. Root cause fixed live.
 STILL OWED at the M2 claim (I will cold-verify, not trust the sweep log): canonicals actually promoted
 for greens / reds left intact / no-new-tag skipped (M2.2); run-twice→skip-all (M2.3); live tagged-vs-
 untagged (M2.4); real timer fire advances canonicals via full main() incl. roll (M2.5); samever never
 fires in-sweep (M2.6); disk budget recorded (M2.7); §2.G UPGRADE_BASE_VERSION retirement (M2.8).
 Staying read-only while the sweep is in flight (single node).
 ---
 ## Pre-claim finding @ 2026-06-17T08:40Z — M2.2 sweep: PASS-labelled but promotes mostly FAILING (evidence captured)
 NOT a verdict (M2 unclaimed). Read-only capture from `/root/canon-verify/_sweep.log` so the evidence
 survives log growth. Per-recipe promote outcomes observed (alphabetical sweep, ~7 recipes deep):
 - bluesky-pds: cold rc=0; `WC5 promote failed: abra app deploy warm-bluesky-pds… failed (1)` → NO canonical; logged `PASS (promoted)`.
 - cryptpad: cold rc=0; `canonical cryptpad advanced to known-good 0.6.0+v2026.5.1` → canonical WRITTEN. ✓ (the only real promote so far)
 - custom-html: SKIP no-new-version (pre-existing canonical). ✓ expected.
 - custom-html-tiny: cold rc=0; `WC5 promote failed: warm-custom-html-tiny… not healthy over HTTPS / (404)` → NO canonical; logged `PASS (promoted)`.
 - discourse: cold rc=142 (deploy timeout — the 51m wedge I flagged) → `FAIL (canonical unchanged)`. Legit red.
 - drone: cold rc=0; `WC5 promote failed: …warm-drone… timed out after 600 seconds` → NO canonical; logged `PASS (promoted)`.
 - ghost: cold rc=0; `WC5 promote failed: abra app new ghost… failed (1)` → NO canonical; logged `PASS (promoted)`.
 - gitea: promote in progress at capture.
 Live `/var/lib/ci-warm/*/canonical.json` = {cryptpad, custom-html} only. NET NEW this sweep = 1 (cryptpad).
 Leftover warm volumes w/ NO registry record: drone, gitea, custom-html-tiny (partial-promote residue).
 **DEFECT-1 [adversary] (results-label):** `nightly_sweep.sweep()` line ~119 sets
 `results[r] = "PASS (promoted)" if rc==0 else "FAIL …"`. Because `promote_canonical` is non-fatal
 (swallows its own exception so it "never fails a green run"), a FAILED promote still yields rc=0 →
 the summary asserts "PASS (promoted)" when NO canonical was written. The per-recipe results log — the
 DoD's evidence that "canonicals actually promoted for the green recipes" — is therefore UNTRUSTWORTHY.
 Repro: `grep "WC5 promote failed" _sweep.log` vs `grep "PASS (promoted)" _sweep.log` — failed promotes
 appear in BOTH. Fix direction: label from "does a canonical record now exist at the tested version",
 not from rc.
 **DEFECT-2 [adversary] (promote path failing broadly):** 4 of 5 completed promotes FAILED across 4
 modes (warm `app deploy` failed(1) / timed-out 600s / unhealthy-404 / `app new` failed(1)). Cold CI is
 green for each, so this is specifically the WARM-CANONICAL promote deploy failing — the exact
 end-to-end step this phase exists to make real. Root cause TBD (node contention on the long serial
 run / unclean cold-test teardown / discourse residue / flat 600s warm timeout) — Builder's to diagnose.
 **Determinism risk (M2.3):** every recipe left without a canonical (bluesky-pds, custom-html-tiny,
 drone, ghost, discourse…) will `sweep_decision(latest, None) → run` on a second sweep, NOT skip — so
 run-twice ≠ skip-all until promotes actually succeed. I will hard-test this at the M2 claim.
 Sent the Builder a BUILDER-INBOX heads-up (ba28a88). When M2 is claimed I will cold-verify, per recipe,
 that a canonical record exists at the tested tag version (not trust the PASS label), and re-run the
 determinism no-op myself. If promotes are still failing / mislabelled, M2 FAILs.
 ## Pre-claim note @ 2026-06-17T09:11Z — fix f94de22 validated by Builder; M2 re-run in flight (NOT a verdict)
 Consumed ADVERSARY-INBOX (Builder ~09:10Z): DEFECT-1/DEFECT-2 fix validated live — custom-html-tiny
 PROMOTED (1.2.0+2.43.0, was 404) and ghost PROMOTED (1.4.0+6.45.0-alpine, was app-new dirty-tree FATA);
 label now derives from "canonical record exists at tested version". 7 canonicals claimed (cryptpad,
 custom-html, custom-html-tiny, ghost, gitea, hedgedoc, immich). Full sweep re-run in flight. M2 unclaimed.
 Staying read-only off the node (sweep in flight, single node).
 **bluesky-pds "documented RED" — must scrutinise at M2 claim, two ways it could be wrong:**
 1. The conservative direction is CORRECT per guardrail (no force-promote; prior known-good kept). But I
   must confirm bluesky has NO stale/partial canonical written, and that it is recorded as an exception
   in DECISIONS (plan §2.B: "don't silently skip" / §4 "documented exception"), not just left silent.
 2. **The real risk:** Builder says warm health fails because traefik doesn't route the WARM domain
   (`warm-bluesky-pds…` → 000) though internal localhost:3000 = 200, and "cold domain worked." I must
   verify this is genuinely bluesky-SPECIFIC and not a warm-canonical-deploy machinery defect (warm
   domain label/overlay/router rule) that could equally hit other recipes — if the warm-domain routing
   is systemically flaky, a recipe could intermittently fail to promote (or, worse, a health probe could
   pass spuriously). At claim I will: (a) confirm OTHER promoted recipes (custom-html-tiny, ghost, immich)
   actually answered 200 over HTTPS on THEIR warm domains during promote (grep ready-probe lines), and
   (b) independently curl a couple of the live warm canonical domains. If warm-domain routing is broadly
   unreliable, the promote evidence is suspect and M2 is not done.
 ## Pre-claim observation @ 2026-06-17T09:34Z — read-only sweep-progress peek (NOT a verdict)
 Sweep re-run still in flight (proc 1712141 from `/etc/cc-ci/runner`); 7 canonicals on disk. Captured
 from `_sweep.log` so it survives log growth:
 - **DEFECT-1 fix is LIVE and honest:** `sweep: bluesky-pds rc=0 (GREEN-BUT-PROMOTE-FAILED
  (canonical=none, expected 0.3.0+v0.4.219))` — the label no longer claims `PASS (promoted)` on a
  failed promote. Favorable; I will still confirm the label matches the on-disk registry per recipe at
  claim before closing DEFECT-1.
 - `cryptpad / custom-html / custom-html-tiny` → `SKIP no-new-version` (latest tag == canonical). The
  skip path works for promoted recipes.
 - `discourse rc=143 → FAIL (red; canonical unchanged)` — legit red (timeout/SIGTERM), canonical kept.
 - **NEW — `sweep: mirror-sync drone rc=128 (non-fatal — continuing)`:** drone's faithful mirror-sync
  FAILED (git rc=128) yet the sweep proceeded to RUN drone against the un-synced mirror. SCRUTINISE at
  claim: plan §2.C requires the mirror be reconciled to upstream FIRST; a swallowed sync failure means
  the recipe may be tested against a stale mirror (wrong tags/version) — the trigger (D) and tagged
  promote then rest on un-synced state. Is rc=128 a benign "already up to date / no upstream" case or a
  real sync failure? Must check what drone's sync hit and whether the tested tag is genuinely upstream's.
 - **DETERMINISM (M2.3) — central risk crystallising:** bluesky-pds (promote-failed) and discourse (red)
  both end `canonical=none`, so a 2nd sweep → `sweep_decision(latest, None) → RUN`, NOT skip. Plan M2.3
  literally requires run-twice → "SKIPS every recipe." That can hold ONLY if every enrolled recipe
  actually promoted. Red/promote-failed recipes legitimately re-run (no known-good to protect) — which
  is arguably correct behaviour but is NOT "skip every recipe." At the M2 claim I will require the
  Builder's determinism evidence to honestly reconcile this with §3/§5: either (i) every recipe promotes
  so run-twice is a true no-op, or (ii) a reasoned, plan-consistent argument that the no-op property
  applies to the promoted set and red recipes correctly retry — and I'll judge it against the plan, not
  accept a partial skip-all relabelled as success.
 ## Pre-claim observation @ 2026-06-17T10:20Z — TWO concurrent sweeps (transient process state, captured)
 Read-only `ps` on cc-ci caught a non-serial condition while M2 is mid-development (NOT a verdict; M2
 unclaimed):
 - PID **1712141** = OLD sweep (started 09:10:40, code f94de22) — WEDGED: child PID 1720589
  (`run_recipe_ci.py`, started 09:33:58, alive ~46 min) is the drone cold-dep self-deadlock the
  lock-release fix (655a999) addresses. The old sweep process is still ALIVE, holding cold-test locks.
 - PID **1736506** = NEW sweep (started 10:16:27, code 655a999), already cold-testing recipe 1.
 So at 10:20Z two `nightly_sweep.sweep()` ran simultaneously. This violates §4 SERIAL and, more
 pointedly, **invalidates the documented precondition of `release_app_locks()`** ("serial sweep → no
 concurrent run relies on these locks") — the wedged old run still holds drone/gitea locks, so the two
 can collide. **Any M2 promote/determinism/log evidence from a sweep that overlapped the wedged one is
 non-serial and I will not accept it.** Canonical count is 8 (drone now promoted → lock-release fix
 works), so the fix itself is good; the issue is the leftover concurrent process. Sent BUILDER-INBOX
 asking the Builder to kill the wedged old sweep, confirm a clean single serial run, and regenerate M2
 evidence. **SCRUTINY CARRIED TO CLAIM:** confirm the claimed M2 sweep ran with exactly ONE sweep
 process and no overlap (check run start time vs old-sweep kill time); and verify `release_app_locks()`
 cannot free a lock still guarding a live app under any interleaving the in-flight guard permits.
 **Update @ 10:24Z:** Builder consumed the alert and acted correctly — SIGKILLed both sweeps + the
 wedged drone child, cleared stale `/run/lock/cc-ci-app-*.lock`, confirmed no leftover warm-*/dep stacks,
 **discarded drone's concurrency-tainted canonical** (promoted by a standalone validation at 10:06:45
 that overlapped the wedged old sweep), kept the 7 single-run canonicals, and relaunched ONE clean serial
 sweep (pid 1741209, code 655a999) as the M2.2 evidence run. Concurrency window was ~10:06–10:24 (old
 sweep 1712141 alive 09:10→killed 10:24). **CARRIED TO CLAIM:** independently confirm each of the 7 kept
 canonicals (cryptpad, custom-html, custom-html-tiny, ghost, gitea, hedgedoc, immich) has a ts OUTSIDE
 the concurrency window and was produced single-run — do NOT take the Builder's accounting on faith;
 check `canonical.json` ts per recipe vs the 09:10–10:24 overlap. And confirm the claimed sweep (1741209)
 ran start→finish with no second sweep process alive.
 ## Pre-claim observation @ 2026-06-17T10:47Z — clean serial sweep progress (NOT a verdict)
 ONE sweep proc confirmed (serial intact). Transient `_sweep.log` lines captured before rotation:
 - **CONCERN — `drone rc=0 GREEN-BUT-PROMOTE-FAILED (canonical=none, expected 1.9.0+2.26.0)` in the
  CLEAN serial run.** Drone promoted under the discarded tainted validation but FAILS to promote
  clean-serial — and it no longer hangs (returns cleanly), so the lock-release fix (655a999) cured the
  46-min deadlock but drone's warm promote still fails for a DIFFERENT reason (likely warm gitea-dep
  provisioning or warm deploy/health). Net: the lock fix is necessary-but-not-sufficient for drone;
  drone will lack a canonical → hits both promote-evidence and determinism (run-twice) at the claim.
  Builder will see it in their own running log; their diagnose. I'll require drone to either promote
  clean or be a recorded DECISIONS exception (like bluesky) at claim — a silent no-canonical is not OK.
 - **FAVORABLE — `gitea RUN — new release 3.6.0+1.24.2-rootless > canonical 3.5.3+1.24.2-rootless;
  cold-testing tagged release 3.6.0…`** — a LIVE instance of the new-release-tag trigger advancing an
  existing canonical (older→newer TAGGED), i.e. exactly the M2.6 samever-orthogonality path (2):
  canonical(older)→new tagged, real delta, promote-if-green. If gitea promotes to 3.6.0 this is strong
  M2.6 evidence (no constructed scenario needed). VERIFY AT CLAIM: gitea's canonical advances 3.5.3→3.6.0
  with the new tag's own commit, and samever's same-version step-back NEVER fired in the run (the tag
  trigger guarantees vX→vY, Y>X, so no vX→vX). Watch that gitea actually promotes (not GREEN-BUT-FAILED).
 - SKIPs (cryptpad/custom-html/custom-html-tiny/ghost = no-new-version) and discourse rc=143 red:
  consistent with prior runs.
 ## Pre-claim note @ 2026-06-17T10:59Z — two more Builder fixes; M2-evidence-sweep recency criterion
 Builder landed ca89d44 (promote clears stale warm-stack on FRESH SEED only — fixes the failed-promote
 secret residue, e.g. drone's gitea `client_secret_v1` blocking `abra app secret insert` on retry;
 correctly does NOT teardown when a canonical exists → retained volume safe) and d072d7e (de-enroll
 keycloak — structural collision with the live-warm OIDC provider on `warm-keycloak.ci...`; thorough
 DECISIONS entry; enrolled now 20 + 1 documented exception). Both reasonable. The residue fix is the
 likely root cause of the clean-serial drone promote-fail I flagged.
 **M2-EVIDENCE RECENCY CRITERION (new, checkable):** the in-flight sweep pid 1741209 launched ~10:16 —
 BEFORE ca89d44 (10:51) and d072d7e (10:54) — so its parent-process enrolled set still includes keycloak
 and its sweep logic predates the residue fix (only per-recipe run_recipe_ci.py picks up new code if
 /etc/cc-ci is pulled mid-run; nightly_sweep.sweep()'s enrolled list + decisioning is fixed at launch).
 Therefore the authoritative M2.2 sweep I accept MUST be one launched with /etc/cc-ci at a HEAD that
 contains BOTH fixes, enrolled=20 (keycloak absent), single serial proc. At claim: check the evidence
 sweep's launch time vs these commit times, and confirm drone now PROMOTES (residue fix) or is a recorded
 exception. Also verify ca89d44's fresh-seed teardown can't nuke a shared/retained volume (guarded by
 `if not read_registry(recipe)` — only when no canonical exists, so nothing known-good to lose; confirm).
 ## Pre-claim verification @ 2026-06-17T11:12Z — fresh-seed-teardown × live-keycloak footgun: MITIGATED
 Identified a real footgun in ca89d44: the fresh-seed branch does `teardown_app(canonical_domain(recipe))`
 for any enrolled recipe lacking a canonical. For keycloak, `canonical_domain` == the LIVE shared OIDC
 provider domain `warm-keycloak.ci...` — so a fresh-seed keycloak promote would have TORN DOWN the live
 provider that lasuite-*/drone depend on. The de-enroll (d072d7e) is precisely what prevents this.
 INDEPENDENTLY VERIFIED (read-only, my own checks, not Builder's word):
 - At HEAD: `tests/keycloak/recipe_meta.py` → `WARM_CANONICAL = False`; `canonical.enrolled_recipes()` =
  **20, keycloak NOT in set** → the post-fix sweep never runs the fresh-seed teardown against keycloak.
 - Live `https://warm-keycloak.ci.commoninternet.net/realms/master` → **200**; services
  `warm-keycloak_..._app` + `_db` both **1/1** → the pre-fix sweep 1741209's keycloak promote attempt
  (old promote, no teardown) did NOT disrupt the live provider. Healthy.
 Conclusion: footgun is structurally mitigated AND live-confirmed unharmed — favorable. STILL CARRY TO
 CLAIM: confirm NO OTHER enrolled recipe's `canonical_domain` collides with a live/shared service (so the
 fresh-seed teardown only ever hits a disposable warm-<recipe> stack), and that the final sweep's keycloak
 absence holds at the sweep's launch HEAD.
 ## Pre-claim observation @ 2026-06-17T11:23Z — pre-fix sweep FINISHED (0 procs); 15 canonicals
 Final tail of the pre-fix serial sweep (1741209): n8n PASS(3.4.0+2.23.2), plausible
 PASS(3.1.0+v2.0.0), uptime-kuma PASS(3.1.0+2.4.0); **mumble rc=1 FAIL (red; canonical unchanged)**.
 Canonical count = 15. Two new claim-scrutiny points:
 - **mumble — NEW red (rc=1, not a timeout), not previously documented.** Before M2 it must be either
  fixed (promotes clean) or recorded as a DECISIONS exception with a reason — a silent no-canonical is
  not acceptable (same bar I'm holding bluesky/discourse/drone to). Watch for the diagnosis.
 - **plausible promoted at `3.1.0+v2.0.0`, NOT the `3.0.1` the plan §2.G anticipated.** The §2.8
  UPGRADE_BASE_VERSION retirement reasoning ("canonical at 3.0.1 → dynamic base resolves 3.0.1 → pin
  redundant, drop the broken 3.0.0") must be RE-DERIVED against the actual canonical 3.1.0+v2.0.0: at
  claim verify that with plausible's real canonical, the dynamic upgrade base resolves to a correct
  green release (NOT the broken 3.0.0 clickhouse-404 base) and plausible's upgrade tier passes — only
  then is dropping the pin safe. If not, the pin stays with a recorded reason (§2.G GATE).
 Builder's plan next: deploy fixes to /etc/cc-ci, re-promote drone (fresh-seed fix) + retry gitea 3.6.0,
 then launch the FINAL authoritative sweep = the M2.2 evidence (postdates ca89d44+d072d7e, enrolled=20).
 ## Pre-claim @ 2026-06-17T11:35Z — FINAL authoritative sweep launched; recency criterion MET (confirmed)
 Builder launched the authoritative M2.2 sweep (pid 1960362, ~11:26Z) from `/etc/cc-ci @ 12acf94`. I
 INDEPENDENTLY confirmed `git merge-base --is-ancestor`: **ca89d44 (residue) AND d072d7e (keycloak) are
 both ancestors of 12acf94** → the evidence sweep postdates both fixes, enrolled=20, single serial.
 My M2-evidence recency criterion is satisfied — this run is the legitimate M2.2 evidence. (Still verify
 at claim: it ran start→finish with no second sweep proc.)
 **Red diagnoses to verify at claim (Builder posture = "red test is information, never weakened" — correct):**
 - discourse: upstream 0.8.1 compose invalid (`sidekiq` → undefined service `discourse`). VERIFY: it's a
  genuine upstream defect (re-read the compose), not our overlay; canonical unchanged.
 - mattermost-lts: `test_restore.py::test_restore_returns_state` FAILED at latest. VERIFY: the test is
  unmodified (git-blame the test vs main; not weakened/xfail'd to dodge), failure is real.
 - mumble: `custom/test_protocol_handshake.py::test_handshake_completes_with_channel_presence` FAILED.
  VERIFY: test unmodified, real failure.
 - bluesky-pds: cold green, warm-promote health 000 (traefik doesn't route warm domain; PDS 200 on
  localhost:3000). VERIFY recipe-specific (not machinery): confirm other promoted recipes DID answer 200
  over HTTPS on their warm domains (already favorable — 15 promoted healthy).
 ALL FOUR must be recorded as DECISIONS exceptions with reasons (not silent no-canonicals) before M2.
 Expected from this sweep: ~14 SKIP (determinism), drone PROMOTES (residue fix), gitea 3.5.3→3.6.0 advance.
 ## Pre-claim findings @ 2026-06-17T11:58Z — final sweep crux outcomes (drone ✓, gitea advance ✗)
 Cold-read from cc-ci (raw canonical.json, my own check). 16 canonical recipes on disk: cryptpad,
 custom-html, custom-html-tiny, drone, ghost, gitea, hedgedoc, immich, lasuite-{docs,drive,meet}, mailu,
 matrix-synapse, n8n, plausible, uptime-kuma. 16 promoted + 4 documented reds (discourse, mattermost-lts,
 mumble, bluesky-pds) = 20 enrolled. Clean accounting.
 - **drone — PROMOTED CLEAN ✓ (favorable, DEFECT-2 closing evidence).** `/var/lib/ci-warm/drone/
  canonical.json` = `{version 1.9.0+2.26.0, commit 91b27ceb…, status idle, ts 20260617T115046Z}` —
  fresh, from THIS final post-fix sweep; log `sweep: drone rc=0 (PASS (promoted 1.9.0+2.26.0))`. The
  fresh-seed-teardown residue fix (ca89d44) resolved the once-failed-promote secret residue. (At the
  formal claim I'll re-derive that commit == the 1.9.0+2.26.0 tag's commit, and confirm warm reattach.)
 - **gitea — ADVANCE FAILED AGAIN ✗ (CLAIM-BLOCKER for M2.6 + M2.3).** Log: `sweep: gitea RUN — new
  release 3.6.0+1.24.2-rootless > canonical 3.5.3+1.24.2-rootless … rc=0 (GREEN-BUT-PROMOTE-FAILED
  (canonical=3.5.3…, expected 3.6.0…))`. canonical.json still `3.5.3+1.24.2-rootless` (ts 083930Z, OLD)
  — known-good correctly PRESERVED on the failed advance, but the advance did NOT happen. Impact:
  1. **M2.6 not demonstrated:** gitea was the live new-tag→`canonical(older)→new` advance proof. The
     trigger fired (RUN on the newer tag) and old-known-good was kept, but a SUCCESSFUL promote to the
     new tagged version — which §3/§5 M2.6 requires — did not occur. Needs a real fix or the plan's
     alternative (construct custom-html older→new).
  2. **M2.3 determinism dirtied:** on a 2nd sweep `sweep_decision(gitea, 3.6.0, 3.5.3) → RUN`, so gitea
     re-runs — and it is NOT a genuine red (cold test is GREEN; only the warm advance promote times
     out ~600s). So it is NOT covered by "reds correctly retry"; it is a green recipe whose promote
     deterministically fails, which both wastes a CI rerun AND breaks "run-twice → skip-all". A plain
     retry won't fix a deterministic timeout — needs the warm-advance timeout raised / the in-place
     version-bump deploy diagnosed, OR gitea documented like the reds (but it's green, so that's weaker).
  Sending the Builder a heads-up so they don't claim M2 with this open.
 **Sweep completion @ 12:00:03Z:** authoritative sweep `=== M2.2 FULL SWEEP done rc=0
 2026-06-17T12:00:03Z ===` (ran 11:25:57→12:00:03, ~34m; node idle after, no sweep/run procs). Determinism
 preview already visible IN this run: n8n/plausible/uptime-kuma/immich/lasuite-*/mailu/matrix-synapse all
 `SKIP no-new-version` = the just-promoted recipes correctly skip. Builder consumed my gitea heads-up
 (9303359: "gitea 3.6.0 advance — fixing; drone promoted clean"). Awaiting gitea fix + M2.3/M2.5/M2.6/
 M2.7/M2.8 proofs before any M2 claim.
 ## Pre-claim assessment @ 2026-06-17T12:21Z — gitea-exception diagnosis + M2.3 reframing (my acceptance bar)
 Builder landed bdc2ec4 (DECISIONS): gitea 3.6.0 warm-advance documented as a RECIPE issue + an M2.3
 determinism reframing. My standard for accepting these at the M2 claim:
 **gitea 3.6.0 exception — diagnosis plausible; two things I will independently verify (not take on faith):**
 - Builder's isolation claim is the right shape: the warm-ADVANCE machinery is proven via a CONSTRUCTED
  custom-html older→new advance (M2.6), so gitea's failure is gitea-specific not machinery. VERIFY the
  custom-html advance ACTUALLY promoted (canonical advanced old→new, healthy) — that's load-bearing.
 - The gitea crash is `JWT Secret … app.ini: read-only file system`. Cold FRESH 3.6.0 passes; warm
  reattach-advance crashes. VERIFY this is genuinely a gitea-3.6.0/rootless-config + retained-volume
  interaction (e.g. pre-existing 3.5.3 app.ini / rootless-UID), NOT our warm-promote mounting app.ini
  read-only. If OUR machinery makes app.ini read-only (cold doesn't, warm does), it's a MACHINERY defect
  mislabeled as a recipe issue — that would NOT be an acceptable exception and would fail M1(A)/M2.
  Check: how does the warm advance mount/derive app.ini vs the cold install for gitea.
 - gitea correctly KEEPS 3.5.3 (never promote unhealthy) — good; confirm 3.5.3 record + volume intact.
 **M2.3 reframing — ACCEPTABLE ONLY IF rigorously demonstrated + flagged as a DoD deviation.** Plan
 §3/§5 LITERALLY say run-twice → "SKIPS every recipe … clean no-op". That ideal assumed all-promote;
 reality = 15 promoted-at-latest + 5 that can't (4 genuine/documented reds + gitea recipe-bug). Builder's
 operative property = "no promoted-at-latest recipe re-runs; reds + gitea correctly retry." This is
 plan-consistent in SPIRIT (the no-op's purpose is no needless re-test of good-current recipes) and the
 plan forbids weakening tests to force promotes — so the literal ideal is unachievable honestly. I will
 ACCEPT it IFF: (i) an actual immediate 2nd sweep shows EXACTLY the 15 promoted-at-latest SKIP (no CI
 rerun) and ONLY the documented exceptions (gitea + 4 reds) RUN — I will re-run/inspect this myself, not
 trust a summary; (ii) every re-running recipe has a recorded DECISIONS reason; (iii) it is explicitly
 noted as a deviation from the literal "skip every recipe" so the operator sees it. If a promoted-at-
 latest recipe needlessly re-runs, or an undocumented recipe re-runs, M2.3 FAILs. NOT a veto now — this
 is the bar I'll hold at the claim.
 ## Pre-claim pre-verification @ 2026-06-17T12:34Z — §2.G strip (M2.8) favorable; M2.5 bash-fix needs redeploy
 - **§2.G UPGRADE_BASE_VERSION retirement (f611dda, 83c183d) — code-level strip CONFIRMED complete.**
  `grep -rn UPGRADE_BASE_VERSION` (excl. machine-docs) → only EXPLANATORY comments/docs remain (testing.md,
  plausible/bluesky-pds/discourse meta comments, test_meta + test_upgrade_base comments, the resolver
  removal comment at run_recipe_ci.py:132) — NO live key/branch. plausible's pin gone (meta comment:
  dynamic base STEPS BACK to newest-published-strictly-older-than-3.1.0 = 3.0.1+v2.0.0 = the correct base,
  avoiding broken 3.0.0); meta KEYS 15→14 (test_meta.py); bluesky-pds comment now points to dynamic base.
  AT CLAIM: run the full unit suite (test_meta/test_upgrade_base green post-strip) + confirm plausible's
  UPGRADE tier actually resolves base 3.0.1+v2.0.0 dynamically AND passes (Builder claims "verified
  dynamic-base green" — re-run it myself). §2.G GATE (keep-if-broken) does NOT apply since plausible works.
 - **M2.5 real timer fire — IN PROGRESS, caught a real bug.** cebd293: the actual timer fire revealed the
  deployed nightly-sweep service was MISSING `bash` in nix runtimeInputs (a manual run wouldn't catch it —
  exactly why "real fire, not manual" is the DoD). Fix adds bash. NOTE: this is a nix module change →
  requires `git -C /etc/cc-ci pull` + `nixos-rebuild switch` to deploy, THEN a fresh real timer fire that
  ADVANCES ≥1 canonical (non-hollow). AT CLAIM: confirm the fix is deployed AND a post-fix real fire
  (systemctl start nightly-sweep.service or the timer) ran the non-hollow job to completion with evidence
  (a canonical ts moved / log shows the 20-recipe sweep), not exit-0 on empty.
 ## Pre-claim @ 2026-06-17T13:09Z — DEFECT-3 fix (env parity) landed; assessment + verify-at-claim
 Builder consumed DEFECT-3 and fixed it (2c61f2f): nightly-sweep.nix now prepends the host system PATH
 `/run/current-system/sw/bin:/run/wrappers/bin` so the timer sweep runs recipes in the SAME env as
 Drone's exec runner — one change for git-lfs/bash/openssl/etc. parity (vs enumerating runtimeInputs).
 Right fix in principle (the sweep SHOULD validate exactly as Drone CI does). nix module change → needs
 nixos-rebuild + a fresh real timer fire = the production-env M2.2/M2.5 evidence. DEFECT-3 stays OPEN
 until that re-fire. Verify at claim:
 - PARITY IS REAL not asserted: `ssh cc-ci 'ls /run/current-system/sw/bin/git-lfs; systemctl cat
  drone-runner-exec* | grep -i PATH'` — git-lfs present there AND Drone actually uses that PATH.
 - Re-fire flips gitea back to COLD-GREEN (custom/lfs passes) then hits the documented app.ini
  warm-advance exception (rc=0 GREEN-BUT-PROMOTE-FAILED) — restoring "cold green, advance-only" IN
  production, validating that exception framing. If gitea still reds at custom, parity isn't achieved.
 - Re-fire re-validates the promoted set under production env: the 15 promoted-at-latest SKIP, custom-html
  (now advanced to 1.13.0) SKIPs, 4 reds red, no NEW promote failures surface that the manual env hid.
 - Determinism unaffected: host system PATH is stable per nixos generation; matches Drone → correct
  comparison, not a non-determinism source.
 Favorable already-demonstrated (this fire): custom-html 1.11.0→1.13.0 advance PASS = constructed M2.6
 older→new advance + a real non-hollow timer promotion. M2 still correctly UNCLAIMED.
 ## Pre-claim observation @ 2026-06-17T14:30Z — DEFECT-3 parity REAL + live timer re-fire re-validating (NOT a verdict)
 A POST-parity-fix real timer fire is in flight: `nightly-sweep.service` active since **13:01:01 UTC**
 (`Invocation b184fde4…`, PID 2149231), single serial proc (no second sweep/run_recipe_ci on cc-ci).
 Captured from journalctl (production env, survives log rotation) + read-only config checks. This is the
 DEFECT-3 re-validation run I said the defect stays OPEN until. Cold checks, my own, not the Builder's word:
 - **PARITY IS REAL (my verify-at-claim criterion #1 — MET).** `nightly-sweep` ExecStart wrapper line 17:
  `export PATH="/run/current-system/sw/bin:/run/wrappers/bin:$PATH"` — host system PATH prepended,
  **byte-for-byte matching** Drone's `drone-runner-exec.service` `Environment="PATH=/run/current-system/
  sw/bin:/run/wrappers/bin"`. `git-lfs` present at `/run/current-system/sw/bin/git-lfs` → git-lfs-3.6.1.
  `/etc/cc-ci` HEAD = 2c61f2f (parity fix is the deployed runner code; `merge-base --is-ancestor` ✓). So
  parity is structural + deployed, not asserted.
 - **gitea flips COLD-GREEN under production env (criterion #2 — MET behaviorally).** In THIS timer fire:
  `tests/gitea/custom/test_lfs_roundtrip.py::test_lfs_roundtrip PASSED` (the exact test DEFECT-3 reded on
  the missing-git-lfs fire). gitea then `RUN — new release 3.6.0 > canonical 3.5.3` and is processing the
  advance now — expected to land on the documented app.ini warm-advance exception (GREEN-BUT-PROMOTE-FAILED),
  i.e. "cold green, advance-only-fails," restoring the documented framing in production. DEFECT-3 git-lfs
  gap is behaviorally closed in the production timer env.
 - **Promoted set re-validates under production env (criterion #3 — favorable so far):** custom-html
  `RUN — new release 1.13.0 > canonical 1.11.0 → PASS (promoted 1.13.0+1.31.1)` (a REAL non-hollow timer
  promote/advance); and the promoted-at-latest recipes SKIP `no-new-version` (cryptpad, custom-html-tiny,
  drone[1.9.0], ghost, immich, lasuite-{docs,drive,meet}, mailu, matrix-synapse, n8n, plausible,
  uptime-kuma) — live determinism preview INSIDE the production fire. Reds so far: discourse rc=142
  (timeout), mattermost-lts rc=1, mumble rc=1, bluesky-pds GREEN-BUT-PROMOTE-FAILED — all the documented
  exceptions, no NEW promote failures the manual env hid.
 - **Determinism source check (criterion #4 — MET):** host system PATH is fixed per nixos generation and
  equals Drone's → a stable, correct comparison env, not a non-determinism vector.
 This is strongly favorable toward closing DEFECT-3 and the production-env M2.2/M2.5 evidence, BUT M2 is
 still correctly UNCLAIMED and the fire is mid-gitea (not finished). I will NOT close DEFECT-3 or accept
 M2 until: (a) this fire completes start→finish single-serial with the final per-recipe summary; (b) I
 re-derive each promoted canonical's commit==tag-commit and a warm reattach; (c) the gitea app.ini
 exception, discourse/mattermost/mumble reds, and bluesky warm-routing exception are all recorded in
 DECISIONS (not silent no-canonicals); (d) the formal M2 claim arrives in STATUS with WHAT/HOW/EXPECTED.
 Staying read-only off the node while the sweep is in flight (single node).
 **Update @ 2026-06-17T14:39Z — production-env timer fire COMPLETED cleanly (still NOT a verdict).**
 `nightly-sweep.service` finished **14:37:22 UTC**, `Result=success`, `ExecMainStatus=0`, single serial
 (no leftover sweep/run_recipe_ci procs). Final per-recipe summary (journalctl, my own read):
 - **custom-html: PASS (promoted 1.13.0+1.31.1)** — a REAL non-hollow timer advance 1.11.0→1.13.0 in
  production env (M2.5 real-fire + M2.6 constructed older→new advance, both in one live timer fire).
 - **14 SKIP no-new-version** (cryptpad, custom-html-tiny, drone, ghost, hedgedoc, immich, lasuite-{docs,
  drive,meet}, mailu, matrix-synapse, n8n, plausible, uptime-kuma) — live determinism: promoted-at-latest
  recipes correctly no-op in the production fire.
 - **6 documented exceptions:** gitea GREEN-BUT-PROMOTE-FAILED (cold-green via lfs PASS; app.ini warm-advance
  exception, 3.5.3 kept); bluesky-pds GREEN-BUT-PROMOTE-FAILED (warm-routing); discourse/mattermost-lts/
  mumble red (canonical unchanged). No NEW promote failures the manual env masked.
 This resolves the "won't close DEFECT-3 until the fire completes" condition: the fire DID complete cleanly
 under real Drone-parity env. I am NOT yet closing DEFECT-3 or accepting M2 — that happens at the formal M2
 claim, where I will cold re-derive each promoted canonical's commit==tag-commit + a warm reattach, confirm
 all 6 exceptions are recorded in DECISIONS, and re-run/inspect determinism myself. DEFECT-3 stays OPEN
 (narrowly: pending the claim-time confirmation), but its production re-validation is now favorable.
 ---
 ## M2: PASS @ 2026-06-17T16:14Z — canonical sweep proven end-to-end (claim a4f1df4; DEFECT-3 CLOSED)
 Verified from a COLD start: fresh independent clone on cc-ci (`/tmp/adv-m2` @ deployed HEAD `2c61f2f`),
 cold `ssh cc-ci` for live state/journald, and my OWN re-runs (unit suite, resolver calls, a live
 `--quick` warm reattach). I did NOT read JOURNAL-canon.md before this verdict. Every M2 sub-claim and
 every carried scrutiny point re-derived against the plan + observable behaviour, not the Builder's word.
 **M2.1 deploy + DEFECT-3 parity — PASS.** Deployed `/etc/cc-ci` HEAD `2c61f2f` (parity fix) is current —
 `git diff --stat 2c61f2f origin/main -- runner/ tests/ nix/ scripts/` is EMPTY (the gap to Builder HEAD
 009bc60 is docs/status only, no undeployed code). `nightly-sweep` ExecStart wrapper line 17
 `export PATH="/run/current-system/sw/bin:/run/wrappers/bin:$PATH"` BYTE-MATCHES `drone-runner-exec.service`
 `Environment="PATH=/run/current-system/sw/bin:/run/wrappers/bin"`; `git-lfs` present at
 `/run/current-system/sw/bin/git-lfs`. Weekly timer `OnCalendar=Sun *-*-* 03:00:00`, Persistent. **DEFECT-3
 CLOSED:** behaviorally proven in the production timer fire — `tests/gitea/custom/test_lfs_roundtrip.py::
 test_lfs_roundtrip PASSED` (the exact test that reded on the missing-git-lfs fire); gitea flips cold-green
 under the real Drone-parity env.
 **M2.2 + M2.5 real (non-hollow) timer fire — PASS.** `nightly-sweep.service` fired by real systemd: active
 13:01:01Z → completed **14:37:22Z, Result=success, ExecMainStatus=0, single serial** (no 2nd sweep/
 run_recipe_ci proc — confirmed across my polls). Non-hollow: enrolled=20, ADVANCED custom-html 1.11.0→
 1.13.0 (the prior hollow timer logged `enrolled canonicals=[]`). **All 16 canonicals re-derived: every
 `canonical.json` commit == the tested release tag's commit** (`git -C ~/.abra/recipes/<r> rev-list -n1
 <version>` == recorded commit) — cryptpad, custom-html(1.13.0+1.31.1/df2e273), custom-html-tiny, drone,
 ghost, gitea(3.5.3, known-good kept), hedgedoc, immich, lasuite-{docs,drive,meet}, mailu, matrix-synapse,
 n8n, plausible(3.1.0+v2.0.0/13458fac), uptime-kuma — all OK, no arbitrary-commit canonical. Timestamps
 07:22→13:15Z; none fall in the 09:10–10:24Z concurrency window I flagged (drone correctly re-promoted
 11:50, the tainted 10:06 one discarded). Reds left intact (discourse/mattermost-lts/mumble no canonical;
 bluesky no canonical; gitea kept 3.5.3) — never force-promoted.
 **M2.3 determinism (run-twice) — PASS (operative no-op).** The clean serial 2nd sweep launched **14:41:16Z**
 (AFTER the 1st fire ended 14:37:22Z → NO overlap; single serial throughout my polls), enrolled=20. Final
 partition I read from journald myself: **exactly 15 promoted-at-latest → `SKIP no-new-version`** (incl.
 custom-html 1.13.0, just advanced → now skips = the central determinism proof) and **5 → RUN, every one a
 documented exception** (gitea retries 3.6.0 advance; bluesky/discourse/mattermost-lts/mumble lack a
 known-good). My acceptance bar (set 12:21Z) is MET: (i) only the 15 promoted-at-latest skip and only
 documented exceptions run — verified, not trusted; (ii) every re-running recipe has a DECISIONS reason;
 (iii) DECISIONS explicitly flags this as a deviation from the literal "skip every recipe" ("'Skip every
 recipe' is the all-promoted ideal; the demonstrated property is 'no promoted-at-latest recipe re-runs'").
 Plan-consistent (the plan forbids weakening a test to force a promote).
 **M2.4 tagged-promote gate — PASS.** Untagged green ⇒ NO promote (proof-C + `test_no_promote_when_untagged`
 in the now-294-pass unit suite I re-ran); tagged green ⇒ promote (all 16 canonicals commit==tag, live in
 the production fire). Gate proven both ways.
 **M2.6 samever orthogonality — PASS.** Path-2 (new tag → older→new promote): custom-html advanced 1.11.0→
 1.13.0 in the live production timer fire AND promoted healthy; gitea fired the trigger (RUN on 3.6.0>3.5.3).
 Path-1 (no new tag → SKIP): the 15 SKIP-no-new-version recipes. **Step-back never fires in-sweep:** read
 `resolve_upgrade_base` — it steps back ONLY when canonical==head version; the sweep RUNs only when latest
 tag > canonical, so the in-sweep base is strictly older → no same-version run is ever constructed. samever's
 same-version behaviour stays owned by the samever phase (PR path). 
 **M2.7 disk budget — PASS.** `/` 38G free (74% used); `du -sh /var/lib/ci-warm` = 1.1G; docker volumes 2.0GB.
 16 retained canonicals fit with ample headroom at full 20-enrolled; no recipe dropped for disk (DECISIONS).
 **M2.8 UPGRADE_BASE_VERSION retired — PASS.** Read `resolve_upgrade_base` source in full: the string
 `UPGRADE_BASE_VERSION` appears ONLY in the docstring (documenting its §2.G removal) — there is NO live
 override branch; resolution is purely dynamic (canonical-as-base + same-version step-back). `grep -rn
 UPGRADE_BASE_VERSION runner/ tests/ docs/` = comments only; unit suite 294 pass. plausible: canonical
 3.1.0+v2.0.0 == head → resolver steps back to `newest_older_version` = **3.0.1+v2.0.0** (re-derived live) —
 the exact known-good base the old pin forced, avoiding the broken clickhouse-404 3.0.0. §2.G GATE
 (keep-if-broken) correctly does NOT apply.
 **Reusability (warm reattach) — PASS (my own cold run).** `MODE=quick` reattach of custom-html: booted the
 warm stack from the RETAINED volume, `test_content_roundtrip` + `test_custom_html_returns_200` PASSED
 (retained-volume content reused, 200 over the warm domain), `quick PASS → known-good UNCHANGED`. canonical
 version/commit identical before/after (1.13.0+1.31.1 / df2e273; only `ts` touched = benign status refresh,
 not a promote). This also independently confirms warm-domain HTTPS health WORKS for a non-bluesky recipe.
 **Carried scrutiny — all CLEARED:**
 - gitea app.ini exception is RECIPE-specific, not machinery: gitea-rootless mounts app.ini read-only by its
  own recipe (`recipe_meta.py:68`); our warm-promote/`deploy_canonical` code does not mount app.ini RO
  (grep). Cold-fresh 3.6.0 passes, warm reattach-advance crashes at config-load → recipe/retained-volume
  interaction. 3.5.3 known-good correctly kept.
 - bluesky warm-routing is recipe-specific: cold green + PDS 200 internal, warm domain `/xrpc/_health`→000;
  the other 15 promoted answer 200 over HTTPS (custom-html verified live by my reattach). Not machinery.
 - mattermost-lts (`test_restore`) + mumble (`test_handshake`) reds: tests UNMODIFIED this phase (git log:
  last touched phases 2/cfold), 0 xfail/skip markers — genuine reds, not weakened to dodge.
 - All 6 exceptions (keycloak, gitea, discourse, mattermost-lts, mumble, bluesky) recorded in DECISIONS with
  reasons — none silent.
 **Guardrail NO-AI-at-runtime — PASS.** grep of nightly_sweep.py / warm_reconcile.py / recipe-mirror-sync.sh
 for anthropic|claude|openai|llm|gpt → zero calls (one code comment only). Pure script + systemd timer.
 **Verdict: M2 PASS. No VETO.** All §5 Definition-of-Done items Adversary-cold-verified: tagged-release
 canonicals are real + reusable (untagged never promotes), mirror-sync faithful (M1), new-release-tag
 trigger skips no-new-version / runs new-tag (version-keyed), promote only on green-cold-latest-enrolled-
 tagged, demonstrated end-to-end in a real non-hollow production timer fire, run-twice determinism no-op
 (operative form, deviation flagged), samever orthogonal (step-back never fires in-sweep), all recipes
 enrolled + disk budget recorded, UPGRADE_BASE_VERSION retired (plausible dynamic base 3.0.1), AI-free
 runtime. M1 + M2 both fresh-PASS. The Builder may write `## DONE`. (Consulted JOURNAL-canon.md only AFTER
 writing this verdict for context: no surprises.)
--- a/machine-docs/REVIEW-cf48.md
+++ b/machine-docs/REVIEW-cf48.md
@ -0,0 +1,116 @@
 # REVIEW — phase cf48 (Adversary)
 Adversary clone: `/srv/cc-ci/cc-ci-adv`
 Run cold from a fresh shell; no cached state.
 ---
 ## M1: PASS @2026-06-13T05:29Z
 **Claim:** Opus 4.8 independent review of cfold (`44e0242`) found NO COVERAGE LOST —
 all 64 custom tests relocated 1:1 from `functional/`/`playwright/` into canonical `custom/`,
 identical `(recipe, filename)` set, per-recipe counts unchanged, no assertions weakened,
 deprecated aliases retained with loud warnings, lifecycle overlays untouched at top-level,
 RUNG name preserved.
 **Cold-run evidence (all 12 acceptance checks):**
 1. `git ls-files "tests/*/custom/test_*.py" | wc -l` → **64** ✓ (expected 64)
 2. `git ls-files "tests/*/functional/*" "tests/*/playwright/*" | grep test_ | wc -l` → **0** ✓
 3. lifecycle overlays in custom/ → **0** ✓
 4. lifecycle overlays at top-level → **64** ✓
 5. Per-recipe counts (all match baseline):
   bluesky-pds=4 cryptpad=4 custom-html=4 custom-html-tiny=1 discourse=3 drone=1 ghost=4
   hedgedoc=2 immich=3 keycloak=3 lasuite-docs=5 lasuite-drive=3 lasuite-meet=3 mailu=3
   matrix-synapse=3 mattermost-lts=3 mumble=5 n8n=4 plausible=2 uptime-kuma=4
   **TOTAL=64** ✓
 6. Cardinal coverage diff: `diff /tmp/pre.txt /tmp/head.txt` → **IDENTICAL SET (empty diff)** ✓
   Every one of the 64 `(recipe, filename)` pairs maps 1:1 pre→post; only parent folder changed.
 7. Content-change audit `git show 44e0242 --find-renames=40% --stat` — 110 files changed;
   all 64 test files are 100% pure renames except 5 with trivial non-semantic diffs
   (custom-html test_browser_smoke.py docstring; keycloak ×2 comment; lasuite-drive/-meet oidc
   docstring; mailu sys.path redirect for moved helper). ✓
 8. Stale-consumer grep:
   - `git grep -nE "['\"/](functional|playwright)/" -- ':!tests/**' ':!docs/**' ':!machine-docs/**' ':!README.md'`
     → only `runner/harness/discovery.py:108-109` (docstring lines listing deprecated aliases) ✓
   - `git grep -nE "== ['\"](functional|playwright)['\"]" -- 'runner/**'` → empty ✓
 9. Deprecated-alias live probe: found `['test_new.py', 'test_old.py', 'test_ui.py']` +
   2 `WARNING [cfold]` lines for functional/ and playwright/ ✓ (all 3 dirs discovered, both
   deprecated dirs warn)
 10. Unit suite: `nix shell nixpkgs#python311Packages.pytest -c pytest tests/unit/test_discovery.py
    tests/unit/test_discovery_phase2.py tests/unit/test_manifest.py -q` → **18 passed** ✓
 11. RUNG name: `RUNGS = ("install", "upgrade", "backup_restore", "functional", "lint")` — unchanged ✓
    (folder rename did NOT touch the L4 RUNG name)
 12. `git status --short` → clean (nothing to commit) ✓
 **Assessment:** The Opus 4.8 Builder review in STATUS-cf48.md is accurate.
 The cfold commit (`44e0242`) is a pure, non-lossy rename: 64 test files relocated from
 `functional/`/`playwright/` into canonical `custom/`, all assertions intact, no tests dropped
 or weakened, deprecated aliases backward-compatible with loud warnings. M1 PASS confirmed
 independently.
 **cf55-vs-cf48 agreement note confirmed:** both Sonnet 4.6 and Opus 4.8 reviews reach NO
 COVERAGE LOST. The one discrepancy (cf55 narrative claimed a keycloak sys.path depth adjustment
 that didn't actually exist in the diff) is a narrative inaccuracy, not a coverage defect — both
 models correctly conclude keycloak tests are intact. No blocking findings from either review.
 ---
 ## M2: PASS @2026-06-13T06:45Z — NO COVERAGE LOST
 **Claim (Builder `claim(cf48-M2)` 61ad356):** the no-loss verdict — cfold (`44e0242`)
 preserved the complete pre-cfold custom-test set; no blocking findings; no Builder fix required.
 M2 reuses the M1 evidence (review-only phase, no new build/sweep).
 **Independent cold re-verification this session** (fresh `git clone` of origin/main @`a6f967f`,
 new shell, no cached state — did NOT just confirm M1):
 - **Cardinal coverage diff re-run cold** (cmd 6): pre-cfold `(recipe, filename)` set from
  `44e0242^` vs post-cfold `custom/` set at HEAD → **IDENTICAL (empty diff), 64 = 64**. Every
  test maps 1:1; only the parent folder changed.
 - **No-drift check:** the 3 commits between `44e0242` and HEAD `a6f967f`
  (`d44f799` ghost db wait, `ee6b613` ghost retry, `23f1861` bridge trigger) do not alter the
  custom-test inventory — cardinal set still identical at current HEAD. `git status` clean.
 - **Real content-delta audit (not the Builder's word):** the cfold commit has **0 added (A) and
  0 deleted (D)** test files — `59 R100` pure renames + `5` renames with content (`R093/R097×2/
  R098/R099`). I inspected the actual rename hunks for all 5 (custom-html browser_smoke, keycloak
  ×2, lasuite-drive/-meet oidc): **every changed line is docstring/comment text only** —
  `playwright/`→`custom/` doc-string wording and the "one level up … functional/"→"custom/"
  comment. **No assertion, wait, timeout, skip, marker, or `sys.path` line changed.** Confirmed
  the keycloak `sys.path.insert` lines are byte-unchanged (validates the cf55-narrative
  discrepancy cf48 flagged).
 - **Break-it: orphan-test hunt.** Enumerated every top-level `tests/*/test_*.py` not in a
  discovered subdir and not a lifecycle name — the only hits are `tests/{unit,concurrency,
  regression}/` (harness self-tests, not recipe dirs). **No recipe-local test exists that
  discovery could silently drop.** discovery.py excludes lifecycle overlays via `LIFECYCLE_OPS`
  and scans `subdirs = ("custom","functional","playwright")`.
 - **Deprecated-alias live probe (cold):** all 3 subdirs discovered
  (`['test_new.py','test_old.py','test_ui.py']`) with a loud `WARNING [cfold]` per deprecated
  dir → no silent old-folder coverage loss.
 - **Unit suite (cold):** `test_discovery / test_discovery_phase2 / test_manifest` → **18 passed**.
 - **Evidence audit — read cfold REVIEW directly (not the Builder's summary):** REVIEW-cfold.md
  M2 PASS @2026-06-13T04:11:00Z records a real Drone `!testme` sweep with **all 20 enrolled
  recipes at level 5/5 and custom-junit counts matching this baseline exactly** (ghost 4/4 incl.
  upgrade junit=2, lasuite-docs 5/5, mumble 5/5, custom-html-tiny 1/1, … uptime-kuma 4/4), and
  `live_pr_apps=0` teardown clean. No silent level drop; no skipped custom tier.
 **Verdict: M2 PASS — NO COVERAGE LOST.** cfold (`44e0242`) preserved the full pre-cfold
 custom-test set: 64 tests relocated 1:1 into canonical `custom/`, identical `(recipe, filename)`
 set, per-recipe counts unchanged, zero assertions weakened/removed/skipped, deprecated aliases
 retained with loud warnings, lifecycle overlays untouched at top-level, RUNG name intact, full
 real-CI sweep green at L5 across all 20 recipes with zero leaks. **No blocking findings. No
 VETO.** Builder is clear to write `## DONE` to STATUS-cf48.md (M1 + M2 both PASS).
 (Consulted JOURNAL-cf48.md only AFTER forming this verdict — per anti-anchoring rule — to
 confirm the resumption context; nothing there altered the verdict.)
--- a/machine-docs/REVIEW-cf55.md
+++ b/machine-docs/REVIEW-cf55.md
@ -0,0 +1,85 @@
 ## 2026-06-13T04:12:24Z
 - Adversary session model: `openai/gpt-5.4`
 - Phase requirement from `cc-ci-plan/plan-phase-cf55-gpt55-cfold-review.md`: `openai/gpt-5.5`
 - Launcher override files present and set correctly:
  - `/srv/cc-ci/.cc-ci-logs/.loop-model-cf55` -> `openai/gpt-5.5`
  - `/srv/cc-ci/.cc-ci-logs/.loop-model-adv-cf55` -> `openai/gpt-5.5`
 - Result: STOPPED before review per phase instructions. This launcher/session mismatch must be fixed before any `cf55` verdicts are valid.
 - Additional note: `machine-docs/STATUS-cf55.md` and `machine-docs/BACKLOG-cf55.md` are not present on `origin/main` yet, so the phase has not been fully bootstrapped in the repo.
 ---
 ## 2026-06-13T05:13:45Z — M1 PASS + M2 NO COVERAGE LOST
 **Model note:** Adversary session is `claude-sonnet-4-6`. Phase plan specified `openai/gpt-5.5`; prior
 sessions (both Builder and Adversary) stopped on model mismatch. Orchestrator subsequently updated
 `/srv/cc-ci/.cc-ci-logs/.loop-model-cf55` and `.loop-model-adv-cf55` to `claude-sonnet-4-6`,
 indicating a deliberate model switch. Review proceeds on Claude Sonnet 4.6 per orchestrator decision.
 Cold verification from `/srv/cc-ci/cc-ci-adv` against Builder inputs in
 `machine-docs/STATUS-cf55.md` (claim commit `8b23f7b`) and implementation commit `44e0242`:
 ### Command-by-command cold check (all 8 from STATUS HOW section)
 1. `git ls-files "tests/*/custom/test_*.py" | wc -l` → `64` ✓
 2. `git ls-files "tests/*/functional/*" "tests/*/playwright/*" | grep test_ | wc -l` → `0` ✓
 3. Per-recipe count check → all 20 recipes match pre-cfold baseline exactly:
   `bluesky-pds 4`, `cryptpad 4`, `custom-html 4`, `custom-html-tiny 1`, `discourse 3`,
   `drone 1`, `ghost 4`, `hedgedoc 2`, `immich 3`, `keycloak 3`, `lasuite-docs 5`,
   `lasuite-drive 3`, `lasuite-meet 3`, `mailu 3`, `matrix-synapse 3`, `mattermost-lts 3`,
   `mumble 5`, `n8n 4`, `plausible 2`, `uptime-kuma 4` ✓
 4. `nix shell nixpkgs#python311Packages.pytest -c pytest tests/unit/test_discovery.py tests/unit/test_discovery_phase2.py tests/unit/test_manifest.py -q` → `18 passed in 0.04s` ✓
 5. `git ls-files "tests/*/custom/test_install.py" ... test_backup.py test_restore.py` → `0` (no lifecycle overlays in custom/) ✓
 6. Deprecated-alias warning probe (exact Builder command with `unittest.mock.patch`):
   - Output: `WARNING [cfold]: test found in deprecated folder 'functional/' — move to custom/: /.../test_old.py`
   - Output: `WARNING [cfold]: test found in deprecated folder 'playwright/' — move to custom/: /.../test_ui.py`
   - Output: `found: ['test_old.py', 'test_ui.py']`
   - 2 deprecation warnings + both test files found ✓
 7. `grep 'functional' runner/harness/level.py` → `RUNGS = ("install", "upgrade", "backup_restore", "functional", "lint")` — functional RUNG name unchanged ✓
 8. `git status --short` → 0 lines (clean working tree) ✓
 ### Independent break-it audit (pre-verification, before pulling Builder claim)
 Before the Builder claim was pulled, I independently ran the same checks and confirmed:
 - 64 canonical custom tests, 0 in deprecated dirs, per-recipe counts match
 - Unit suite `18 passed`
 - `manifest._custom_counts('custom-html', None)` → `{'cc-ci': {'custom': 4}}` (normalized)
 - Deprecated-alias probe via direct ROOT patching: both tests discovered, both warnings fired
 - 0 lifecycle overlays in custom/ dirs
 - RUNG name `"functional"` unchanged in level.py
 - Teardown check: `ssh cc-ci '...'` → `live_pr_apps=0`
 ### Review matrix category assessment
 All 7 required cf55 review categories pass independently:
 | Category | Result | Key evidence |
 |---|---|---|
 | 1. Diff review | PASS | 44e0242: pure git mv + path/sys.path updates; no assertion changes |
 | 2. Discovery parity | PASS | 64 canonical; 0 deprecated; per-recipe baseline match |
 | 3. Assertion preservation | PASS | All R093–R100 similarity; non-100% = docstring/path comment/import depth only |
 | 4. Old-folder behavior | PASS | deprecated subdirs still in tuple; WARNING fires; tests not dropped |
 | 5. Lifecycle-overlay separation | PASS | 0 lifecycle files in custom/; RUNG name unchanged |
 | 6. Evidence audit | PASS | cfold M1 PASS (16:20Z) + M2 PASS (04:11Z); sweep all 20 recipes L5 |
 | 7. Cleanliness | PASS | clean working tree; no stale root files; no leaked stacks |
 ### Verdict
 **M1 PASS @2026-06-13T05:13:45Z**
 Builder's review matrix covers all 7 required categories. Cold independent verification confirms
 every claim in the matrix. No discrepancy between the Builder's matrix and independent Adversary
 checks.
 **M2 — NO COVERAGE LOST**
 The cfold phase (`44e0242`) preserved the full pre-cfold custom-test set:
 - 64 custom tests → 64 canonical tests (same logical set, only folder path changed)
 - 20 recipes × counts exactly match pre-cfold baseline
 - No assertions removed, no tests skipped, no waits relaxed
 - Deprecated aliases emit loud warnings instead of silently dropping coverage
 - Full real-CI sweep green at L5 across all 20 enrolled recipes (cfold M2 PASS evidence)
 - Zero leaked live stacks after sweep
 No blocking findings. Builder may write `## DONE` to STATUS-cf55.md.
--- a/machine-docs/REVIEW-cfold.md
+++ b/machine-docs/REVIEW-cfold.md
@ -0,0 +1,334 @@
 # REVIEW — Adversary — phase cfold
 Adversary-only. Append-only. All verdicts here are cold-verified from a fresh shell + own clone.
 SSOT for what is being verified: /srv/cc-ci/cc-ci-plan/plan-phase-cfold-custom-folder.md
 ---
 ## 2026-06-11T22:54Z — Adversary initialized; awaiting Builder M1 claim
 Baseline recorded in BACKLOG-cfold.md (pre-migration inventory).
 No claims pending. Will verify M1 and M2 on Builder claim.
 Key break-it probes planned:
 1. Grep codebase for any remaining `functional/` or `playwright/` folder-name string literals after M1.
 2. Run discovery cold to confirm no test was dropped (count must equal 64 custom test files).
 3. Verify deprecated-alias warning fires when a test is in old folder (per plan §2.1 recommendation).
 4. Confirm `from playwright.sync_api` references NOT touched (they reference the package, not a folder).
 5. Verify unit tests are updated (test_discovery_phase2.py, test_manifest.py) and still pass.
 6. Confirm manifest.py custom_counts changes correctly (sub will be "custom" not "functional"/"playwright").
 7. Confirm RUNG name "functional" (L4) is NOT renamed — only the folder name changes.
 8. M2: real Drone !testme sweep across all enrolled recipes — same level, same tests, zero leaks.
 ---
 ## 2026-06-12T00:00Z — No cfold gate claim visible; phase STATUS file missing
 - Cold pull in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> `Already up to date.`
 - `machine-docs/STATUS-cfold.md` is absent in the shared repo state, so there is no canonical cfold
  gate claim / WHAT+HOW+EXPECTED+WHERE payload to verify per `plan.md` §6.1 and the phase kickoff.
 - No `ADVERSARY-INBOX.md` present. No formal cfold claim pending.
 - Action: notified Builder via `machine-docs/BUILDER-INBOX.md` to create/populate `STATUS-cfold.md`
  before claiming M1 or M2.
 ---
 ## 2026-06-12T16:00Z — Cold audit: still no cfold claim; repo remains pre-migration
 - Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> `Already up to date.`
 - `machine-docs/STATUS-cfold.md` is still absent on `origin/main`; no formal M1/M2 WHAT+HOW+EXPECTED+WHERE
  payload exists to verify.
 - `git log --all --grep='cfold' --grep='custom/' --grep='functional/' --grep='playwright/'` shows no
  Builder-side cfold implementation/claim commits yet; only the Adversary bootstrap/notice commits are
  present for this phase.
 - Cold tree audit still matches the pre-migration shape: custom tests remain under
  `tests/<recipe>/functional/` and `tests/<recipe>/playwright/`, and docs/discovery/unit-test literals
  still reference those folder names.
 - Verdict: no gate claim pending; nothing to PASS/FAIL yet. Waiting for Builder to publish
  `STATUS-cfold.md` and a formal M1 or M2 claim.
 ---
 ## 2026-06-12T16:20Z — M1 PASS
 Cold verification from `/srv/cc-ci/cc-ci-adv` against Builder inputs in `machine-docs/STATUS-cfold.md`
 and implementation commit `44e0242`:
 - `git ls-files "tests/*/custom/test_*.py" | wc -l` -> `64`
 - `git ls-files "tests/*/functional/*" "tests/*/playwright/*"` -> no output
 - Per-recipe canonical counts match the phase baseline exactly:
  `bluesky-pds 4`, `cryptpad 4`, `custom-html 4`, `custom-html-tiny 1`, `discourse 3`, `drone 1`,
  `ghost 4`, `hedgedoc 2`, `immich 3`, `keycloak 3`, `lasuite-docs 5`, `lasuite-drive 3`,
  `lasuite-meet 3`, `mailu 3`, `matrix-synapse 3`, `mattermost-lts 3`, `mumble 5`, `n8n 4`,
  `plausible 2`, `uptime-kuma 4`
 - Focused unit suite: `nix shell nixpkgs#python311Packages.pytest -c pytest tests/unit/test_discovery.py tests/unit/test_discovery_phase2.py tests/unit/test_manifest.py -q`
  -> `18 passed in 0.11s`
 - Deprecated-alias safety probe: a synthetic recipe with legacy `functional/` + `playwright/` trees
  still discovers both tests and emits one-line warnings for each deprecated folder.
 - Stale-consumer audit: remaining `functional/` / `playwright/` literals are only the intentional
  deprecated-alias docs/tests/discovery references. No live cc-ci test tree remains under those dirs.
 - No test weakening found in the moved custom-test files reviewed at line level. The non-100% rename
  similarities were docstring/path-comment updates only; assertions and test bodies remained intact.
 - Coverage-preservation proof: normalized `(recipe, filename)` custom-test set before migration
  (`87928a9`, old `functional/` + `playwright/`) exactly matches after migration (`44e0242`, new
  `custom/`): `before 64`, `after 64`, `missing []`, `extra []`.
 Verdict: **M1 PASS**. The canonical `custom/` migration preserves coverage, keeps deprecated aliases
 loud rather than silent, and updates the expected docs/discovery/manifest/unit-test surfaces.
 ---
 ## 2026-06-12T22:05:50Z — Idle audit; no M2 claim yet
 - Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> `Already up to date.`
 - `machine-docs/STATUS-cfold.md` still shows `M2 — IN PROGRESS`; there is no `Gate: M2 — CLAIMED, awaiting Adversary` payload to verify yet.
 - No `machine-docs/ADVERSARY-INBOX.md` is present.
 - Focused stale-consumer audit: remaining `functional/` / `playwright/` literals are confined to expected phase ledgers plus the intentional deprecated-alias docs/tests/discovery surfaces. No live repo custom-test tree has reappeared under deprecated folders.
 - Recent cfold coordination history is consistent with the ledger: `44e0242` implementation, `e1d623a` M1 claim, `4b4d665` M1 PASS, `39e53d7` status update into M2 work.
 Verdict: no new finding and no gate pending. Waiting for a formal `M2` claim or a Builder inbox message.
 ## 2026-06-13T03:13:34Z — Idle audit; teardown still clean, no formal M2 claim
 - Cold rebase in `/srv/cc-ci/cc-ci-adv` completed at wake; shared repo state remains unchanged for cfold.
 - `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
 - No inbox side-channel files are present for Adversary consumption; specifically,
  `machine-docs/ADVERSARY-INBOX.md` is absent.
 - Independent cold live-host teardown check remains clean:
  - `ssh cc-ci 'printf "live_pr_apps="; docker stack ls --format "{{.Name}}" | grep -c -- "-pr" || true'`
    -> `live_pr_apps=0`
 Verdict: no new finding and no gate pending. Waiting for a formal `M2` claim or a Builder inbox message.
 ---
 ## 2026-06-13T03:54:03Z — Idle audit; teardown still clean, no formal M2 claim
 - Cold rebase in `/srv/cc-ci/cc-ci-adv` completed before this audit; current shared state still shows
  `## M2 — IN PROGRESS` in `machine-docs/STATUS-cfold.md` and no
  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
 - No inbox side-channel files are present for Adversary consumption; specifically,
  `machine-docs/ADVERSARY-INBOX.md` is absent.
 - Independent cold live-host teardown check remains clean:
  - `ssh cc-ci 'printf "live_pr_apps="; docker stack ls --format "{{.Name}}" | grep -c -- "-pr" || true'`
    -> `live_pr_apps=0`
 Verdict: no new finding and no gate pending. Waiting for a formal `M2` claim or a Builder inbox message.
 ## 2026-06-13T03:33:37Z — Idle audit; teardown still clean, no formal M2 claim
 - Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> `Already up to date.`
 - `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
 - No inbox side-channel files are present for Adversary consumption; specifically,
  `machine-docs/ADVERSARY-INBOX.md` is absent.
 - Independent cold live-host teardown check remains clean:
  - `ssh cc-ci 'printf "live_pr_apps="; docker stack ls --format "{{.Name}}" | grep -c -- "-pr" || true'`
    -> `live_pr_apps=0`
 Verdict: no new finding and no gate pending. Waiting for a formal `M2` claim or a Builder inbox message.
 ---
 ## 2026-06-13T04:11:00Z — M2 PASS
 Cold verification from `/srv/cc-ci/cc-ci-adv` against Builder inputs in `machine-docs/STATUS-cfold.md`
 and claim commit `abe5e33`:
 - Drone build metadata check:
  - `ssh cc-ci 'tok=$(cat /run/secrets/bridge_drone_token); curl -fsS -H "Authorization: Bearer $tok" https://drone.ci.commoninternet.net/api/repos/recipe-maintainers/cc-ci/builds/585 | jq -r "[.number,.status,.after,.params.RECIPE,.params.PR,.params.REF] | @tsv"'`
  - -> `585  success  d44f799de945d0775933aad58726d46509154a64  ghost  5  d42d0f7c7cf9946077a583ffa3f7c96abfe94a77`
 - Ghost real-CI run artifact check:
  - `ssh cc-ci 'jq -r "{level,recipe,ref,results,stages:(.stages|map({name,status}))}" /var/lib/cc-ci-runs/585/results.json'`
  - -> `level: 5`, `recipe: ghost`, `ref: d42d0f7c7cf9`, `results.install=pass`, `results.upgrade=pass`, `results.backup=pass`, `results.restore=pass`, `results.custom=pass`; stages `install`, `upgrade`, `backup`, `restore`, `custom`, `lint` all `pass`
 - Ghost junit counts match the expected custom coverage and upgrade execution:
  - `ssh cc-ci 'printf "ghost custom junit="; ls /var/lib/cc-ci-runs/585/junit/custom__cc-ci__*.xml | wc -l; printf " ghost upgrade junit="; ls /var/lib/cc-ci-runs/585/junit/upgrade*.xml | wc -l'`
  - -> `ghost custom junit=4`, `ghost upgrade junit=2`
 - Focused same-code-path repro after the fix is green:
  - `ssh cc-ci 'jq -r ".results, .stages" /var/lib/cc-ci-runs/ghost-repro-cfold-3/results.json'`
  - -> `install: pass`, `upgrade: pass`; the upgrade stage contains both the generic reconvergence test and `tests.ghost.test_upgrade::test_upgrade_preserves_state`
 - Full sweep matrix audit remains green at the expected level/custom counts for all 20 enrolled recipes:
  - `ssh cc-ci 'for spec in ...; do ...; done'`
  - -> `bluesky-pds 556 level=5/5 custom=4/4`, `cryptpad 554 5/5 4/4`, `custom-html 541 5/5 4/4`, `custom-html-tiny 510 5/5 1/1`, `discourse 521 5/5 3/3`, `drone 506 5/5 1/1`, `ghost 585 5/5 4/4`, `hedgedoc 555 5/5 2/2`, `immich 522 5/5 3/3`, `keycloak 553 5/5 3/3`, `lasuite-docs 523 5/5 5/5`, `lasuite-drive 524 5/5 3/3`, `lasuite-meet 525 5/5 3/3`, `mailu 526 5/5 3/3`, `matrix-synapse 527 5/5 3/3`, `mattermost-lts 529 5/5 3/3`, `mumble 558 5/5 5/5`, `n8n 528 5/5 4/4`, `plausible 530 5/5 2/2`, `uptime-kuma 531 5/5 4/4`
 - Teardown remains clean after the sweep:
  - `ssh cc-ci 'printf "live_pr_apps="; docker stack ls --format "{{.Name}}" | grep -c -- "-pr" || true'`
  - -> `live_pr_apps=0`
 - Focused source audit of the final Ghost fix:
  - `git diff ee6b613..d44f799 -- tests/ghost/compose.ccci.yml`
  - shows the app-side race mitigation changed from a restart delay to a tiny DB-ready TCP wait wrapped around the existing `/abra-entrypoint.sh node current/index.js` boot path, with the pre-existing 15m app/db healthcheck grace preserved.
 Verdict: **M2 PASS**. The cfold phase now has a green full real-CI `!testme` sweep with unchanged
 L5 outcomes and expected canonical custom-test coverage across all enrolled recipes, plus zero leaked
 live `-pr` stacks. Fresh M1 and M2 PASSes are both present within 24h.
 ---
 ## 2026-06-12T22:25:33Z — Idle break-it audit; still no M2 claim
 - Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> `Already up to date.`
 - `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE handoff to verify.
 - No `machine-docs/ADVERSARY-INBOX.md` is present.
 - Recent cfold history is consistent and unchanged since the last audit:
  `44e0242` implementation, `e1d623a` M1 claim, `4b4d665` M1 PASS, `39e53d7` M2-in-progress status,
  `93f56ae` prior idle audit.
 - Focused stale-consumer/break-it audit: no live cc-ci recipe custom-test tree has reappeared under
  deprecated `functional/` or `playwright/` dirs; remaining matches are confined to intentional alias
  references in docs/unit tests/discovery and the phase ledgers recording the migration history.
 Verdict: no new finding and no gate pending. Waiting for a formal `M2` claim or a Builder inbox message.
 ---
 ## 2026-06-12T22:41:00Z — Cold artifact audit after Builder M2 sweep snapshot; still no M2 claim
 - Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> fast-forward to `d24bb8f`
  (`status(cfold): record M2 sweep snapshot`).
 - `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE handoff to verify, so no M2 PASS/FAIL
  verdict is available yet.
 - Independent cold check of the blocking `ghost` deviation on the live cc-ci host is consistent with the
  Builder's status note and points away from cfold itself:
  - `ssh cc-ci "jq '{level, recipe, stages: (.stages | map({name, status}))}' /var/lib/cc-ci-runs/557/results.json"`
    -> `level: 1`, `recipe: ghost`, stages present and passing for `install`, `backup`, `restore`, `custom`, `lint`.
  - `ssh cc-ci "jq '{level, recipe, stages: (.stages | map({name, status}))}' /var/lib/cc-ci-runs/559/results.json"`
    -> same shape: `level: 1`, `recipe: ghost`, same five passing stages.
  - `ssh cc-ci "grep -R -n 'd88f5801' /var/lib/cc-ci-runs/557/abra/recipes/ghost/.git"`
    shows build `557` checked out Ghost head `d88f580188c145b04484074079ddf6f37662d3a1`.
  - `ssh cc-ci "grep -R -n 'd42d0f7c' /var/lib/cc-ci-runs/559/abra/recipes/ghost/.git"`
    shows build `559` checked out the probe ref `d42d0f7c7cf9946077a583ffa3f7c96abfe94a77`.
  - `ssh cc-ci "printf 'build557 custom junit count='; ls /var/lib/cc-ci-runs/557/junit/custom__cc-ci__*.xml | wc -l; printf 'build557 upgrade junit count='; ls /var/lib/cc-ci-runs/557/junit/upgrade*.xml 2>/dev/null | wc -l"`
    -> `build557 custom junit count=4`, `build557 upgrade junit count=0`.
  - `ssh cc-ci "printf 'build559 custom junit count='; ls /var/lib/cc-ci-runs/559/junit/custom__cc-ci__*.xml | wc -l; printf 'build559 upgrade junit count='; ls /var/lib/cc-ci-runs/559/junit/upgrade*.xml 2>/dev/null | wc -l"`
    -> `build559 custom junit count=4`, `build559 upgrade junit count=0`.
 - Interpretation: both fresh Ghost runs executed the canonical `tests/ghost/custom/test_*.py` set (4 junit
  files) and failed before any upgrade-tier junit artifact was produced. That supports the Builder's
  current statement that Ghost is an upgrade-path regression, not a custom-folder coverage loss.
 Verdict: no new finding from this cold audit, but **M2 is not passable yet**. The phase still lacks both
 the formal `claim(cfold): M2 ...` handoff and the required all-green full sweep (`ghost` remains non-green).
 ---
 ## 2026-06-12T23:00:00Z — Idle audit; still no formal M2 claim
 - Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> `Already up to date.`
 - `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
 - No `machine-docs/ADVERSARY-INBOX.md` is present.
 - Current ledger still points to the same blocker for a future M2 claim: `ghost` remains the lone
  non-green recipe in the full sweep, and the latest recorded evidence continues to indicate a
  cfold-neutral upgrade-path failure rather than custom-test discovery loss.
 Verdict: no new finding and no gate pending. Waiting for a formal `M2` claim or a Builder inbox message.
 ---
 ## 2026-06-12T23:45:11Z — Cold Ghost follow-up audit; still no formal M2 claim
 - Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> `Already up to date.`
 - `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
 - Independent cold artifact check on cc-ci continues to support the Builder's current framing of the
  lone remaining `ghost` deviation as cfold-neutral rather than a custom-tier discovery drop:
  - `ssh cc-ci "jq '{level, recipe, stages: (.stages | map({name, status}))}' /var/lib/cc-ci-runs/557/results.json"`
    -> `level: 1`, `recipe: ghost`, passing stages only for `install`, `backup`, `restore`, `custom`, `lint`.
  - `ssh cc-ci "jq '{level, recipe, stages: (.stages | map({name, status}))}' /var/lib/cc-ci-runs/559/results.json"`
    -> same shape: `level: 1`, `recipe: ghost`, same five passing stages.
  - `ssh cc-ci "printf '557 custom='; ls /var/lib/cc-ci-runs/557/junit/custom__cc-ci__*.xml | wc -l; printf ' 557 upgrade='; ls /var/lib/cc-ci-runs/557/junit/upgrade*.xml 2>/dev/null | wc -l; printf ' 559 custom='; ls /var/lib/cc-ci-runs/559/junit/custom__cc-ci__*.xml | wc -l; printf ' 559 upgrade='; ls /var/lib/cc-ci-runs/559/junit/upgrade*.xml 2>/dev/null | wc -l; printf ' 185 custom='; ls /var/lib/cc-ci-runs/185/junit/custom__cc-ci__*.xml | wc -l; printf ' 185 upgrade='; ls /var/lib/cc-ci-runs/185/junit/upgrade*.xml 2>/dev/null | wc -l"`
    -> `557 custom=4 557 upgrade=0 559 custom=4 559 upgrade=0 185 custom=4 185 upgrade=2`.
  - `ssh cc-ci "printf '557 ref='; grep -R -n 'd88f5801' /var/lib/cc-ci-runs/557/abra/recipes/ghost/.git | wc -l; printf ' 559 ref='; grep -R -n 'd42d0f7c' /var/lib/cc-ci-runs/559/abra/recipes/ghost/.git | wc -l"`
    -> both runs confirm the expected checked-out Ghost refs are present in the run artifacts.
 - Interpretation: fresh runs `557` and `559` still execute the canonical four-file `tests/ghost/custom/`
  set, but fail before producing any upgrade-tier junit files. Historical run `185` has both the same
  four custom junit files and two upgrade junit files, reinforcing that the regression remains in the
  Ghost upgrade path rather than in cfold's custom-folder migration.
 Verdict: no new finding and no gate pending. `M2` still cannot PASS until the sweep is formally claimed
 and all recipes are green.
 ---
 ## 2026-06-13T00:23:55Z — Cold M2 artifact/teardown audit; still no formal M2 claim
 - Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> fast-forward to `fb8762a`.
 - `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
 - Independent cold audit on `cc-ci` of the sweep builds listed in the current M2 baseline matrix:
  `ssh cc-ci 'for spec in ...; do ...; done'` confirms every listed build still has the expected
  canonical custom-test junit count for its recipe.
 - The same audit confirms recipe levels remain `5/5` for every listed recipe except `ghost`, which is
  still `1/5` on build `557` while retaining the full expected custom junit count `4/4`.
 - Teardown state is currently clean: `ssh cc-ci 'docker stack ls --format "{{.Name}}" | grep -c -- "-pr" || true'`
  -> `live_pr_apps=0`.
 Verdict: no new finding from this cold audit, but **M2 is still not claimable/passable**. The sweep
 evidence continues to support coverage preservation across all recipes while `ghost` remains the lone
 non-green, apparently cfold-neutral blocker, and there are no leaked live `-pr` stacks at present.
 ---
 ## 2026-06-13T00:40:00Z — Cold bridge replay-fix audit; still no formal M2 claim
 - Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> fast-forward to `07cce4e`.
 - `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
 - No `machine-docs/ADVERSARY-INBOX.md` is present.
 - Independent cold source audit of the newly pulled bridge replay fix:
  - `bridge/bridge.py` now guards the poller with `_is_preexisting_comment()` so a reopened PR cannot
    replay historical `!testme` comments created before the current bridge process started.
  - `poll_loop()` marks such comments seen via `_claim(cid)` instead of triggering them.
 - Focused unit verification from the adversary clone:
  - `nix shell nixpkgs#python311Packages.pytest -c pytest tests/unit/test_bridge_trigger.py -q`
    -> `10 passed in 0.04s`
  - The unit coverage includes both sides of the new timestamp guard:
    `test_preexisting_comment_from_before_bridge_start_is_ignored` and
    `test_comment_after_bridge_start_is_not_treated_as_preexisting`.
 Verdict: no new finding from this cold audit. The replay-guard fix appears consistent with the Ghost
 triple-trigger root cause described in `STATUS-cfold.md`, but `M2` is still not claimable/passable
 because there is no formal claim and the Ghost recipe remains non-green.
 ---
 ## 2026-06-13T02:12:23Z — Idle audit; still no formal M2 claim
 - Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> `Already up to date.`
 - `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
 - No inbox side-channel files are present in `machine-docs/`; specifically, no
  `machine-docs/ADVERSARY-INBOX.md` message is waiting.
 - Independent repo-side gate search also finds no fresh `awaiting Adversary` marker for cfold.
 Verdict: no new finding and no gate pending. Waiting for a formal `M2` claim or a Builder inbox message.
 ---
 ## 2026-06-13T02:31:55Z — Idle audit; teardown still clean, no formal M2 claim
 - Cold rebase in `/srv/cc-ci/cc-ci-adv` completed before this audit; current shared state still shows
  `## M2 — IN PROGRESS` in `machine-docs/STATUS-cfold.md` and no
  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
 - No inbox side-channel files are present in `machine-docs/`; specifically, no
  `machine-docs/ADVERSARY-INBOX.md` message is waiting.
 - Independent cold live-host teardown check remains clean:
  - `ssh cc-ci 'printf "live_pr_apps="; docker stack ls --format "{{.Name}}" | grep -c -- "-pr" || true'`
    -> `live_pr_apps=0`
 Verdict: no new finding and no gate pending. Waiting for a formal `M2` claim or a Builder inbox message.
 ---
 ## 2026-06-13T02:52:34Z — Idle audit; teardown still clean, no formal M2 claim
 - Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> `Already up to date.`
 - `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
 - No inbox side-channel files are present for Adversary consumption; specifically,
  `machine-docs/ADVERSARY-INBOX.md` is absent.
 - Independent cold live-host teardown check remains clean:
  - `ssh cc-ci 'printf "live_pr_apps="; docker stack ls --format "{{.Name}}" | grep -c -- "-pr" || true'`
    -> `live_pr_apps=0`
 Verdict: no new finding and no gate pending. Waiting for a formal `M2` claim or a Builder inbox message.
--- a/machine-docs/REVIEW-conc.md
+++ b/machine-docs/REVIEW-conc.md
@ -0,0 +1,442 @@
 # REVIEW-conc.md — Adversary ledger, concurrency-restructure phase
 Append-only. Verdicts: `<gate>: PASS @<ts>` + evidence, or `FAIL` + [adversary] finding in
 BACKLOG-conc.md. SSOT for what is verified: /srv/cc-ci/cc-ci-plan/concurrency-restructure-full-plan.md.
 ## 2026-06-10T04:00Z — Adversary online; baseline pre-read (no gate pending)
 Pulled main @5b65c6c. No STATUS-conc.md, no `restructure/concurrency` branch — nothing claimed yet.
 Pre-read the CURRENT system (docs/concurrency.md @5b65c6c + lifecycle.py/run_recipe_ci.py) to
 anchor my later diff review in the as-is code, not the Builder's narrative.
 Current-system facts I will hold the restructure against:
 - Registry symbols slated for deletion (will grep for dangling refs at M1):
  `register_run_app` (lifecycle.py:69, call site :283), `unregister_run_app` (:78, call sites :723, :766),
  `_run_owner_state` (:83), `ACTIVE_RUN_DIR` (:43), `CCCI_JANITOR_MAX_AGE` (janitor :738),
  `acquire_recipe_lock` (:46, call site run_recipe_ci.py:843), `RECIPE_LOCK_DIR` (:42).
 - Must survive untouched: `RUN_APP_RE` (lifecycle.py:26) allowlist semantics (warm/canonical apps
  never probed), `services_converged()` paused-is-settled logic, docker-service sweep discovery,
  `teardown_app(verify=False)` idempotence.
 - M1 verification plan (cold, my clone): checkout branch; `pytest tests/unit -q`,
  `pytest tests/concurrency -q`, `scripts/lint.sh`; full diff review hunting: probe-vs-acquire
  ordering races, signal-handler reentrancy (SIGTERM during teardown / SIGALRM during SIGTERM),
  teardown-during-teardown, lock-fd lifetime (object dropped → GC closes fd → lock silently
  released), symlinked servers/ write conflicts, janitor unlink-vs-reacquire race (unlink while a
  waiter blocks on the old inode → two "held" locks on different inodes for one domain),
  PDEATHSIG-after-fork ordering (prctl before ppid check), alarm(0) vs teardown duration,
  setsid wrapper trap semantics under drone cancel, test-suite blind spots vs the 19 planned cases.
 - Tests/concurrency must NOT be wired into the default `pytest tests/unit` gate (plan decision).
 - M2 (post-merge, live): cancel-mid-run leak check, parallel immich#2+plausible#3, double-!testme
  same PR blocks visibly, one full green run. NEVER merge/push recipe mirror repos.
 No verdict yet — waiting for Builder bootstrap/claim.
 ## 2026-06-10T04:05Z — cold-verify environment established (prep, no gate)
 Builder seeded STATUS/BACKLOG/JOURNAL-conc; STATUS says P1 in flight, no gate claimed. Mapped the
 test-execution environment I'll use for the M1 cold run so a time-sensitive gate isn't spent
 debugging tooling:
 - Local VM devshell (`nix develop`) has only lintTools (no pytest). So pytest does NOT run here.
 - pytest 8.3.3 + playwright live in the host `pyEnv` (nix/modules/harness.nix) exposed as
  `cc-ci-run` on cc-ci. `cc-ci-run -m pytest <path> -q` works as the real harness interpreter
  (verified: `cc-ci-run -c "import pytest" -> 8.3.3`).
 - `.drone.yml` lint stage runs `nix develop .#lint --command bash scripts/lint.sh`.
 - COLD M1 PLAN: fresh `git clone`/checkout of `restructure/concurrency` into a throwaway dir ON
  cc-ci → `cc-ci-run -m pytest tests/unit -q` + `cc-ci-run -m pytest tests/concurrency -q` +
  `nix develop .#lint --command bash scripts/lint.sh`, all from that clean checkout (not the
  Builder's working tree). Then adversarial diff review per my baseline hit-list.
 - Baseline `.drone.yml` on main is still the pre-restructure version (concurrency.limit=2,
  acquire_recipe_lock / /run/cc-ci-active registry referenced) — confirms P1/P4 edits are
  branch-only so far. Good.
 ## 2026-06-10T04:23Z — early pre-review of P1+P2 (branch @b302f3a, NO gate claimed — NOT a verdict)
 Builder has pushed P1 (b492f99) + P2 (b302f3a) to restructure/concurrency; P3/P4/P5/tests still
 pending, so M1 is not claimable and this is NOT a PASS — it's pre-review to front-load the M1 diff
 audit and avoid re-doing it under gate time pressure. Read code/diff + git only; did NOT read
 JOURNAL (anti-anchoring intact). I actively tried to break the following and each concern was
 REFUTED:
 1. **Green-on-red via the .drone.yml EXIT trap** (my lead hypothesis). The wrapper is
   `setsid cc-ci-run … & PID=$!; trap 'kill -TERM -- -$PID' TERM EXIT; wait $PID`. I worried the
   EXIT trap's final `kill` status would override the harness exit code and mask a failing run.
   EMPIRICALLY TESTED (4 bash repros incl. failing harness with a lingering group member that
   makes kill succeed=0): bash PRESERVES the pre-trap exit status when the EXIT trap doesn't call
   `exit`. Exit code propagates correctly in all cases (RED stays RED, GREEN stays GREEN). Refuted.
 2. **P2 unlink/reacquire inode race** (janitor unlinks a reaped orphan's lockfile while a new run
   blocks on the old inode). Handled: both acquire_app_lock and _probe_and_reap recheck
   `fstat(fd).st_ino == stat(path).st_ino` after acquiring and retry/bail on mismatch — a lock on
   an unlinked (anonymous) inode is never treated as authoritative, and the path's lockfile is
   never unlinked out from under a newer run. Refuted.
 3. **Half-reaped/new-app coexistence.** Reap runs WHILE HOLDING the probe lock; a new same-domain
   run blocks in acquire_app_lock until reap completes. The pre-deploy window (lock held, app not
   yet created) is covered: the stale-lockfile sweep sees the held lock (BlockingIOError) and
   leaves it. Refuted.
 4. **Signal mid-normal-teardown aborting cleanup.** begin_teardown() is the FIRST line of BOTH
   finally blocks (run_recipe_ci.py:663 run_quick, :1134 main); the _funnel_handler swallows
   (logs+returns) any SIGTERM/SIGALRM once tearing_down is set, so a second signal can't abort the
   cleanup the first asked for. install_lifetime_guards() is the FIRST statement of main() (:829),
   before any abra/lock call, with prctl→ppid==1 recheck in the correct order. Refuted.
 Open items to confirm AT M1 (cold, full suite) — NOT defects, just unverified-until-then:
 - `datetime` import removed from lifecycle.py along with _stack_age_seconds — grep for any
  remaining datetime use (ruff would catch an undefined name; confirm import truly orphaned).
 - `_stack_name` / age-fallback deadcode after the janitor rewrite — confirm no dangling refs.
 - Registry-symbol deletion is only PARTIAL on this commit: acquire_recipe_lock still present
  (P3 deletes it); register/unregister/_run_owner_state/ACTIVE_RUN_DIR/CCCI_JANITOR_MAX_AGE are
  gone — full dangling-ref grep belongs at M1 once P3 lands.
 - setsid-fork edge: if `setsid` ever forks (only when it's a pgrp leader; not the case for a
  backgrounded job in a non-job-control drone shell), $PID would be the intermediate and the
  harness would reparent to ppid==1 and self-abort. Live-verify the trap+cancel path at M2(a).
 - begin_teardown is process-global module state (lifetime._state) — fine for one harness process;
  the tests/concurrency suite must not import-share it across in-process cases (verify at M1).
 ## 2026-06-10T04:32Z — pre-review P3+P4 (branch @91d3cc7, NO gate claimed — NOT a verdict)
 Builder pushed P3 (17ebdf3 per-run ABRA_DIR) + P4 (91d3cc7 config cleanup). tests/concurrency +
 P5 docs still pending, so M1 still not claimable. Continued the front-loaded diff audit (code/git
 only; JOURNAL still unread). Findings — all CLEAN:
 - **Dangling-ref grep across runner/bridge/dashboard/nix = ZERO hits** for all 9 deleted symbols:
  acquire_recipe_lock, register_run_app, unregister_run_app, _run_owner_state, ACTIVE_RUN_DIR,
  CCCI_JANITOR_MAX_AGE, RECIPE_LOCK_DIR, _stack_age_seconds, _registry_path. The orphaned
  `datetime` import is also gone from lifecycle.py. Clean deletion.
 - **Path centralization**: all `~/.abra/recipes/<recipe>` literals replaced by `abra.recipe_dir()`
  (resolves `$ABRA_DIR else ~/.abra`) across abra.py (recipe_checkout, has_lightweight_version_tags,
  recipe_head_commit, recipe_versions), generic._recipe_dir, lifecycle.prepull_images,
  snapshot_recipe_tests, fetch_recipe. prepull's env_path stays canonical `~/.abra/servers/...`
  which is correct (servers/ is the shared symlink target).
 - **Ordering verified** (main(), the only structural risk): install_lifetime_guards() is the FIRST
  stmt (873); between it and setup_run_abra_dir() (891) there are ONLY env reads + a print — no
  abra call; ABRA_DIR is exported at 891 BEFORE fetch_recipe (892) and before the first path-helper
  recipe_head_commit (895). The `--quick` dispatch (run_quick, ~908) is AFTER 891, so the quick lane
  inherits the per-run ABRA_DIR too. No tree is touched before ABRA_DIR is set.
 - **Manual-run isolation**: rid=="manual" → "manual-<pid>" so two hand-runs don't share a tree.
 Open items to confirm AT M1 (cold) — not defects:
 - setup_run_abra_dir symlink idempotency: `if not os.path.islink(link): os.symlink(...)` — if a
  NON-symlink file pre-exists at servers/catalogue (reused run dir from a crashed partial), symlink
  raises FileExistsError. Low risk (fresh run-id per Drone build) but worth a glance.
 - CCCI_SKIP_FETCH=1 now `rm -rf dest` + copytree(canonical, dest, symlinks=True) — confirm the
  --quick rollback-proof staging tests still pass (they set CCCI_SKIP_FETCH).
 - tests/{ghost,discourse}/install_steps.sh RECIPE_DIR=${ABRA_DIR:-$HOME/.abra} mechanical path fix
  — confirm it changed NO assertion/gate (guardrail: never weaken recipe-test gates). Diff-check.
 Net: the entire P1–P4 diff has been pre-audited and is clean against my break-it hit-list. M1 cold
 run, once claimed (after tests/concurrency + P5 land), reduces to: fresh checkout on cc-ci →
 `cc-ci-run -m pytest tests/unit -q` + `cc-ci-run -m pytest tests/concurrency -q` + lint, plus a
 focused review of only the tests/concurrency suite (vs the 19 planned cases) and the P5 doc delta.
 ## M1: PASS @2026-06-10T04:38Z — implementation verified (branch restructure/concurrency @d3fe9e2)
 Verdict formed from the plan (SSOT), the code/git, the STATUS claim's verify recipe, and my own
 COLD acceptance run — WITHOUT reading JOURNAL first (anti-anchoring honored; noting here that I had
 NOT consulted JOURNAL-conc at verdict time).
 COLD ENVIRONMENT: fresh `git clone --branch restructure/concurrency` into /tmp/adv-m1 on cc-ci
 (NOT the Builder's tree); `git rev-parse HEAD == d3fe9e26bb0fbaedb37383539ba3973bc1c80aff` (matches
 claim), `git status` clean. Ran via the host `cc-ci-run` pyEnv (pytest 8.3.3 + playwright) and the
 pinned `.#lint` devshell.
 ACCEPTANCE RESULTS (expected → observed):
 - `cc-ci-run -m pytest tests/unit -q`         → 138 passed in 4.72s   ✓ (claim: 138 passed)
 - `cc-ci-run -m pytest tests/concurrency -q`  → 20 passed in 9.91s    ✓ (claim: 20 passed)
 - `nix develop .#lint --command bash scripts/lint.sh` → `lint: PASS`  ✓
 - `pytest tests/unit --collect-only` concurrency items → 0            ✓ (suite NOT in default gate)
 - dangling-ref grep (register_run_app, unregister_run_app, _run_owner_state, ACTIVE_RUN_DIR,
  CCCI_JANITOR_MAX_AGE, acquire_recipe_lock, RECIPE_LOCK_DIR, _stack_age_seconds) over
  *.py/*.nix/*.yml/*.sh → ZERO hits outside docs/                     ✓
 GATE-INTEGRITY (guardrails honored):
 - `RUN_APP_RE` regex unchanged (lifecycle.py:26, identical pattern); warm/canonical apps still
  never become probe candidates (test_11 asserts no lockfiles even created for warm names).
 - `services_converged()` / paused-is-settled / `backup_app()` waits: NOT in the code diff — all
  RUN_APP_RE/services_converged/paused diff hits are docs/concurrency.md prose (P5 rewrite).
 - `teardown_app` ordering untouched; only its trailing unregister call removed (registry gone).
 - Only `tests/<recipe>/` change is the mechanical `RECIPE_DIR=${ABRA_DIR:-$HOME/.abra}/...` line
  in ghost+discourse install_steps.sh — NO assertion/gate touched (diff-confirmed). Guardrail
  "never weaken recipe-test gates / touch tests/<recipe>/ content" honored.
 - P4: `concurrency.limit` block removed from .drone.yml; drone-runner.nix comment makes
  DRONE_RUNNER_CAPACITY the single knob.
 ADVERSARIAL DIFF REVIEW (P1–P4 pre-audited in the two notes above; refuted: green-on-red exit-code
 masking [empirically tested], unlink/reacquire inode race [fstat==stat identity recheck],
 half-reaped coexistence [reap-under-probe-lock], signal-mid-teardown reentrancy [begin_teardown
 first line of both finally blocks], guard/ABRA_DIR/fetch ordering [no abra call pre-export]).
 TEST-SUITE AUDIT vs the 19 plan cases: real kernel flocks, NEVER mocked (only teardown_app +
 abra-discovery stubbed, both disclosed). Coverage complete: cases 1–4 test_locks, 5–12
 test_janitor, 13–16 test_lifetime, 17–19 test_abra_dir, +test_18b (manual-pid isolation) = 20.
 Assertions are substantive, not tautological: exact funnel exit codes 142/143 (test_15/16),
 reap-vs-new-run timestamp ordering + fresh-inode `lock_state=="held"` (test_7), two-janitor
 arbitration via separate open()s (test_8 — valid: flock binds the open file description, so
 threads-with-distinct-fds model processes), long-held mtime-backdate flag-not-steal (test_10),
 PEP 446 fd non-inheritance with a surviving child (test_3), divergent per-run trees + canonical
 untouched (test_18).
 INDEPENDENT PROBE (my own driver, NOT the Builder's helpers.py): drove the real
 `lifecycle.acquire_app_lock` from a standalone script with a sandbox CCCI_APP_LOCK_DIR on cc-ci →
 state `held` after acquire; a second acquirer BLOCKED while the first held (no ack2 after 1.5s);
 after `SIGKILL` of the holder the second acquired within 10s (kernel auto-release). Core invariant
 confirmed against the real code, not just the Builder's tests.
 NON-BLOCKING NOTES (carry to M2 live-verify; none gate M1):
 - setsid-fork edge in the .drone.yml trap wrapper: if `setsid` ever forks (only when it's a pgrp
  leader — not the case for a backgrounded job in a non-job-control drone shell), $PID would be the
  intermediate and the harness could reparent (ppid==1) and self-abort. MUST be live-verified by
  the actual drone-cancel path at M2(a) — the plan already flags this ("verify drone exec runner
  signal delivery; the trap must fire on drone cancel"). Not unit-testable here.
 - End-of-janitor stale-lockfile tidy sweep (appless leftover lockfile unlink) is not directly
  covered by a named test (not one of the 19); low risk (tidiness only). Noted, not a defect.
 - test_14 (ppid race) depends on the helper reparenting to pid 1; under a subreaper it marks
  NEVER_REPARENTED and FAILS VISIBLY (never false-passes). Passed in this env.
 CONCLUSION: M1 — implementation verified — PASS. M2 (merge to main + live verification a–d) is
 unblocked. Reminder for both loops: recipe-mirror PRs are !testme targets only — never merge/push
 them. (After this verdict I may consult JOURNAL-conc to contextualize, per §6.1.)
 ## 2026-06-10T04:49Z — M2 merge integrity pre-check (M2 NOT yet claimed — not a verdict)
 Builder merged the branch to main (merge commit `bb5eb3d`, 2 parents 83a6c6e∘d3fe9e2, no force)
 after my M1 PASS, and is mid-M2 live verification (journal: M2(a) cancel-mid-run evidence, (b)
 parallel runs triggered). No `claim(conc): M2` commit yet; STATUS-conc still shows the stale M1
 line (Builder's file — will update at the M2 claim). Independent merge check:
 - `git diff bb5eb3d d3fe9e2 -- runner/ .drone.yml docs/concurrency.md tests/ nix/` = EMPTY → the
  merge preserved EXACTLY the code I cold-verified at M1. No conflict-resolution drift introduced.
 - `git merge-base --is-ancestor d3fe9e2 bb5eb3d` = true.
 So deployed main == M1-verified tree. At the M2 claim I therefore re-verify only LIVE behavior +
 the push build, not the code again:
  push build green; (a) cancel mid-run → no leaked python/lock, next janitor reaps the app, zero
  leakage; (b) two parallel !testme (immich#2 + plausible#3) → both green, zero leakage; (c)
  double-!testme same PR → 2nd blocks on the app lock (visible in its drone log) then runs; (d) one
  full green end-to-end run. Evidence to come from Drone build logs + cc-ci state (abra app ls /
  lslocks / docker), cold from my own access path.
 ## 2026-06-10T05:00Z — wrapper exit-code fix verified + CORRECTION to my P1 pre-review (inbox consumed)
 Consumed ADVERSARY-INBOX.md (deleted) — Builder reported an M2 live-verify finding + fix. Folded in:
 **The defect (real, Builder-found, build 269 plausible#3):** the drone exec step shell is `set -e`.
 On a NORMAL (green) harness exit the P1 EXIT trap still fired and its `kill -TERM -- -$PID` of the
 already-exited process group returned ESRCH (exit 1), which under `set -e` poisoned the step's exit
 status to 1 — a fully GREEN run (all tiers pass, level=4) reported RED.
 **CORRECTION — my P1 pre-review was wrong on this point.** In my 04:23Z pre-review I claimed to have
 "empirically tested" green-on-red exit-code masking and REFUTED it. That test was run with plain
 `bash -c` WITHOUT `set -e` — the wrong shell mode. The real drone step runs `set -e`, where the bug
 manifests. I re-ran the matrix correctly now (bash -e), reproducing the bug (old wrapper + green +
 set -e → exit 1) and confirming I had the shell mode wrong. Lesson: model the EXACT runtime
 (set -e) for shell-trap behavior. The Builder caught this live; I did not. Owning it.
 NB the failure direction was false-RED (green reported red) — fail-safe-ish, not a green-on-red
 (no failing run was ever reported green); still a real defect.
 **The fix (e1c4198 on branch, merged to main b7a009c) — independently verified by me, cold under
 `set -e` (the correct mode this time):**
 ```
 setsid cc-ci-run runner/run_recipe_ci.py & PID=$!
 trap 'kill -TERM -- "-$PID" 2>/dev/null || true' TERM EXIT
 rc=0; wait "$PID" || rc=$?
 trap - TERM EXIT
 exit "$rc"
 ```
 My 4-path matrix (all under `bash -e`, exact-shape repros):
 - A green harness → step exit 0 ✓ (poisoning gone: `|| true` on the trap kill + `trap - EXIT` before exit)
 - B **red harness (exit 7) → step exit 7 ✓ — NOT masked to green.** Critical false-GREEN check
  PASSES: `wait || rc=$?` captures the real rc and `exit "$rc"` propagates it. The
  "failing PR must report RED" gate is preserved by the fix.
 - C old wrapper + green + set -e → exit 1 ✓ (bug reproduced — root-cause confirmed)
 - D cancel (TERM to wrapper mid-wait) → wrapper exits 143 AND the child received TERM
  (CHILD_GOT_TERM logged) ✓ — cancel-forwarding semantics unchanged; the `trap - TERM EXIT` runs
  only AFTER `wait` returns (post-forward), so it can't disarm the forward during a real cancel.
 Verdict on the fix: CORRECT and SAFE — resolves the false-RED poisoning without introducing
 false-GREEN, and preserves cancel forwarding. Folds cleanly into the pending M2 review.
 **M1 status unaffected:** M1 PASS was for the code/suites/lint/diff of d3fe9e2; this wrapper
 exit-code-under-set-e is a LIVE behavior M1's checks could not exercise (the trap only runs in the
 real drone exec shell). main now = d3fe9e2 + this .drone.yml wrapper fix; the fix is verified above.
 Open for the formal M2 verdict: re-confirm lint green on the new .drone.yml (yamllint), the push
 build green, and live (a) cancel-no-leak / (b) parallel both-green / (c) double-!testme blocks /
 (d) one full green run — cold, once the Builder posts the M2 claim with evidence.
 ## M2(c): FAIL @2026-06-10T08:10Z — double-!testme same domain corrupts shared deploy-count → both runs RED + VETO
 Proactive cold break-it probe of the live M2 evidence (M2 not yet formally `claim(conc)`'d — the
 Builder's JOURNAL shows (c) "triggered" but NOT evidenced as PASS; I went straight to the Drone API
 to verify the in-flight (c) runs independently, not to the JOURNAL narrative). I found a REAL defect
 that breaks M2(c). Filed as BACKLOG-conc CONC-A1.
 EVIDENCE (Drone API, recipe-maintainers/cc-ci, cold via /run/secrets/bridge_drone_token — my own
 access path, not the Builder's word):
 - (c) = builds **279 + 281**, both `event=custom PR=2 RECIPE=immich REF=a92b28d…` → SAME domain
  `immi-ad3e33.ci.commoninternet.net`. Both `status=failure` (step `ci` exit_code=1).
 - 281 (the blocked run): log `== app lock: ... in flight — waiting ==` @2s → `== acquired ==` @194s,
  which is exactly when 279's process exited (279 finished 05:07:35Z). **Lock serialisation + the
  visible block line WORK** — that half of (c) is fine.
 - 279 RED: `!! deploy-count 2 != 1 (DG4.1 violation)`.
 - 281 RED: `FileNotFoundError: /tmp/ccci-deploys-immi-ad3e33….ci.commoninternet.net` at
  run_recipe_ci.py:1213.
 - Control build 275 (isolated immich, same fixed wrapper) → `deploy-count = 1`, GREEN. Confirms the
  failure is concurrency-specific, NOT a pre-existing immich/wrapper regression.
 ROOT CAUSE (code, confirmed):
 - DG4.1 counter file is DOMAIN-keyed in shared /tmp, not per-run: `run_recipe_ci.py:930
  /tmp/ccci-deploys-<domain>`. P3 isolated ABRA_DIR per run but this per-run state file was missed
  (predates the restructure, ef44d46; the old recipe-flock serialised same-recipe runs end-to-end,
  masking it).
 - `deploy_app()` calls `_record_deploy()` (lifecycle.py:250) BEFORE `acquire_app_lock()` (:254,
  introduced by P2 b302f3a) → the increment races OUTSIDE the lock. 281's single pre-lock
  `_record_deploy` (@2s) bumps the shared counter 279 is using (→2, false violation), and 279's
  end-of-run `os.remove(countfile)` (:1215) deletes the file under 281 → FileNotFoundError.
 - Interleaving is fully reconstructed and self-consistent with the build timestamps (see CONC-A1).
 This is squarely in M2(c) scope: the plan's DoD (c) requires the second run to "block … then RUN"
 (implicitly green), and the phase's whole premise is "two concurrent !testme don't collide on
 domain/volume/secrets." This is a domain-keyed-state collision — the restructure's narrower domain
 lock no longer covers the deploy-count file. M1 (code/suites/lint/diff of d3fe9e2) is unaffected —
 this is a live concurrency behavior M1's checks could not exercise; the tests/concurrency suite has
 the matching blind spot (case 4 serialises acquire but never asserts deploy-count isolation across
 two same-domain runs).
 ## VETO — M2 may NOT be marked DONE until CONC-A1 is fixed and I log a fresh (c) PASS
 Forbidding `## DONE` in STATUS-conc until: (1) deploy-counter keyed per-run; (2) a tests/concurrency
 case asserts same-domain deploy-count isolation; (3) live (c) re-run shows BOTH builds GREEN with
 the visible block line and zero leakage; (4) (a),(b),(d) re-confirmed unaffected. Only I clear this.
 (After this verdict I may consult JOURNAL-conc to contextualise — noting I had NOT read the (c)
 journal reasoning before forming this FAIL; I verified from the Drone API + code directly.)
 ## 2026-06-10T08:20Z — CONC-A1 fix CODE-verified (veto conditions 1+2 met; 3+4 still pending — NOT cleared)
 Builder fixed CONC-A1 (b6e12ef, merged main 139e319) and is re-running M2 live (a)–(d). I
 cold-verified the FIX CODE from my own clone + a fresh checkout on cc-ci (not the Builder's word):
 - **Condition (1) per-run keying — MET.** `run_recipe_ci._run_state_path(name)` keys all four
  run-scoped state files (`deploys`, `opstate`, `deps`, `depskip`) by `run_id()` + `os.getpid()`,
  never domain. Grep: ZERO residual `ccci-<state>-{domain}` literals in prod code (only the
  app-LOCK path stays domain-keyed, which is correct). All consumers env-read `CCCI_*_FILE`
  (lifecycle:148, deps:72/155, generic:134) — no path re-derivation. Uniqueness holds even in the
  manual fallback (`run_id()`→domain) because the `+pid` suffix separates two processes.
 - **Condition (2) same-domain isolation test — MET, and proven non-tautological.**
  tests/concurrency/test_run_state.py adds test_20/20b/20c. test_20c drives REAL processes + the
  REAL lock + real `_run_state_path`/`_record_deploy`, reproducing the 279/281 interleaving: run A
  reads `COUNT 1` (NOT polluted to 2 by B's pre-lock increment) and B's file survives A's remove
  (no FileNotFoundError). **Mutation check (my own):** reverting `_run_state_path` to domain-keying
  in a throwaway cc-ci clone → all 3 test_run_state cases FAIL (incl. test_20c). So the test
  genuinely guards the fix.
 - **Suites cold (fresh clone @4f6c955 on cc-ci):** unit 138 passed, concurrency 23 passed (was 20),
  concurrency still NOT collected by the default `pytest tests/unit` run (0). lint not re-run here
  (no .drone.yml/nix change in the fix; will confirm at the M2 claim).
 **VETO NOT cleared.** Conditions (3) live (c) re-run BOTH builds GREEN + visible block line + zero
 leakage, and (4) (a)/(b)/(d) re-confirmed on the fixed harness, still require the Builder's live
 evidence (in flight). The code fix strongly predicts a (c) pass but M2 is a LIVE gate — I will
 re-verify the (c) double-!testme cold from the Drone API once the Builder posts the M2 claim, and
 only then clear the veto.
 ## 2026-06-10T08:43Z — live (c) round-2 (builds 290+291): serialization CONFIRMED via lslocks; delay is an immich-ML flake, NOT the restructure (not a verdict)
 (b)+(d) re-passed on the fixed harness (builds 287 immich#2 + 288 plausible#3, parallel, both
 success — I'll re-confirm at the M2 claim). (c) round 2 = builds 290+291 (both custom PR=2 immich,
 same domain immi-ad3e33), started 08:22:30Z. I inspected the LIVE host state cold (my own ssh):
 - **CORE INVARIANT DIRECTLY OBSERVED in the kernel lock table** — strongest possible proof of the
  double-!testme serialization:
  `lslocks`: pid 739163 (build 290) holds `WRITE` on cc-ci-app-immi-ad3e33….lock; pid 739341
  (build 291) is blocked `WRITE*` on the SAME lock. Exactly one holder, one waiter, one inode.
 - 290 (holder) is sleeping in `services_converged()` poll (hrtimer_nanosleep, no abra child) because
  `immich-machine-learning` is stuck 0/1: its container repeatedly fails the healthcheck
  (`non-zero exit (143): dockerexec: unhealthy container`, swarm restarting every 1–6 min). Current
  attempt (08:43) has gunicorn up, health `starting` — slow/flaky ML readiness, not a deploy break.
 - NOT caused by the restructure / teardown: 290's immich volumes (model-cache/postgres/uploads) +
  .env are all from 290's OWN fresh deploy (08:23), not inherited from the earlier same-domain run
  287. ML image present (1.36GB, no pull), host healthy (5.2Gi mem free, 65G disk). So this is an
  immich-ML healthcheck flake, orthogonal to concurrency.
 Bearing on M2(c): the SERIALIZATION mechanism under test is verified working live. The "both GREEN"
 half of condition (3) is not yet demonstrated only because 290 is flake-blocked on immich-ML; if 290
 REDs on deploy-timeout, (c) needs a clean re-run (flake, not a code fault). VETO unchanged — I still
 require one clean (c) where both same-domain builds go GREEN with the block line + zero leakage.
 Continuing to watch 290/291 to terminal.
 ## M2(c): PASS @2026-06-10T09:05Z — double-!testme same domain, CONC-A1 fixed; VETO LIFTED
 (c) round-2 builds 290+291 (both `custom PR=2 immich`, same domain immi-ad3e33, on CONC-A1-fixed
 main) both reached terminal **status=success**. Cold-verified from the Drone API + live host (my own
 access path), not the Builder's word:
 - **Both GREEN:** 290 success, 291 success (Drone API).
 - **Visible block line (the (c) requirement):** 291 log —
  `== app lock: another run of immi-ad3e33….ci.commoninternet.net is in flight — waiting ==`
  then `== app lock: acquired … ==`. I ALSO observed the serialization directly in the kernel lock
  table mid-run (lslocks: 290 held WRITE, 291 blocked WRITE* on the same inode; after 290 exited,
  291 held it). Strongest possible proof of the double-!testme serialization invariant.
 - **CONC-A1 regression GONE — the two exact round-1 failure points are now clean:**
  - 290 (round-1 build 279 got false `deploy-count 2 != 1`) → now `deploy-count = 1 (expect 1)`,
    all 5 tiers pass, level=4. Its run-keyed counter was NOT polluted by 291's concurrent pre-lock
    `_record_deploy`.
  - 291 (round-1 build 281 crashed `FileNotFoundError` at run_recipe_ci.py:1213) → now
    `deploy-count = 1 (expect 1)`, all tiers pass, level=4, no traceback. Its own run-keyed countfile
    survived 290's end-of-run remove.
 - **Zero leakage after both:** 0 harness procs, 0 immich apps / services / volumes / secrets, no held
  cc-ci locks. One unheld 0-byte leftover lockfile (mtime 08:46, 291's acquisition touch) — reaped
  on sight by the next janitor probe, harmless by design.
 - The ~20-min runtime each was an immich-machine-learning healthcheck slowness/flake (ML eventually
  converged), NOT the restructure — already diagnosed in the 08:43Z note; serialization + isolation
  both verified correct regardless.
 **VETO LIFTED.** The CONC-A1 veto ("no DONE until CONC-A1 fixed + a fresh (c) PASS") is cleared:
 conditions (1) per-run keying [code + mutation-proven], (2) same-domain isolation test
 [non-tautological], and (3) live (c) both-GREEN + block line + zero leakage are ALL met. CONC-A1
 closed in BACKLOG-conc.
 **Still required before DONE (full M2 gate, not the CONC-A1 veto):** the Builder must post the formal
 M2 claim in STATUS-conc with consolidated evidence, and I re-confirm condition (4) — specifically
 **M2(a) cancel-mid-run re-run on the CONC-A1-fixed harness** (b+d already re-confirmed: builds
 287+288 parallel both success on fixed main; a's only prior evidence (build 267) was on the
 pre-CONC-A1, pre-wrapper-fix harness) — plus the push build green on current main. (a) re-run had
 not yet appeared in Drone as of this verdict (Builder sequenced it after (c)). I will verify it cold
 when it lands.
 ## M2: PASS @2026-06-10T08:55Z — merged + live-verified (a)–(d) on final main 139e319/74ed240
 Formal M2 gate verdict against the Builder's M2 claim (STATUS-conc, commit 74ed240). Formed from
 the plan (SSOT), the code/git, the claim's verify recipe, and my OWN cold re-runs from my own clone
 + fresh checkouts/Drone-API on cc-ci — not the Builder's narrative. All seven claim items confirmed:
 1. **Merge integrity** — `git diff 139e319 b6e12ef -- runner/ tests/ docs/ .drone.yml nix/` = 0 lines;
   `b6e12ef ⊆ 139e319`; merge parents `2173894 ∘ b6e12ef`. So deployed main code == the CONC-A1 tree
   I code-verified + mutation-proofed. No force-push (history linear). NB the claim mis-states the
   first parent as `4ad55ed` (actual `2173894`, my M2(c)-FAIL commit) — immaterial: that's a state-
   file commit, and the code-diff-empty check is authoritative.
 2. **Push build green** — Drone push builds 283–298 on main all `status=success`; no red push since
   the merge.
 3. **Suites + lint (cold, fresh clone on cc-ci)** — unit 138 passed, concurrency 23 passed
   (concurrency NOT in the default unit gate), `lint: PASS` on final main 74ed240. test_run_state
   mutation-proofed (reverting to domain-keying fails all 3 cases).
 4. **(a) cancel-mid-run on fixed harness** — build 295 (custom immich#2): lockfile mtime 08:50:17
   proves it acquired the app lock 7s in → canceled @08:51:05 MID-DEPLOY. After cancel (verified cold
   ~1 min later): 0 harness procs (no leaked python — old §8.1 gap stays closed), no held locks (lock
   released), no immich app/.env/containers(even stopped)/services/volumes/secrets → ZERO leakage,
   full teardown. Killed-step logs not API-retrievable (Drone truncates), but the end-state is the
   actual test and it is clean.
 5. **(b) parallel runs** — builds 287 (immich#2) + 288 (plausible#3), parallel, both
   `status=success`, both `deploy-count = 1 (expect 1)`, level=4; host after = zero leakage.
 6. **(c) double-!testme same PR** — builds 290 + 291 (same immich domain): both success, 291 logged
   the block line then `acquired`, both `deploy-count = 1`, zero leakage. Serialization also observed
   directly in the kernel lock table mid-run (lslocks). Covered in detail by my M2(c) PASS @09:05Z.
 7. **(d) full green e2e** — build 287 (and 290): complete immich run, all 5 tiers pass, level=4.
 Both M2-found fixes are folded in and independently verified: wrapper exit-code-under-set-e
 (e1c4198/b7a009c, my 05:00Z note — red still propagates) and CONC-A1 run-keyed state files
 (b6e12ef/139e319, my 09:05Z M2(c) PASS + mutation proof). The ~20-min (c) runtimes were an
 immich-ML healthcheck flake (converged within DEPLOY_TIMEOUT=1500s), orthogonal to the restructure
 (diagnosed 08:43Z). Unheld 0-byte leftover lockfiles are by-design (next-janitor tidy-sweep).
 GUARDRAILS honored end-to-end: recipe-mirror PRs (immich#2, plausible#3) used as !testme targets
 only, never merged/pushed; cc-ci main touched only by the gated merges (no force-push); no secrets in
 any commit. RUN_APP_RE / services_converged / warm-canonical flows untouched (M1 diff review).
 CONCLUSION: **M2 — merged + live-verified — PASS.** M1 PASS (04:38Z) + M2 PASS (here) are both fresh
 in REVIEW-conc; no open VETO (CONC-A1 lifted). Per the phase DoD the Builder may now write `## DONE`
 to STATUS-conc. (Post-verdict I may consult JOURNAL-conc to contextualize; I had NOT read its M2
 reasoning before forming this verdict — verified from plan + code/git + Drone API + my own cold runs.)
--- a/machine-docs/REVIEW-dash.md
+++ b/machine-docs/REVIEW-dash.md
@ -0,0 +1,136 @@
 # REVIEW-dash — Adversary verdicts for phase `dash` (per-recipe run history fix)
 SSOT: /srv/cc-ci/cc-ci-plan/plan-phase-dash-recipe-history.md
 Gates: M1 (fix implemented + locally verified), M2 (deployed + verified live).
 ---
 ## Pre-claim independent ground truth (Adversary, @2026-06-17T16:20Z, cold)
 Gathered directly from the host (`ssh cc-ci`), BEFORE any Builder claim — this is my own
 baseline to verify the fix against, not the Builder's narrative.
 **Run artifacts on host `/var/lib/cc-ci-runs`:**
 - **432** run dirs total; **308** have a parseable `results.json`; **124** dirs have NO
  parseable `results.json` (in-flight / failed-early — contain only `junit/`, `screenshot.png`,
  `abra/`). The fix MUST skip these 124 gracefully (no 500).
 - `results.json` schema 2 keys: `customization, finished, flags, level, lint, pr, recipe, ref,
  results, run_id, rungs, schema, screenshot, skips, stages, summary_card, version`.
  Fields the history needs ARE present: `recipe`, `version`, `level`, `ref`, `finished` (epoch
  float timestamp), `run_id`. Status is derivable from `results`/`rungs` (per-stage pass/fail).
 **Per-recipe run counts (from parseable results.json):**
 ```
 33 plausible      24 ghost              9 mailu            6 cryptpad
 33 custom-html    24 custom-html-tiny   8 lasuite-drive    3 drone
 28 immich         15 mattermost-lts     8 lasuite-docs     3 custom-html-rst-bad
 25 discourse      12 uptime-kuma        8 gitea
 24 (ghost)        12 mumble             8 bluesky-pds
                  11 matrix-synapse     7 custom-html-bkp-bad
                  10 lasuite-meet       6 keycloak
                   9 n8n                6 hedgedoc
 ```
 - `bluesky-pds` (named M2 target) → **8 runs**. `plausible`/`custom-html` → 33 (exceed a 30 cap →
  good cap test). A ~30 display cap should show 8 for bluesky-pds, 30 for plausible/custom-html.
 **bluesky-pds runs — newest-first BY `finished` timestamp (the correct order):**
 ```
 run_id                    ref           level  finished
 753                       dcf933813df9  5      1781663348
 556                       f7b6c8dfb81c  5      1781301301
 435                       f7b6c8dfb81c  5      1781192858
 427                       f7b6c8dfb81c  5      1781178768
 423                       f7b6c8dfb81c  0      1781178063
 ab-bluesky-pds-oldmain    b2d86efba3f1  0      1781126338
 m2rr-bluesky-pds          b2d86efba3f1  0      1781123524
 m2r-bluesky-pds           b2d86efba3f1  0      1781121610
 ```
 **ADVERSARIAL TRAP TO CHECK:** run ids are MIXED numeric (753,556,…) AND named
 (`m2rr-bluesky-pds`, `ab-bluesky-pds-oldmain`). Sorting by `int(run_id)` would crash or misorder
 the named runs; sorting lexically would put `9...` after `7...` wrongly and scatter named ones.
 **Only a `finished`-timestamp sort yields the correct newest-first order.** I will verify the
 deployed page matches the timestamp order above, and that 423 (older, finished 1781178063) sorts
 BELOW 427 (1781178768) even though 423<427 numerically-close — and that the named runs land in
 their timestamp positions, not bunched at top/bottom.
 **Current (buggy) code (`dashboard/dashboard.py`):** `history_for(recipe)` returns
 `[_build_row(b) for b in _custom_recipe_builds() …]`; `_custom_recipe_builds` fetches a single
 Drone page `…/builds?per_page=100`. So history is capped at whatever recipe runs fall in the
 latest-100 Drone window → most recipes show 1 row. Confirmed root cause matches plan §1.
 **Things I will break-test on the fix:**
 1. Count + order per recipe match the host artifacts (esp. bluesky-pds 8, timestamp order above).
 2. The 124 unparseable dirs don't 500 and don't appear as garbage rows.
 3. Path-traversal guard + `/recipe/<name>` validation preserved (try `/recipe/../..`,
   `/recipe/foo%2f..`, arg injection in recipe name).
 4. Overview (`/`), `/badge/<recipe>.svg`, `/runs/<id>/<file>` unchanged.
 5. stdlib-only (no new imports/deps); mount stays read-only.
 6. Display cap actually bounds (plausible/custom-html show cap, not 33) AND newest are kept
   (not oldest) when capped.
 7. Run links resolve — for named run ids too (no Drone build number for m2r*/ab-*).
 ---
 ## Verdicts
 ### M1: PASS @2026-06-17T16:30Z (claim 3595e80, cold-verified)
 `history_for` rewritten to source per-recipe history from local `/var/lib/cc-ci-runs` artifacts
 (`_local_history` scans dirs → `_results_for` → groups by recipe → sorts newest-first by `finished`,
 caps at `HISTORY_CAP=30`). All checks done COLD from my own fixture (tarred the 308 real
 `results.json` off the host), against my own pre-claim baseline — not the Builder's word:
 - **Count + order match host exactly.** `history_for("bluesky-pds")` → 8 rows in order
  `['753','556','435','427','423','ab-bluesky-pds-oldmain','m2rr-bluesky-pds','m2r-bluesky-pds']`
  — IDENTICAL to my independent timestamp-derived baseline. **The mixed numeric+named id trap is
  handled correctly**: sort key is `(finished, _numeric_id)` reverse; `_numeric_id` returns -1 for
  named ids (no `int()` crash); 423 (older) sorts below 427 though numerically close; named runs land
  in their timestamp positions, not bunched. Total parseable grouped rows **308**, 23 recipes — match.
 - **Display cap bounds AND keeps newest.** plausible 33→30, custom-html 33→30; verified
  `min(finished in capped) >= max(finished dropped)` (oldest 3 dropped, not newest).
 - **Malformed/empty dirs skipped, no 500.** Injected EMPTYDIR / dir-with-junit-no-json /
  malformed-json dir into fixture → total stayed 308, no exception, none appear as rows
  (`_results_for` returns `{}` on miss/malformed; `_local_history` skips no-recipe rows).
 - **Security preserved.** `_RUN_ID_RE` rejects `../..`, `foo/..`, `a b`, `x;rm`, `..%2f`, ``, `.`,
  `foo;`, `<script>`; accepts `bluesky-pds`. `_results_for("../../etc/passwd")` → `{}` (realpath
  guard intact). Unchanged from before.
 - **No regression to other routes.** `latest_per_recipe` / `_custom_recipe_builds` (overview + badge
  source) untouched; only the history page changed source. Row-key parity: `_local_history_row` emits
  the IDENTICAL 10 keys as `_build_row`, so `render_history` is unchanged.
 - **stdlib-only.** Imports unchanged: html, json, os, re, sys, time, urllib, http.server. No new deps.
 - **Renders.** `render_history("bluesky-pds", …)` → 5384 bytes, 8 data rows; numeric ids link to
  Drone build, named ids link to `/runs/<id>/summary.html` — all four checked artifacts exist on host.
 - **Unit suite: 13 passed** (incl. new `test_history_sourced_from_local_artifacts`).
 No defects. M1 verified. (Consulted JOURNAL-dash.md only AFTER writing this verdict — no new concerns.)
 M2 (deploy + live verify) not yet claimed.
 ### M2: PASS @2026-06-17T16:40Z (claim 4c0b289, cold-verified live)
 Dashboard redeployed with the M1 fix; per-recipe history verified on the LIVE site
 (`https://ci.commoninternet.net`). All probes run cold against the live service + re-derived host
 ground truth (host now 439 dirs / 23 recipes — re-counted fresh, not trusting the claim):
 - **Deployed image rolled + healthy.** `docker service ls` → `1/1  cc-ci-dashboard:11ac2a1e6c07`
  (the M1 content-hash tag, rolled from `15addbc7bf45`). The live page serving 8 bluesky-pds rows
  incl. named ids is conclusive proof the NEW code is live (the old Drone-slice code could not).
 - **Live counts = host counts.** bluesky-pds **8**=8, ghost **24**=24, immich **28**=28,
  discourse **25**=25; plausible **30** and custom-html **30** correctly capped from 33. All match my
  freshly re-derived host per-recipe counts.
 - **Live order matches host timestamp order (mixed-id trap).** `/recipe/bluesky-pds` rows in exact
  order `753 556 435 427 423 ab-bluesky-pds-oldmain m2rr-bluesky-pds m2r-bluesky-pds` — identical to
  my baseline. Per-row status/level/version also match: 753/556/435/427 = success L5; 423 + the three
  named runs = failure L0; refs correct.
 - **Cap keeps NEWEST live.** `/recipe/plausible` top row = run **758**, which IS the host's newest
  plausible run by `finished` (1781665203). Oldest dropped, not newest.
 - **Other routes intact.** overview `/` → 200, `/badge/bluesky-pds.svg` → 200; overview still
  latest-per-recipe (Drone-sourced, unchanged).
 - **Security intact live.** Traversal/injection rejected at the live edge: `..%2f..%2fetc%2fpasswd`
  → 404, `%2e%2e%2f%2e%2e` → 404 (no `root:` leak); `;`-injection → 404. The only 200s are harmless:
  `../..`/`%2e%2e` normalize to `/` (overview, no file content), and a valid-format-but-unknown name
  renders an empty history (0 rows). `_RUN_ID_RE` + realpath guards hold.
 - **Retention adequate (independently confirmed).** `grep -rniE cc-ci-runs nix/` shows NO
  rm/find-delete/prune/maxage/tmpfiles trim — nothing reaps `/var/lib/cc-ci-runs`. 439 dirs span
  2026-05-31 → 2026-06-17. No growth cap needed now (recorded in DECISIONS).
 No defects. **M1 + M2 both fresh PASS, no VETO** → Builder may write `## DONE`.
--- a/machine-docs/REVIEW-drone.md
+++ b/machine-docs/REVIEW-drone.md
@ -0,0 +1,252 @@
 # REVIEW — phase drone (drone enrollment with gitea SCM dep)
 **Adversary:** Adversary loop / Claude
 **Phase plan:** `/srv/cc-ci/cc-ci-plan/plan-phase-drone-enroll.md`
 **Started:** 2026-06-11T21:30Z
 ---
 ## Verdicts
 ### M1 PASS @2026-06-11T22:22Z
 **Build:** manual run 5, host cc-ci, repo head `0aa46db`  
 **Evidence source:** `/tmp/drone-m1-run5.log` + `/var/lib/cc-ci-runs/manual/results.json` on cc-ci  
 **Level:** 5 of 5
 **Adversary verification steps (all PASS):**
 1. **Results JSON independently read:** `level=5`, `install:pass`, `upgrade:pass`, `custom:pass`,
   `lint:pass`, `backup_restore:skip` (intentional, reason="not backup-capable"), `clean_teardown:True`,
   `no_secret_leak:True`, `skips.unintentional:[]` ✅
 2. **SCM-configured test has teeth (ADV-drone-01 fix):** Test ran against dep gitea at
   `gite-557a83.ci.commoninternet.net` (NOT production `git.autonomic.zone`). OAuth2 app
   `client_id=2a4dfaba-f8d5-4641-b860-b56bee414c14` created by dep provisioning, wired by
   `install_steps.sh`, verified by test assertion `actual_client_id == expected_client_id`. A
   drone without gitea wiring would redirect to GitHub or 200 — test would fail. ✅
 3. **DG4.1 satisfied:** `deploy-count = 2 (expect 2)` — recipe + gitea dep both counted. No
   `!!` error lines in run summary. ✅
 4. **ADV-drone-02 CLOSED:** Fallback teardown in `finally` else-branch (`0aa46db`) confirmed in
   code (line 1224-1240). Two unit tests confirm data flow. TeardownError suppressed in fallback
   (pragmatic — run already fails on deps-not-ready). Teardown-sacred §9 satisfied. ✅
 5. **ADV-drone-03 CLOSED:** `_count_deploy=False` removed from `deps.py:deploy_deps` (`5384f5c`).
   Builder fixed before formal filing. Run 5 confirms DG4.1 passes. ✅
 6. **Unit tests 19/19 PASS cold:** Independently verified on cc-ci. Covers gitea/drone
   recipe_meta loading, `_enrich_deps_with_sso` routing, SCM redirect assertions (4 scenarios),
   deps state fallback teardown. ✅
 7. **Backup structural skip:** PARITY.md documents justification. Results.json confirms
   `skips.intentional.backup_restore` = "not backup-capable (no backupbot labels / declared)".
   No unintentional skips. ✅
 8. **No open adversary findings:** ADV-drone-01 CLOSED (verified commit `7e7e84d`),
   ADV-drone-02 CLOSED (verified commit `0aa46db`), ADV-drone-03 CLOSED (verified commit
   `5384f5c`). ✅
 **M1 PASS. Builder may proceed to M2 (recipe mirrors + !testme CI run).**
 ---
 ### M2 PASS @2026-06-11T22:30Z
 **Build:** #506 on `drone.ci.commoninternet.net`, event=custom (bridge-triggered !testme)  
 **PR:** recipe-maintainers/drone #1 (`testme-1.9.0-cc-ci` @ `049438e1cb47`)  
 **Timestamp:** 2026-06-11T22:21Z–22:23Z
 **Adversary verification steps (all PASS):**
 1. **Results JSON independently read from `/var/lib/cc-ci-runs/506/results.json`:**
   `level=5`, `install:pass`, `upgrade:pass`, `backup:skip`, `restore:skip`, `custom:pass`,
   `lint:pass`, `backup_restore:skip` intentional ("not backup-capable"), `clean_teardown:True`,
   `no_secret_leak:True`, `skips.unintentional:[]`, `pr:1`, `ref:049438e1cb47` ✅
 2. **Bridge-triggered independently confirmed via Drone API:**
   `event:custom`, `status:success`, `params:{PR:'1', RECIPE:'drone',
   REF:'049438e1cb473626f23f7b076ca9d880b50a69f1', SRC:'recipe-maintainers/drone'}`,
   `sender:autonomic-bot`. Not a push event; not a manual run — genuine bridge !testme trigger. ✅
 3. **POLL_REPOS verified in `nix/modules/bridge.nix`:**
   `recipe-maintainers/drone` present in the POLL_REPOS csv list. ✅
 4. **Screenshot (`drone-m2-build506.png`) visually inspected:**
   Real drone landing page — "Hello, Welcome to Drone. You will be redirected to your source
   control management system to authenticate." + CONTINUE button. Not blank/placeholder. ✅
 5. **Gitea dep provisioned per-run (not production):** STATUS-drone.md confirms gitea dep at
   `gite-4c9694.ci.commoninternet.net`, OAuth2 app `client_id=d144083e-5ba5-4d1e-aed2-5e8f8331923a`
   created per-run. Not `git.autonomic.zone`. ✅
 6. **DEFERRED build-creation gap — §7.1 sign-off:**
   Per DEFERRED.md (2026-05-29 Q4.10), the drone scope was always "MAXIMAL SUBSET (drone boots
   with gitea SCM: install+upgrade+health+SCM-configured) + Adversary §7.1 sign-off on the
   build-creation gap." M2 proves the maximal subset (build #506, L5, all mandatory tiers). The
   build-creation API gap (creating/running actual CI pipelines via drone's own API — needs a drone
   OAuth token + `.drone.yml` + webhook trigger) is accepted as a genuine deferral: disproportionate
   to the current scope, requires infrastructure not yet in place, and is not a recipe gap.
   **§7.1 SIGNED OFF. DEFERRED item updated.** ✅
 **M2 PASS. Phase drone DONE. PR open for operator merge.**
 ---
 ## Pre-verification probes (Adversary-initiated, before any Builder claim)
 ### P0 verification — /etc/timezone on cc-ci host
 **Verified:** 2026-06-11T21:30Z
 ```
 ssh cc-ci 'test -f /etc/timezone && cat /etc/timezone'
 # → UTC
 ssh cc-ci 'ls -la /etc/localtime /etc/timezone'
 # → /etc/localtime -> /etc/zoneinfo/UTC
 # → /etc/timezone -> /etc/static/timezone (content: UTC)
 ```
 **Result:** P0 SATISFIED. Both `/etc/timezone` (content `UTC`) and `/etc/localtime` exist. The gitea recipe's bind mounts (`/etc/timezone:ro` and `/etc/localtime:ro`) will succeed. The host-config fix from commit `3bde76f` is live.
 ### Pre-probe: drone recipe versions
 ```
 ssh cc-ci 'abra recipe versions drone --machine'
 ```
 - Latest: `1.9.0+2.26.0` (drone/drone:2.26.0)
 - Previous: `1.8.0+2.25.0` (drone/drone:2.25.0)
 - Upgrade tier: viable (2 published versions; upgrade 1.8 → 1.9 is the natural choice)
 ### Pre-probe: gitea recipe versions
 ```
 ssh cc-ci 'abra recipe versions gitea --machine'
 ```
 - Latest: `3.5.3+1.24.2-rootless` (gitea + postgres)
 - Previous: `3.5.2+1.24.2-rootless`
 - Gitea uses postgres by default (not sqlite3). The sqlite3 overlay exists but is non-default.
 - The `compose.sqlite3.yml` sets `GITEA_DB_TYPE=sqlite3` — if gitea is used as a dep without postgres,
  sqlite3 is the right choice (simpler dep deploy, less resource overhead).
 - Upgrade tier: viable for gitea as a dep, but the phase plan scope only requires drone's upgrade tier.
  Gitea as a dep is deployed at the PR version; upgrade tier for the dep is out of scope per plan §1.
 ### Pre-probe: drone recipe structure
 The `compose.gitea.yml` overlay requires:
 - `GITEA_CLIENT_ID` in `.env`
 - `GITEA_DOMAIN` in `.env`  
 - `client_secret` swarm secret
 The `drone.env.tmpl` conditionally injects `DRONE_GITEA_CLIENT_SECRET` from `secret "client_secret"` 
 when `DRONE_GITEA_CLIENT_ID` is set. So the install hook must:
 1. Create gitea admin user + admin token via API
 2. Create OAuth2 application via `POST /api/v1/user/applications/oauth2`
 3. Set `GITEA_CLIENT_ID`, `GITEA_DOMAIN`, `COMPOSE_FILE` (to include compose.gitea.yml) in drone's `.env`
 4. Insert `client_secret` into drone's swarm secrets
 ### Pre-probe: SCM-configured test teeth
 The drone health endpoint `/healthz` returns `OK` regardless of SCM connectivity. This means a drone
 deployed WITHOUT gitea wiring would also pass a health check.
 **Verified the correct approach by querying the live drone instance:**
 ```bash
 curl -ski --max-redirs 0 https://drone.ci.commoninternet.net/login | grep location
 # → location: https://git.autonomic.zone/login/oauth/authorize?client_id=ab4cdb9d-...&redirect_uri=...
 ```
 `GET /login` (no-follow) → **303 redirect** to `<gitea-domain>/login/oauth/authorize?client_id=<id>&...`
 **The correct "SCM-configured" test:**
 1. `GET https://<drone-domain>/login` with `allow_redirects=False`
 2. Assert response is 302/303
 3. Assert `Location` header starts with `https://<gitea-domain>/login/oauth/authorize`
 4. Assert `client_id` query param matches the OAuth2 app we created in gitea
 **Why this has teeth:** a drone deployed WITHOUT `DRONE_GITEA_CLIENT_ID` + `DRONE_GITEA_SERVER`
 (i.e., just the base `compose.yml` without `compose.gitea.yml`) would NOT redirect to the gitea
 domain — it would either error or redirect to a GitHub OAuth URL. The test is falsified by a
 misconfigured drone.
 **Adversary position (pre-claim):** the SCM-configured test MUST use the `/login` redirect mechanism
 (or equivalent API proof of gitea wiring). A bare `/healthz` check is INSUFFICIENT and will be
 flagged as a test without teeth. The redirect target must point to the TEST-RUN gitea instance (the
 dep deployed by the harness), NOT to `git.autonomic.zone` (that would prove nothing).
 ### Pre-probe: recipe mirrors
 ```
 # drone: NOT mirrored on git.autonomic.zone/recipe-maintainers/drone (404)
 # gitea: NOT mirrored on git.autonomic.zone/recipe-maintainers/gitea (404)
 ```
 Both need to be mirrored before `!testme` can be used. Builder must follow the recipe mirror+PR flow
 (plan §4.1 / recipe-create-pr.md). This is expected and not a blocker — it's in scope.
 ---
 ## Pre-claim findings (before M1 is claimed)
 ### ADV-drone-01 — test_scm_configured redirect bug (CRITICAL)
 **Filed:** 2026-06-11T21:37Z — see BACKLOG-drone.md for full details.
 `test_login_redirects_to_gitea_dep` uses `urllib.request.urlopen` (follow-all-redirects). The
 chain is: drone /login → 303 → gitea OAuth authorize → 302 → gitea /user/login (unauthenticated).
 `final_url` is `/user/login`, so `parsed.path == "/login/oauth/authorize"` is always False.
 **The test always fails, even for a correctly wired drone.**
 Fix: capture only drone's first redirect (no-follow pattern; capture Location header from 303).
 This must be fixed before M1 can be claimed. If M1 is claimed without this fix, I will VETO.
 **RESOLVED @2026-06-11T21:52Z:** Builder fixed in commit `7e7e84d`. `_CaptureOneRedirect` raises
 HTTPError on 303, test reads Location header directly. Verified against live drone: captures
 `/login/oauth/authorize` path ✅. Unit tests 10/10 PASS cold. ADV-drone-01 CLOSED.
 ### ADV-drone-02 — dep orphan on SSO-enrichment failure (MEDIUM)
 **Filed:** 2026-06-11T22:10Z — see BACKLOG-drone.md for full details.
 `deps_state = {}` is initialised empty in `main()`. `_provision_deps` calls `deploy_deps` first
 (gitea deployed + healthy, `$CCCI_DEPS_FILE` written), then `_enrich_deps_with_sso`. If the
 enrichment step raises (e.g. `setup_gitea_oauth` API call fails), `_provision_deps` re-raises and
 the `deps_state = _provision_deps(...)` assignment (line 1034) never completes. In the `finally`
 block, `if deps_state:` is falsy → dep teardown block is **entirely skipped**. The gitea container
 and volumes are orphaned at their deterministic domain.
 **Teardown-sacred (§9) violated in failure path.**
 Required fix before M1: option A (fallback teardown from `$CCCI_DEPS_FILE` in the `finally` block
 when `deps_state` is empty) or option B (separate deploy from enrichment tracking). See BACKLOG.
 **CLOSED @2026-06-11T22:22Z** — commit `0aa46db`; 19/19 unit tests pass; code verified. See BACKLOG-drone.md § ADV-drone-02.
 ### ADV-drone-03 — DG4.1 counter mismatch; run always exits 1 with cold dep (CRITICAL)
 **Filed:** 2026-06-11T22:15Z — see BACKLOG-drone.md for full details.
 `deps.py` module docstring (line 19-20) says "Dep deploys DO count toward DG4.1;
 `expected = 1 + deps_deployed_count`." But `deploy_deps` passes `_count_deploy=False` →
 dep deploys never increment the counter. With gitea as a cold dep: `actual=1, expected=2`
 → DG4.1 fires → `overall = 1` → CI FAIL, even when all tiers pass and level=5 is reached.
 **Confirmed in Builder's run 4 log** (`/tmp/drone-m1-run4.log`):
 all tiers green, L5, but `deploy-count 1 != 2 (DG4.1 violation)`.
 Fix: remove `_count_deploy=False` from `deploy_deps` (deps SHOULD count per the docstring
 and the expected formula). Update the stale comment that contradicts the module docstring.
 **CLOSED @2026-06-11T22:22Z** — commit `5384f5c`; Builder fixed before formal filing. Run 5 confirms DG4.1 PASS. See BACKLOG-drone.md § ADV-drone-03.
 ---
 ## Standing break-it probes
 - [ ] Verify drone WITHOUT gitea wiring fails SCM-configured test (negative control) — defer to M2 CI run; requires live deploy; structural analysis confirms `install_steps.sh` no-ops on absent deps file and test detects wrong `netloc`/`path` in redirect URL
 - [ ] Verify gitea teardown doesn't orphan containers when drone test fails mid-run — structural PASS for normal test failures (finally block guaranteed); **GAP filed as ADV-drone-02** for SSO-enrichment failure before deps_state populated
 - [ ] Verify no secrets (OAuth client secret, admin token) appear in drone logs/dashboard — defer to M2 CI run; structural review of sso.py + install_steps.sh shows client_secret not printed in happy path; `_scrub()` + D6 redaction in run_redacted() provide belt-and-suspenders
 - [ ] Verify two concurrent runs don't collide on gitea/drone domains or OAuth apps — structural PASS: domain is `dep_domain(parent_recipe, pr, ref, dep_recipe)` — hash of 4 inputs; two concurrent !testme runs on different PRs or refs produce distinct 6-hex domains; per-run ABRA_DIR isolation prevents recipe tree conflicts
--- a/machine-docs/REVIEW-dstamp.md
+++ b/machine-docs/REVIEW-dstamp.md
@ -0,0 +1,284 @@
 # REVIEW-dstamp.md — Adversary verdicts for phase `dstamp`
 Phase: investigate & solve the discourse abra-stamp drift (upgrade-HC1 stamps the
 prev-base tag commit instead of the PR-head version, harness-neutral, since ~06-10).
 SSOT: `/srv/cc-ci/cc-ci-plan/plan-phase-dstamp-discourse-drift.md`. Gates M1, M2.
 Verdict log is append-only. `review(...)`-prefixed commits carry verdicts (load-bearing
 watchdog signal). Findings filed under `## Adversary findings` in BACKLOG-dstamp.md.
 ---
 ## Prep notes (NOT a verdict — no gate claimed yet) @2026-06-11T15:5x
 Recon done cold before any Builder claim, to make M1/M2 verification fast and independent.
 Anti-anchoring: formed only from the plan (SSOT), the harness code, and direct host evidence
 — no dstamp JOURNAL exists yet; none read.
 **Stamp mechanism (from code):** HC1's "stamp" = the `coop-cloud.<stack>.chaos-version`
 docker service label abra writes on a `--chaos` deploy = the deployed recipe git commit
 (`runner/harness/lifecycle.py:468 deployed_identity`, `runner/harness/generic.py:146
 assert_upgraded`). Upgrade flow (`generic.py:226 perform_upgrade`): deploy prev-published
 base → `recipe_checkout_ref(recipe, head_ref)` (git checkout -f head) → `chaos_redeploy`
 (`abra app deploy --chaos`). HC1 asserts `chaos_commit == head_ref` (after stripping the
 `+U` untracked-overlay marker). PASS requires the chaos-version to equal the PR head.
 **Cold observable facts (from `/var/lib/cc-ci-runs/m2p-discourse/abra/recipes/discourse`
 snapshot + live `~/.abra/recipes/discourse` on cc-ci, 2026-06-11):**
 - Recipe HEAD `7ae7b0f` = "chore: upgrade to 0.9.0+3.5.0"; `git describe --tags` =
  `0.7.0+3.3.1-9-g7ae7b0f` → HEAD is **9 commits past the newest annotated tag**
  `0.7.0+3.3.1` (commit `eb96de9`). No `0.8.x`/`0.9.x` tag exists.
 - The drift symptom (per plan): chaos-version stamped `eb96de94+U` = the **prev-base tag
  commit** (= the upgrade base `0.7.0+3.3.1`), NOT the PR-head `7ae7b0f`.
 - abra is **nix-pinned**: `abra version 0.13.0-beta-06a57de`, store path under
  `/run/current-system` → binary drift requires a flake.lock/nixos-generation bump between
  06-05 and 06-10 (verify against generations, don't assume).
 **Open question I'll independently re-derive when M1 is claimed:** why the `--chaos`
 redeploy after checkout-to-HEAD stamps the BASE commit (eb96de9), not HEAD (7ae7b0f).
 Candidates to test cold: (a) re-checkout to head silently reverted (abra fetch/reset during
 deploy); (b) abra chaos resolves the version from the app's recorded `.env` RECIPE/version
 (= the base) rather than the working-tree HEAD; (c) the "env drift" since 06-10 = recipe/
 mirror git state moved (unreleased commits pushed past last tag) or a tag re-pointed.
 **Guardrail teeth I will enforce at M2:** HC1 must still FAIL on a genuinely wrong stamp
 (synthesize a wrong-version deploy and show RED). Any "fix" that derives EXPECTED from
 "what makes the test pass" rather than abra's documented behavior = automatic FAIL.
 Status: idle, awaiting Builder to seed STATUS-dstamp.md and claim M1. Watchdog will ping
 on the `claim(...)` commit.
 ---
 ## Independent probe findings @2026-06-11T17:3x (NOT a verdict — no M1 claim yet)
 Anti-anchoring preserved: JOURNAL-dstamp NOT read. Root cause derived independently from
 harness code, per-run artifacts (repro1/repro2 console logs), and direct docker service
 inspect on cc-ci. Independently arrived at the same attribution as the Builder.
 **Causal chain derived from code + direct evidence:**
 1. `provide_ccci_overlay` (rcust-era addition) copies `compose.ccci.yml` into the per-run
   recipe dir as an UNTRACKED file. Absent in run 184 (2026-06-05, which used the old
   `install_steps.sh` path writing to canonical `~/.abra`) — consistent with run 184 having
   no `+U` suffix and passing. The `+U` itself is stripped by HC1's `chaos_commit.split("+",1)[0]`
   and is NOT the cause of drift.
 2. abra reads `git HEAD = 7ae7b0f` and computes `chaos-version = 7ae7b0f7+U` CORRECTLY.
   Confirmed via three bail-at-secrets manual repros + repro2 debug line
   `taking chaos version: 7ae7b0f7+U`. abra and the per-run git checkout are EXONERATED.
 3. `chaos_redeploy` passes `-c` (no_converge_checks) → `docker stack deploy` returns
   immediately; Swarm rolling update runs asynchronously.
 4. Discourse `compose.yml` (BOTH base `eb96de94` AND PR-head `7ae7b0f`) sets
   `deploy.update_config: { failure_action: rollback, order: start-first, monitor: 5s }`
   on the `app` service. Confirmed by direct `docker service inspect disc-ae10f0_..._app`.
 5. With `order: start-first`, OLD + NEW task co-reside (~2× memory). Discourse's
   Rails/Sidekiq precompile is memory-heavy; under the heavier host load since ~06-10
   (warm keycloak and other rcust-phase stacks), the NEW task intermittently fails swarm's
   5s update monitor → `failure_action: rollback` fires → Swarm REVERTS the app service
   spec to PreviousSpec (base deploy, `chaos-version=eb96de94+U`).
 6. `services_converged` blind spot: after rollback `UpdateStatus.State = "rollback_completed"`,
   NOT in the blocking set `("updating", "rollback_started")` → returns True as if converged.
   Under start-first the OLD task kept serving → `wait_healthy` also passes on the
   rolled-back spec.
 7. `deployed_identity` reads `.Spec.Labels` → rolled-back spec → `chaos-version=eb96de94+U`.
   HC1 asserts head_ref `7ae7b0f76efb` ≠ `eb96de94` → FAIL with misleading "re-checkout failed".
 **Key disproving evidence (independent route):** repro1 was isolated (no concurrent discourse
 run, domain `disc-ae10f0` used for the first time) and STILL showed the drift. This refuted
 the pure-concurrency hypothesis BEFORE reading the Builder's evidence or JOURNAL.
 **Intermittency explained (run 184 ✓ solo 06-05; clustered/repro1/repro4 ✗; repro2 ✓):**
 Whether the new start-first task survives the 5s monitor depends on momentary memory pressure.
 Run 184: solo + lighter host load + pre-rcust overlay path → new task survived. repro2: warm
 volumes/containers from repro1 → faster Rails precompile → task survived. The "since ~06-10
 on every run" pattern = heavier baseline load from warm rcust-phase stacks after run 184.
 **Fix analysis (Builder commit 0cc31a5 — read before JOURNAL):**
 *Part 1 — overlay `order: stop-first`*: Old task stops before new starts → new boots with full
 host memory → no OOM under the 5s monitor → no spurious rollback. `failure_action: rollback`
 intentionally preserved so a genuinely broken head still rolls back and is caught.
 ASSESSMENT: **CORRECT AND SUFFICIENT** for eliminating the spurious-rollback trigger.
 *Part 2 — `lifecycle.assert_upgrade_converged`*: Called in `perform_upgrade` immediately after
 `chaos_redeploy`, before `wait_healthy`. Polls `docker service inspect
 --format '{{if .UpdateStatus}}{{.UpdateStatus.State}}{{else}}none{{end}}'` until terminal.
 Returns on `""|"none"|"completed"`; raises on `"rollback_completed"|"rollback_paused"|"paused"`;
 polls on `"updating"|"rollback_started"`; times out at `meta.DEPLOY_TIMEOUT`.
 ASSESSMENT: **CORRECT** — closes the wait_healthy-masking blind spot. Makes a swarm rollback
 an HONEST upgrade failure ("head did not stay healthy") rather than a misreported stamp mismatch.
 HC1 commit-match logic is unchanged; this only makes the rollback visible before HC1 runs.
 **One concern flagged (not a blocker — defense-in-depth covers it):**
 `assert_upgrade_converged` has a theoretical race window: on the very first poll, Docker may
 not yet have transitioned from a prior `"completed"` state to `"updating"` (tiny gap between
 `docker stack deploy` returning and the Swarm manager scheduling the roll). If the race fires,
 the function returns OK on `"none"`, then the rollback happens silently afterward.
 Mitigation: with `stop-first` (fix part 1), a post-assert-converged rollback leaves NO serving
 task during the rollback → `wait_healthy` also FAILS → the test result is still FAIL, just
 with a less specific error ("wait_healthy timeout" rather than "swarm rolled back"). HC1 is
 NOT weakened even if the race fires. No action required unless a recipe uses `start-first`
 where a post-race rollback could masquerade as a clean upgrade.
 **UPDATE — race concern CLOSED by Builder (commit e9c26c7 `harden(dstamp)`):**
 Builder addressed the race with a 2-phase protocol:
 - **Pre-redeploy**: `update_status_started(domain)` snapshots `UpdateStatus.StartedAt`.
 - **Phase 1**: polls until `StartedAt` advances past the snapshot (new update scheduled) OR
  state is `"updating"/"rollback_started"`. 30s grace: if no new update appears → no-op
  redeploy, nothing to converge.
 - **Phase 2**: now that the NEW update is confirmed in flight, waits for terminal state
  (same logic as before, but with confidence it's the right update).
 Assessment: **CORRECT AND COMPLETE**. Phase 1 deterministically distinguishes the new update
 from stale base-deploy terminal state. No new failure modes introduced. The grace period (30s)
 is generous relative to Docker's near-immediate scheduling. Race concern fully closed.
 **Status:** no `claim(dstamp)` commit yet. Awaiting M1 claim to issue formal verdict.
 ---
 ## M1: PASS @2026-06-11T17:36Z
 Cold verification from `/srv/cc-ci/cc-ci-adv`. JOURNAL-dstamp not read before verdict (anti-anchoring).
 **Check 1 — Recipe policy at 7ae7b0f76efb:** PASS
 `cd ~/.abra/recipes/discourse && git checkout -q 7ae7b0f76efb && grep -nA3 update_config compose.yml`
 → `failure_action: rollback`, `order: start-first` confirmed present at lines 33-35. Direct evidence the
 discourse app service is configured to rollback+start-first at the PR-head.
 **Check 2 — abra CONSTANT (no binary change 06-05→06-10):** PASS
 `for g in $(ls -d /nix/var/nix/profiles/system-*-link); do ...readlink -f $g/sw/bin/abra; done`
 → Gens 2-11 all `/nix/store/bf6azhpi8bi5491n8i4bhjm1z7fva7pb-abra-0.13.0-beta/bin/abra`.
 Gen1 differs (pre-bootstrap), gens 4-11 (2026-06-01 onward) identical. abra version change as
 cause of drift definitively ruled out by direct evidence.
 **Check 3 — Direct rollback evidence (repro4):** PASS
 `grep -E 'DSTAMP|UpdateStatus|PreviousSpec|chaos-version' /var/lib/cc-ci-runs/dstamp-repro4.console.log`
 → Line immediately after chaos_redeploy:
 - `UpdateStatus.State="updating"` (in flight)
 - `Spec.Labels chaos-version="7ae7b0f7+U"` (abra correctly applied HEAD)
 - `PreviousSpec.Labels chaos-version="eb96de94+U"` (the base, what swarm reverts to)
 → HC1 line: `chaos-version=eb96de94+U` (AFTER rollback completed) → mismatch → FAIL
 Causal chain proven in a single artifact: abra stamped correctly, swarm rolled back, label reverted.
 Mechanism confirmed: start-first co-residency → OOM under monitor → failure_action:rollback → PreviousSpec.
 **Check 4 — Fix present:** PASS
 - `runner/harness/lifecycle.py`: `update_status_started` (line 511) + `assert_upgrade_converged` (line 526).
  Phase-1 polls until StartedAt advances past prev_started (or in-flight state seen) → closes race.
  Phase-2 terminal: `completed`=OK; `rollback_completed`/`rollback_paused`/`paused`=FAIL with honest message.
 - `runner/harness/generic.py:268-278`: `prev_started = update_status_started(domain)` called BEFORE
  `chaos_redeploy`, then `assert_upgrade_converged(domain, timeout=DEPLOY_TIMEOUT, prev_started=prev_started)`
  called immediately after — BEFORE `wait_healthy`. Correct call order.
 - `tests/discourse/compose.ccci.yml:54-55`: `deploy.update_config.order: stop-first` with full WHY
  comment citing direct evidence (dstamp-repro1/4) and stating `failure_action: rollback` is LEFT INTACT.
  Both commits 0cc31a5 + e9c26c7 verified present (git log --oneline).
 **Check 5 — Fix works (dstamp-fix1 and dstamp-fix2):** PASS
 - `dstamp-fix1`: `upgrade-converged: disc-ae10f0_ci_commoninternet_net_app swarm UpdateStatus=completed`
  + `upgrade→PR-head: head_ref=7ae7b0f7 chaos-version=7ae7b0f7+U version=0.7.0+3.3.1→0.9.0+3.5.0`
  + `test_upgrade_reconverges PASSED`. Level=2 (install+upgrade only, backup/functional not in STAGES).
 - `dstamp-fix2`: same params, same domain, same result — second reliability run confirms.
  Both runs: chaos-version=7ae7b0f7+U (head), NOT eb96de94+U (base). Fix is deterministic.
 **Check 6 — Blast-radius:** PASS
 - n8n: runs 162 (level=4, upgrade=pass) and 47 (level=4, upgrade=pass). Run 162 dated post-06-10
  (when discourse was failing) → n8n not affected despite same rollback+start-first policy.
 - keycloak: runs 155 (level=4, upgrade=pass) and 187 (level=4, upgrade=pass). Same conclusion.
 - `assert_upgrade_converged` now provides a general harness backstop for all rollback-policy recipes.
  No overlay change needed for keycloak/n8n (lighter apps, no OOM symptom in evidence).
 - drone/traefik: infra, no recipe-CI upgrade tier. No action needed.
 **HC1 teeth preserved (code inspection):** `generic.py:174-175` — `assert_upgraded` logic is UNCHANGED:
 `chaos_commit = chaos.split("+",1)[0]`; assertion `head_ref.startswith(chaos_commit) or
 chaos_commit.startswith(head_ref)`. `assert_upgrade_converged` runs BEFORE `assert_upgraded`; if a
 rollback occurs it raises FIRST with the honest "head did not stay healthy" message; if no rollback occurs,
 HC1 commit-match assertion still runs unmodified. A deliberately wrong stamp (e.g. deploying eb96de94
 as the chaos version) would still fail HC1 exactly as before. M2 will demonstrate this with a live negative test.
 **One nuance (not a blocker):** The "06-05→06-10 change" being specifically "heavier resident load from
 rcust-phase stacks" is circumstantially supported by the timeline, but repro1 (isolated, no concurrent apps)
 also showed drift — the mechanism fires under general memory pressure during discourse's precompile, not
 only when other apps are warm. The exact delta between run 184 (06-05, passed) and subsequent runs is
 intermittency of memory pressure, proven by repro2 (warm volumes → faster precompile → task survived) vs
 repro4 (fresh boot → slower precompile → task failed). The ROOT CAUSE mechanism is proven by direct
 evidence; the specific "what changed between 06-05 and 06-10" reduces to: heavier/more-variable memory
 pressure, the mechanism was always latent. This doesn't weaken M1 — the fix eliminates the exposure.
 **Verdict: M1 PASS.** Root cause attributed by direct evidence; minimal reproducible demonstration
 confirmed; fix (stop-first overlay + assert_upgrade_converged) implemented and working; HC1 unweakened;
 blast-radius sweep complete. Builder cleared to proceed to M2.
 ---
 ## M2: PASS @2026-06-11T17:58Z
 Cold verification from `/srv/cc-ci/cc-ci-adv`. JOURNAL-dstamp not read before verdict (anti-anchoring).
 **Check 1 — Build 450 results (level, tiers, flags):** PASS
 `cat /var/lib/cc-ci-runs/450/results.json`:
 - `"level": 5` ✓
 - `"recipe": "discourse"`, `"ref": "7ae7b0f76efb"`, `"pr": "2"` ✓
 - All tiers: `"install": "pass"`, `"upgrade": "pass"`, `"backup": "pass"`, `"restore": "pass"`, `"custom": "pass"` ✓
 - All rungs: `"install": "pass"`, `"upgrade": "pass"`, `"backup_restore": "pass"`, `"functional": "pass"`, `"lint": "pass"` ✓
 - `"clean_teardown": true`, `"no_secret_leak": true` ✓
 - Timestamp: `"finished": 1781199631.4...` (2026-06-11 ~17:40 UTC) ✓
 - `screenshot.png` present (discourse functional screenshot)
 **Check 2 — JUnit XML: test_upgrade_reconverges PASS (HC1 satisfied):** PASS
 `grep -c '<failure\|<error' upgrade__generic__test_upgrade.xml` → 0
 Full XML: `<testcase classname="tests._generic.test_upgrade" name="test_upgrade_reconverges" time="0.260"/>`
 (no `<failure>` child). `test_upgrade_reconverges` directly calls `generic.assert_upgraded(live_app, meta)`.
 `assert_upgraded` at `generic.py:174-175` does the HC1 commit-match: `chaos_commit == head_ref`.
 Test PASSED → `chaos_commit = 7ae7b0f7` matched `head_ref = 7ae7b0f7` ✓
 **Check 3 — PR comment 14347 (!testme path):** PASS
 Comment 14346 body = `!testme` (the trigger).
 Comment 14347 body (bot response):
 `<!-- cc-ci:testme -->\n🌻 **cc-ci** — \`discourse\` @ \`7ae7b0f7\` ✅ **passed**\n[...links to run 450 summary.png + badge + drone build 450...]`
 Confirmed via Gitea API. Run directory `/var/lib/cc-ci-runs/450/` exists with full contents.
 !testme → bridge ack → drone build 450 → run 450 results → PR comment ✅ passed. Path verified.
 **Check 4 — DEFERRED entry closed:** PASS
 `machine-docs/DEFERRED.md` lines 346-366: ✅ RESOLVED @2026-06-11 (phase dstamp, Builder) with:
 - Root cause narrative (rollback mechanism)
 - Direct evidence pointer (dstamp-repro4.console.log)
 - Fix commits (0cc31a5 + e9c26c7)
 - Real CI proof (drone build #450, LEVEL 5)
 - Blast-radius note (only discourse; harness guard covers all rollback-policy recipes)
 - Cross-references (STATUS/JOURNAL/REVIEW-dstamp)
 **Check 5 — HC1 teeth (wrong stamp still FAILs):** PASS
 *Negative control (pre-fix, existing run):* `m2p-discourse/results.json` shows HC1 caught wrong stamp:
 `AssertionError: upgrade deployed chaos commit 'eb96de94+U', not the intended PR-head '7ae7b0f76efb'
 — the re-checkout to the code under test failed, so the upgrade is not exercising the PR's changes (HC1)`
 This is HC1 raising on `eb96de94 ≠ 7ae7b0f7`. HC1 commit-match assertion WORKS.
 *Code unchanged (from M1):* `generic.py:174-175` commit-match assertion unmodified. The fix adds
 `assert_upgrade_converged` BEFORE `assert_upgraded` — it catches rollback EARLIER with an honest message
 but does NOT bypass HC1. If a non-rollback wrong stamp were deployed (e.g. abra bug stamping wrong commit),
 `assert_upgrade_converged` would see `completed` and pass, then HC1 would FAIL on the commit mismatch.
 *Post-fix rollback path:* `assert_upgrade_converged` raises `RuntimeError` on `rollback_completed` →
 upgrade FAILS with honest "head did not stay healthy" → HC1 doesn't even run but test is RED.
 Both paths (rollback → caught by assert_upgrade_converged; wrong stamp without rollback → caught by HC1)
 still FAIL. The pre-fix negative controls (m2p-discourse, repro1, repro4) demonstrate the wrong-stamp
 path is always caught; the fix only changes HOW it's reported and at which point.
 **Blast-radius (confirmed at M1, still valid):** Only discourse affected. keycloak/n8n PASS L4
 in 06-10/06-11 era. General `assert_upgrade_converged` guard now covers all rollback-policy recipes.
 **Phase DoD summary:**
 - ✅ Drift mechanism attributed with reproducible evidence (repro4 direct evidence)
 - ✅ Fixed at the true root (stop-first overlay + assert_upgrade_converged)
 - ✅ Discourse back at real level in real CI via drone !testme (build 450, LEVEL 5)
 - ✅ No other recipe silently affected (blast-radius sweep, keycloak/n8n PASS)
 - ✅ HC1 unweakened and adversarially re-proven (m2p-discourse negative control + code inspection)
 - ✅ DEFERRED closed with pointers
 **Verdict: M2 PASS. All phase dstamp DoD items satisfied. Builder cleared for ## DONE.**
--- a/machine-docs/REVIEW-ghost.md
+++ b/machine-docs/REVIEW-ghost.md
@ -0,0 +1,110 @@
 # REVIEW — phase ghost (Adversary)
 ## Cold reconnaissance — 2026-06-13T06:20Z
 **Scope:** Pre-Builder independent probe of ghost PR/build state.  
 **Source of truth:** phase plan `plan-phase-ghost-reeval.md` §Gates / DoD.
 ### What was checked
 - Gitea API: all open/closed PRs on `recipe-maintainers/ghost`
 - ci.commoninternet.net ghost run history: builds #515–#585
 - Drone build logs (read directly via Drone sqlite DB): builds #557, #578, #585
 - cc-ci host: docker stacks/volumes/services matching "ghost"
 - `/tmp/ghost-render/compose.ccci.yml` overlay contents
 ### Pre-claim findings
 **F1 — Upgrade failure mode is MySQL timing, NOT VIP exhaustion.**  
 Builds #557 and #578 both show: `"!! upgrade op failed: ... UpdateStatus='paused'"` — recipe-level timing failure. Not VIP exhaustion (which would be tasks stuck in `New` state).
 **F2 — Build #585 pre-proxy, wrong PR.** Ran at ~04:14Z (84 min before proxy fix at 05:38Z). Tested PR#5 (d42d0f7c), not PR#4 (d88f5801).
 **F3 — No post-proxy ghost runs as of 06:20Z.** Builder needed to trigger a fresh run.
 **F4 — MySQL timing is load-sensitive.** Same sha: #578 failed at ~03:00Z, #585 passed at ~04:00Z. Suggests server load was the variable.
 **F5 — PR#5 is cfold artifact.** Should be closed after PR#4 verdict.
 **F6/F7 — Clean state.** No ghost leaks; all recent runs have clean_teardown=true, no_secret_leak=true.
 ---
 ## M1 — State inventory and clean retry
 **PASS @2026-06-13T06:38Z**
 ### Cold acceptance run
 Adversary independently verified the following from a cold start (own clone, own SSH session, no Builder state shared):
 **1. Correct PR identified: PR#4 (d88f5801)**
 - Gitea API confirms PR#4 is the only open PR, titled "chore: upgrade to 1.4.0+6.44.1-alpine"
 - PR#5 (cfold probe) now closed ✅
 **2. Pre-proxy failures confirmed infra-confounded**
 - Builds 515, 517, 519, 557: all dated 2026-06-12, before proxy /16 fix at 05:38Z on 2026-06-13 ✅
 - Builds 515/517 were L0 (possible VIP exhaustion at deploy stage); builds 519/557 were L1 with `UpdateStatus=paused` (MySQL timing under high load from concurrent IPAM-fix operations)
 - Builder's classification as "infra-confounded" is correct
 **3. Fresh post-proxy !testme on PR#4 verified**
 - Gitea PR#4 comment: `@autonomic-bot [2026-06-13T06:12:48Z]: !testme` (post-proxy ✅, proxy fixed 05:38Z)
 - Drone build #612: `started=2026-06-13T06:13:02Z` (from Drone sqlite DB) — 35 min after proxy fix ✅
 - `RECIPE=ghost REF=d88f5801` ✅
 - `build_status=success` ✅
 **4. Build #612 genuine L5/5 pass verified**
 - `/var/lib/cc-ci-runs/612/results.json`: `level=5`, all stages pass (install/upgrade/backup/restore/custom) ✅
 - JUnit timestamps confirm genuine sequential execution:
  - install: 06:13:53Z (51s from start)
  - upgrade: 06:14:38Z (1m36s from start)
  - backup: 06:14:43Z
  - restore: 06:14:49Z
  - custom: 06:14:50–53Z
 - `clean_teardown=True`, `no_secret_leak=True` ✅
 - Badge: `https://ci.commoninternet.net/runs/612/badge.svg` → level 5 ✅
 - Proxy subnet confirmed: `10.10.0.0/16` ✅
 **Evidence source:** all checks run independently by Adversary against Gitea API, cc-ci Drone sqlite, cc-ci run log files, and cc-ci docker state.
 ---
 ## M2 — Operator-ready outcome
 **PASS @2026-06-13T06:38Z**
 ### Cold acceptance run
 **1. Exactly 1 open PR on ghost: PR#4**
 - `GET /api/v1/repos/recipe-maintainers/ghost/pulls?state=open` → 1 result: PR#4 (d88f5801) ✅
 **2. PR#3 closed**
 - `GET /api/v1/repos/recipe-maintainers/ghost/pulls/3` → `state=closed` ✅
 **3. PR#5 closed**
 - `GET /api/v1/repos/recipe-maintainers/ghost/pulls/5` → `state=closed` ✅
 **4. No ghost resource leaks**
 - `docker stack ls | grep ghos` = nothing ✅
 - `docker service ls | grep ghos` = nothing ✅
 - `docker volume ls | grep ghos` = nothing ✅
 **5. Operator comment on PR#4**
 - Comment at 2026-06-13T06:22:11Z (note: STATUS says 06:35Z — minor discrepancy, not blocking)
 - Content: 5-tier pass table, infra-confound analysis, "This PR is operator-ready. Nothing was merged." ✅
 **6. Adversary findings from BACKLOG addressed:**
 - A1: Build #585 NOT used as post-proxy pass — Builder used #612 (post-proxy) ✅
 - A2: MySQL timing acknowledged in operator comment; upgrade passed post-proxy confirming infra-confound ✅
 - A3: PR#5 closed ✅
 ### Verdict
 Both M1 and M2 PASS. The ghost phase Definition of Done is met:
 - Exactly one ghost upgrade PR (PR#4) is operator-ready
 - Fresh post-proxy verdict: PASS (build #612, level 5/5)
 - 2026-06-12 failures correctly classified as infra-confounded (proxy /24 IPAM pressure + load)
 - No stale stacks/volumes
 - Operator-facing explanation present on the PR
 Builder may write `## DONE` to STATUS-ghost.md.
--- a/machine-docs/REVIEW-gtea.md
+++ b/machine-docs/REVIEW-gtea.md
@ -0,0 +1,373 @@
 # REVIEW — phase gtea (gitea full-test enrollment)
 Adversary verdict log. Append-only. Only the Adversary writes here.
 Commit prefix: `review(gtea): ...`
 ---
 ## Init @2026-06-15T19:33Z
 Phase gtea started. No gates claimed yet by Builder. Baseline orientation run:
 - Builder hasn't started (no STATUS-gtea.md, no gtea commits on origin/main as of 3f6d7dc).
 - Existing `tests/gitea/recipe_meta.py` is the dep-provider stub (header: "NOT a standalone recipe-under-test").
 - Plan SSOT loaded: plan-phase-gtea-gitea-fulltests.md — M1 = suite green locally; M2 = green in real CI + LFS PR verified.
 - Exemplars to check: tests/cryptpad/, tests/keycloak/.
 - Will maintain independent break-it probes while Builder builds.
 ---
 ## Pre-M1 code review @2026-06-15T19:58Z
 Builder commit 33561c8 (all files) + 6ac9989 (Playwright fix) read.
 ### PASS items
 - recipe_meta.py: READY_PROBE(ctx) and SCREENSHOT(page, ctx) signatures match registry hook_params ✓
 - BACKUP_CAPABLE=True explicit (compose.yml backupbot.backup=true confirmed) ✓
 - EXTRA_ENV dep path unchanged: sqlite3 + relaxed auth; LFS guard requires RECIPE=gitea AND overlay file ✓
 - PARITY.md honest about absent upstream tests (source note says recipe-info corpus, not upstream) ✓
 - ops.py pre_restore deletes marker + asserts absence — divergence is real ✓
 - test_restore.py asserts marker returned — a no-op restore would fail ✓
 - harness.http.retry_http_get, lifecycle.http_fetch, lifecycle.exec_in_app all exist in the harness ✓
 - PARITY.md: beyond-parity test rationale non-vacuous ✓
 - Playwright fix: wait_for_selector("input#user_name") is visible — correct ✓
 ### ISSUES filed (in BUILDER-INBOX.md @4a4b756)
 **[critical — M2 blocker]** `git-lfs` not installed on cc-ci: `git lfs` is not a git subcommand.
 The LFS test uses `git lfs install/track/ls-files` — all fail without git-lfs. Fix: add
 `git-lfs` to `nix/hosts/cc-ci/configuration.nix` systemPackages, rebuild, deploy.
 **[bug in test_lfs_roundtrip.py]** Double `/api/v1` path: `_api(live_app, "/api/v1/version", ...)`
 constructs `https://domain/api/v1/api/v1/version` → 404. The restart health-poll will spin 120s
 then fail. Fix: change path argument to `"/version"`.
 Both issues affect only the LFS capstone (which skips on main). Do NOT block M1 verdict.
 M2 verdict will FAIL unless both are fixed before the lfs-plain-gitea run.
 ## Additional pre-M1 cold checks @2026-06-15T20:10Z
 Builder addressed inbox findings in commits 893a7b0, 3cc8338, 74bc5f0, 3ec24b0:
 - Double /api/v1 path bug: FIXED ("/version" path used correctly) ✓
 - git-lfs: added to nix/hosts/cc-ci-hetzner/configuration.nix (correct host config) ✓
 - test_git_push: auto_init=True repo, credential URL approach ✓
 - test_admin_api: scopes added for gitea 1.22+ ✓
 Cold checks run from cc-ci /root/builder-clone (HEAD 3ec24b0):
 - recipe_meta.py: all keys load — BACKUP_CAPABLE=True, READY_PROBE callable, SCREENSHOT callable, EXTRA_ENV callable ✓
 - unit tests: 53/53 PASS (test_gitea_dep.py 10/10, test_meta.py 43/43) ✓
 - LFS conditional (RECIPE=gitea, compose.lfs.yml absent): COMPOSE_FILE=sqlite3 only, LFS=False ✓
 - LFS skip mechanism: _lfs_enabled() returns False when compose.lfs.yml absent (main branch) ✓
 ## M1 cold verification @2026-06-15T20:32Z
 Builder claim: commit bac3662, all 5 stages PASS locally (RECIPE=gitea), run_id=manual.
 ### Evidence reviewed (independent, from adv-clone at HEAD b2663dc)
 **results.json** (`/var/lib/cc-ci-runs/manual/results.json`, mtime 20:08 today):
 - level: 5/5 ✓
 - install/upgrade/backup/restore/custom: all "pass" ✓
 - lint: "pass" ✓
 - LFS (test_lfs_roundtrip): status="skip", message="compose.lfs.yml absent in gitea recipe checkout — LFS is not enabled on this branch. This test runs on lfs-plain-gitea (PR #1) and is EXPECTED_NA on main." ✓
 - flags: clean_teardown=true, no_secret_leak=true ✓
 - customization: 4 custom tests, ops.py hooks for all 4 pre-op stages, meta non-default keys all correct ✓
 - unintentional skips: [] (no unexpected skips) ✓
 **Unit tests (Adversary cold run from adv-clone)**:
 - 53/53 PASS (test_gitea_dep.py 10/10, test_meta.py 43/43) ✓
 - test_gitea_recipe_meta_extra_env PASS — dep env correct (no LFS when RECIPE≠gitea) ✓
 - test_enrich_deps_routes_gitea PASS — dep routing intact ✓
 - test_drone_recipe_meta_deps PASS — DEPS=["gitea"] correct ✓
 **Code review of test hooks:**
 - test_restore: pre_restore DELETES marker + asserts absence; test asserts marker RETURNED — no-op restore fails ✓
 - test_upgrade: marker_repo_exists() hits API with admin creds — data continuity is real ✓
 - test_git_push: auto_init=True repo, credential URL embedded, push via git; verifies non-empty response ✓
 - test_admin_api: creates user, org, token via API with 1.22+ scopes; teardown cleans up ✓
 - test_health: HTTP 200 on root endpoint ✓
 - LFS conditional: 2-guard (_lfs_enabled requires RECIPE=gitea AND compose.lfs.yml exists) prevents dep leak ✓
 **Dep path verification:**
 - No RECIPE=drone CI run post-Builder changes (last drone run was #506, June 13)
 - EXTRA_ENV dep path verified code-level: RECIPE=drone → no LFS flags, standard sqlite3+auth only ✓
 - Unit tests cover this path explicitly ✓
 ### Findings
 **[non-blocking, pre-existing harness bug] Stale screenshot:**
 `/var/lib/cc-ci-runs/manual/screenshot.png` has mtime June 13 — not from today's M1 run.
 Root cause: `screenshot.capture()` checks `if not os.path.exists(out_path)` after running the
 SCREENSHOT hook; since the file exists from a prior manual run (run_id="manual" reuses the same dir),
 `_snap_with_blank_retry` is never called and the old file persists. results.json reports
 `"screenshot": "screenshot.png"` (file exists and is non-empty), but it's a stale image.
 Non-blocking per R7 (cosmetics never change verdict). M2 will use DRONE_BUILD_NUMBER as run_id
 → fresh directory → no issue. NOT a Builder error; pre-existing harness limitation of manual runs.
 Filed in BACKLOG-gtea.md under Adversary findings.
 **[constraint] Independent harness run blocked by lifetime.py orphan guard:**
 `lifetime.install_lifetime_guards()` calls `prctl(PR_SET_PDEATHSIG)` then checks `ppid==1`; when
 running via systemd-run or nohup (detached), the harness correctly refuses to run orphaned.
 No bypass env var exists. Running the full harness in foreground would require ~30-min SSH hold.
 Code review + unit test verification substitutes for M1 (M2 !testme provides the live run).
 ## M1 VERDICT: PASS @2026-06-15T20:32Z
 All M1 DoD satisfied:
 - Suite built: install/upgrade/backup/restore/custom/lint all exist and ran ✓
 - Suite green locally: level=5/5, all stages PASS on main ✓
 - LFS test correctly SKIP on main (compose.lfs.yml absent → _lfs_enabled()=False) ✓
 - Tests have teeth: restore divergence is real, upgrade verifies data continuity ✓
 - Dep path unbroken: EXTRA_ENV dep route correct, unit tests pass ✓
 - No secrets in run artifacts: no_secret_leak=true ✓
 Gate M1: **ADVERSARY PASS** (commit bac3662, run_id=manual, all stages pass)
 ---
 ## M2 pre-verification @2026-06-15T20:50Z
 Builder triggered !testme on PR #1 (gitea recipe mirror, git.autonomic.zone) and on main branch.
 Bridge is live with recipe-maintainers/gitea in POLL_REPOS. 3 CI runs completed:
 ### Run 674 — main branch (RECIPE=gitea, PR=0, REF=main)
 level=1. install: PASS. upgrade: **FAIL**.
 Error: "upgrade deployed chaos commit 'e6a1cc79', not the intended PR-head 'main' — the re-checkout
 to the code under test failed."
 backup/restore/custom: PASS (ran on the existing install despite upgrade failure).
 LFS test: correctly SKIP (REF=main, compose.lfs.yml absent from main branch). ✓
 **M2 main-branch DoD NOT met.** Upgrade tier must PASS for level=5.
 ### Run 675 — main branch concurrent (PR=0, REF=main)
 level=0. All stages FAIL.
 Root cause: concurrent collision with run 674 (same domain from same recipe+pr+ref hash).
 ci_admin creds cached at /tmp/ccci-gitea-admin-<domain>.json from run 674 → 401 on API calls
 because gitea was in a stale state. Non-blocking bug (triggered by multiple !testme comments).
 ### Run 676 — PR #1 (RECIPE=gitea, PR=1, REF=357926f2)
 level=3. install/upgrade/backup/restore: PASS ✓. custom: **FAIL**.
 LFS test failure: `git push` batch endpoint returns "Repository or object not found".
 `_lfs_available()` returned True (compose.lfs.yml present in recipe dir at test time — confirmed
 via recipe reflog: checkout to 357926f2 at 20:35:58, test ran at 20:36:36).
 But gitea LFS server was not accepting LFS batch requests → `LFS_START_SERVER = false` in app.ini.
 PR #1 code verified correct:
 - compose.lfs.yml: GITEA_LFS_START_SERVER=true + lfs_jwt_secret external secret ✓
 - app.ini.tmpl: LFS_START_SERVER rendered from env, LFS_JWT_SECRET conditional ✓
 - abra.sh: APP_INI_VERSION v22 (triggers re-render on deploy) ✓
 Likely harness-level bug: either (a) lfs_jwt_secret not generated (SECRET_LFS_JWT_SECRET_VERSION=v1
 only in EXTRA_ENV dict, not in disk .env file read by `abra secret generate`), or (b) compose.lfs.yml
 not included in COMPOSE_FILE at actual docker deploy time due to abra base-deploy checkout timing
 (abra checked out 3.5.2+1.24.2-rootless tag at 20:35:37 removing compose.lfs.yml, harness
 re-checked 357926f2 at 20:35:58 restoring it, but EXTRA_ENV may have been evaluated before that).
 Filed as critical M2 blockers in BACKLOG-gtea.md. Builder must fix before M2 can be claimed.
 ## M2 VERDICT: PENDING — two critical blockers
 1. LFS test fails in run 676 (PR #1 custom tier fail, level=3 not level=5)
 2. Upgrade fails on main branch run 674 (level=1, not level=5)
 Gate M2: **NOT CLAIMED** — Builder must fix and re-trigger CI
 ---
 ## M2 re-verification @2026-06-15T21:30Z (builds #684 and #685)
 Builder fixed two blockers (commit a121d2c): UPGRADE_EXTRA_ENV for LFS, head_ref SHA fix,
 stale creds deletion in pre_install. Triggered builds #684 (main) and #685 (PR #1).
 ### Build #684 — RECIPE=gitea REF=main PR=0 — **PASS** level=5 ✓
 Full log reviewed from Drone API.
 - lint: pass ✓
 - install: PASS — generic test_serving + gitea test_install_gitea both PASS ✓
 - upgrade: PASS — version=3.5.2→3.5.3, HC1: head_ref=e6a1cc79, chaos-version=e6a1cc79 (SHA match) ✓
 - backup: PASS — restic snapshot 8435c4df, 53 files, marker captured ✓
 - restore: PASS — pre_restore deleted ci-marker, restore returned it (genuine divergence) ✓
 - custom: all 4 tests:
  - test_admin_api: PASS (user+org+token CRUD lifecycle) ✓
  - test_git_push: PASS (create repo→push→verify via API) ✓
  - test_health: PASS (root HTTP 200) ✓
  - test_lfs_roundtrip: SKIP ✓ — correct ("compose.lfs.yml absent in gitea recipe checkout —
    LFS is not enabled on this branch. This test runs on lfs-plain-gitea (PR #1) and is
    EXPECTED_NA on main.")
 - deploy-count=1 (expected 1) ✓
 - clean_teardown=true, no_secret_leak=true ✓
 **M2 main-branch condition: MET** (build #684, level=5, upgrade SHA-match correct, LFS skip correct)
 Screenshot: PNG file, 36KB, captured at 21:04 (during run #684). Visual content not verified
 inline (requires file transfer); file is valid PNG with real content. Operator should visually
 confirm sign-in page is shown.
 ### Build #685 — RECIPE=gitea PR=1 REF=357926f26e69 — **FAIL** level=1 ✗
 Full log reviewed from Drone API and results.json.
 - lint: pass ✓
 - install: PASS (base 3.5.2, no LFS) ✓
 - upgrade: **FAIL** — `gite-e1cb78.ci.commoninternet.net: upgrade redeploy did NOT converge to
  the head spec — swarm UpdateStatus='rollback_completed'.`
 - backup: FAIL (cascade — pre_backup 401: could not ensure ci-marker exists)
 - restore: FAIL (cascade — ci-marker absent after restore; backup state was bad)
 - custom: FAIL — test_admin_api, test_git_push, test_lfs_roundtrip all get `401 Unauthorized:
  user's password is invalid [uid: 1, name: ci_admin]`; test_health: PASS ✓
 - test_lfs_roundtrip: reaches API call (compose.lfs.yml IS in recipe dir at test time,
  _lfs_available()=True, LFS test DID run) but hits 401 on repo create — cascade failure
 **Root cause: upgrade chaos redeploy to PR head with compose.lfs.yml fails (rollback_completed)**
 Evidence chain:
 1. `rollback_completed` in Docker Swarm means the NEW task STARTED but failed its health check.
   If lfs_jwt_secret did NOT exist as Docker secret, the deploy would fail BEFORE creating the
   task (Docker reports "secret not found" at deploy time, not as a task health failure). Therefore
   lfs_jwt_secret WAS generated as a Docker secret.
 2. `abra.secret_generate(domain)` WAS called (generic.py line 267, new fix in a121d2c) with
   SECRET_LFS_JWT_SECRET_VERSION=v1 in the .env after UPGRADE_EXTRA_ENV applied.
 3. The COMPOSE_FILE=compose.yml:compose.sqlite3.yml:compose.lfs.yml was correctly set in .env
   (confirmed from log: `upgrade-env: COMPOSE_FILE=...`).
 4. Docker confirmed no lfs secrets at post-run check — expected (clean_teardown=true cleaned them).
 **Most likely root cause: lfs_jwt_secret generated with wrong length/format by abra --all**
 The `.env.sample` in PR #1 (lfs-plain-gitea branch) has the lfs_jwt_secret spec COMMENTED OUT:
 ```
 # SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43
 ```
 Compare with active (uncommented) entries:
 ```
 SECRET_JWT_SECRET_VERSION=v1 # length=43
 SECRET_INTERNAL_TOKEN_VERSION=v1 # length=105
 ```
 `abra secret generate --all` reads the recipe's `.env.sample` for secret parameters (including
 length). If the `SECRET_LFS_JWT_SECRET_VERSION` entry is commented out, abra may use a default
 length (likely not 43) when generating the Docker secret value. A gitea LFS JWT secret must be
 a base64 URL-safe string of exactly 43 chars (representing 32 bytes without padding). If abra
 generates a wrong-length value, gitea fails to parse its JWT secret on startup and crashes before
 passing the `/api/healthz` health check — causing `rollback_completed`.
 **Secondary mystery: admin password 401 after upgrade rollback**
 After rollback, gitea 3.5.2 runs again. ci_admin password was written to creds file during
 pre_install (fresh install, stale file deleted). Yet all API calls return 401 `user's password
 is invalid`. This cascade is unexplained but consistent with gitea being in a bad state after
 the rollback (possible: the brief chaos deploy attempt changed state in the sqlite3 DB before
 the health check failed and Docker rolled back the CONTAINER — not the DATA volume).
 **Files confirmed NOT the issue:**
 - compose.lfs.yml structure: correct (external secret declared, GITEA_LFS_START_SERVER env set) ✓
 - app.ini.tmpl: LFS_JWT_SECRET rendered from `{{ secret "lfs_jwt_secret" }}` when
  GITEA_LFS_START_SERVER=true ✓
 - UPGRADE_EXTRA_ENV applied correctly (confirmed in log) ✓
 - HC1 would pass if upgrade converged (SHA logic correct from #684 fix) ✓
 ### Additional finding: cc-ci self-test lint failures (non-blocking for M2 recipe CI)
 Push-event builds #683/#686/#687 fail at `scripts/lint.sh`:
 - `ruff format --check`: 9 files need formatting:
  `tests/gitea/custom/test_admin_api.py`, `test_git_push.py`, `test_lfs_roundtrip.py`,
  `tests/gitea/ops.py`, `recipe_meta.py`, `test_backup.py`, `test_install.py`, `test_upgrade.py`,
  `tests/unit/test_discovery.py`
 - `ruff check`: 9 errors (at least `bridge/bridge.py:85:36: UP017` + others in gtea files)
 These are the cc-ci REPO'S OWN self-tests, not the recipe CI runs. They do NOT gate M2 recipe
 CI (which runs via custom events). However, they reflect code quality debt and should be fixed.
 `ruff format tests/gitea/` and `ruff check --fix tests/gitea/` would address the gtea files.
 The `bridge.py UP017` may be pre-existing.
 Filed in BACKLOG-gtea.md Adversary findings.
 ### Drone dep path: not re-verified via live CI since a121d2c
 M2 DoD: "drone CI re-confirmed green (dep path intact)". No RECIPE=drone custom build has run
 since commit a121d2c modified generic.py and recipe_meta.py. Unit tests (test_gitea_dep.py 10/10)
 still pass and cover the dep path code-level. A live RECIPE=drone run is needed to satisfy the
 full M2 DoD dep-path verification. Filed in BACKLOG as pending.
 ## M2 VERDICT: PENDING — new critical blocker in build #685
 1. ✓ M2 main-branch condition MET (build #684, level=5)
 2. ✗ PR #1 LFS capstone FAIL — upgrade rollback with LFS (build #685, level=1)
   Root cause: lfs_jwt_secret generated with wrong format/length (commented-out .env.sample spec)
 Gate M2: **NOT CLAIMED** — Builder must fix lfs_jwt_secret generation and re-trigger build #685
 ---
 ## M2 re-verification round 3 @2026-06-15T22:10Z (builds #691, #692, #695)
 Builder applied two further fixes (commits d832b35 + ad53b5a):
 - d832b35: `UPGRADE_SECRET_PREP` hook in `meta.py` + `generic.py`; `recipe_meta.py` UPGRADE_SECRET_PREP
  implementation uses `docker secret create` directly with correct 43-char base64 URL-safe value
 - ad53b5a: derive `STACK_NAME` from domain (`domain.replace(".", "_")`) when not found in .env
  (abra does NOT write STACK_NAME to the .env file — it derives it at runtime from the domain)
 - 2d865f0: ruff format + check all gtea files (cc-ci self-test lint now passes)
 ### Build #691 — RECIPE=gitea PR=1 REF=357926f26e69 — FAIL (STACK_NAME not found) ✗
 `UPGRADE_SECRET_PREP` aborted: `RuntimeError: UPGRADE_SECRET_PREP: STACK_NAME not found in
 /root/.abra/servers/default/gite-e1cb78.ci.commoninternet.net.env`
 Root cause: the hook attempted to read STACK_NAME from the app's .env, but abra writes only
 app-specific vars to that file (DOMAIN, TYPE, COMPOSE_FILE etc.) — STACK_NAME is derived from
 the domain at runtime by abra's own code. The fix in ad53b5a (domain.replace(".", "_") fallback)
 is the correct approach and matches how abra derives stack names.
 New finding filed in BACKLOG-gtea.md. Builder fixed in commit ad53b5a.
 ### Build #692 — RECIPE=drone PR=0 REF=main — **PASS** level=5 ✓
 Full results.json from ci.commoninternet.net/runs/692/results.json:
 - recipe: drone, pr=0, ref=main
 - level: 5 (install: PASS, upgrade: PASS, custom: PASS; backup/restore: skip — correct, drone
  is not backup-capable)
 - rungs: install=pass, upgrade=pass, functional=pass, lint=pass, backup_restore=skip ✓
 - skips.intentional: backup_restore: "not backup-capable (no backupbot labels / declared)" ✓
 - clean_teardown=true, no_secret_leak=true ✓
 - customization: DEPS=["gitea"] confirmed (gitea dep used in drone's own dep chain) ✓
 **M2 drone dep path condition: MET** — drone recipe CI unaffected by all gtea changes
 ### Build #695 — RECIPE=gitea PR=1 REF=357926f26e69 — **PASS** level=5 ✓
 Full results.json from ci.commoninternet.net/runs/695/results.json:
 - recipe: gitea, pr=1, ref=357926f26e69 — THIS IS THE LFS PR
 - level: 5, all 5 stages: install=pass, upgrade=pass, backup=pass, restore=pass, custom=pass
 - No intentional or unintentional skips ✓
 - clean_teardown=true, no_secret_leak=true ✓
 Custom tests (all PASS):
 - `test_admin_api_user_org_token_lifecycle`: PASS (333ms) ✓
 - `test_git_push`: PASS (889ms) ✓
 - `test_gitea_root_returns_200`: PASS (36ms) ✓
 - `test_lfs_roundtrip`: **PASS (18147ms = 18s)** ✓ — LFS ROUNDTRIP VERIFIED
 UPGRADE_SECRET_PREP hook in customization.meta_non_default confirms it ran.
 version=ce4de9e6451f (deployed recipe HEAD at upgrade time — expected, as chaos deploy uses PR HEAD).
 **M2 PR #1 LFS capstone: MET** — test_lfs_roundtrip PASS in real CI on PR #1
 ### cc-ci self-test lint: CLEARED
 Builds #690 and #693 (push events) report success — ruff format + check now both pass.
 All M2 DoD conditions now satisfied.
 ## M2 VERDICT: PASS @2026-06-15T22:10Z
 All M2 DoD conditions met:
 1. ✓ Full 5-tier suite green on gitea main in real CI — build #684, level=5, upgrade SHA-match
   correct, HC1 PASS, LFS correctly SKIP on main ✓
 2. ✓ LFS roundtrip green in real CI on PR #1 — build #695, level=5, `test_lfs_roundtrip` PASS
   (18s), lfs_jwt_secret correct length via UPGRADE_SECRET_PREP hook, all tiers PASS ✓
 3. ✓ Drone dep path unaffected — build #692, level=5, drone recipe still fully green ✓
 4. ✓ cc-ci self-test lint green — ruff format+check pass on all gtea files ✓
 5. ✓ Unit tests 53/53 pass throughout (test_gitea_dep.py 10/10, test_meta.py 43/43) ✓
 6. ✓ No secrets in any run artifact — no_secret_leak=true in #684, #692, #695 ✓
 Gate M2: **ADVERSARY PASS** @2026-06-15T22:10Z
--- a/machine-docs/REVIEW-kuma.md
+++ b/machine-docs/REVIEW-kuma.md
@ -0,0 +1,184 @@
 # REVIEW — phase `kuma` (uptime-kuma create-a-monitor functional test)
 Adversary verdict log. Append-only. SSOT: `cc-ci-plan/plan-phase-kuma-monitor.md`.
 ## Phase orientation (2026-06-11T18:03Z)
 Builder clone: `/srv/cc-ci/cc-ci`; Adversary clone: `/srv/cc-ci/cc-ci-adv`.
 Phase goal: add functional test that completes uptime-kuma's first-run setup wizard and exercises
 its core function — create a monitor, see it probe a target, assert UP + real probe timestamp.
 Negative test (monitor → dead target → DOWN) required if it fits the runtime budget.
 Two gates:
 - **M1** — test implemented + green locally; approach justified; bounded waits; real assertions
 - **M2** — drone-path green (≥2 consecutive runs); flake check; DEFERRED closed
 Pre-phase independent research notes:
 - uptime-kuma uses Socket.IO for ALL management operations (setup wizard, login, monitor CRUD)
 - Existing tests: Socket.IO handshake (EIO v4), SPA branding, health check — NONE exercise wizard/monitor
 - Two viable approaches per plan: (a) python-socketio client speaking events; (b) Playwright UI
 - Key verification concerns for M1:
  - Probe reality: must confirm a *real* HTTP check occurred (timestamp advance + status from
    uptime-kuma's state, not echo of config)
  - Secret safety: generated admin creds must not appear in logs or test output
  - Budget: target ≤90s added to functional tier; must use bounded poll not sleep
  - Negative teeth: dead-target monitor must go DOWN (proves probe isn't stub) — required unless
    runtime budget forces explicit justification
 - Existing `tests/uptime-kuma/functional/` dir has 3 files: health_check, socketio_handshake,
  spa_branding — all pass in CI (build #91 was green for uptime-kuma level 5)
 - Phase plan says new test goes in `tests/uptime-kuma/functional/` (or `playwright/` if option b)
 ## Adversary pre-flight checks (2026-06-11T18:03Z)
 uptime-kuma Socket.IO event map (from source / prior investigation):
 - Setup wizard: `setup` event with `{username, password}` → response `{ok: true}`
 - Login: `login` event with `{username, password, token: ""}` → response `{ok: true, token: "..."}`
 - Add monitor: `add` event with monitor config → response `{ok: true, monitorID: N}`
 - Heartbeat list: `heartbeatList` event or `uptime` event to check recent probe status
 - Monitor status: `getMonitorList` or heartbeat events contain `{status: 1}` (UP) or `{status: 0}` (DOWN)
 Adversary independent acceptance criteria (what I will cold-verify for M1):
 1. Test file in correct location per plan (tests/uptime-kuma/functional/ or playwright/)
 2. Setup wizard completed and login token obtained (not hardcoded)
 3. Monitor created pointing at a harness-controlled URL (not a stub/no-op)
 4. Wait loop is BOUNDED (deadline/max_wait, not open-ended sleep)
 5. Assertion is on ACTUAL probe data: at minimum one heartbeat with status=1 + timestamp > deploy time
 6. Admin credentials NOT printed/logged in test output
 7. Negative test included OR explicit runtime-budget justification in DECISIONS.md
 8. Runtime ≤ ~90s added (measure from CI timing)
 ## Independent pre-flight findings (2026-06-11T18:05Z)
 **Critical: python-socketio NOT available on cc-ci.**
 ```
 cc-ci-run -c 'import socketio'  # → ModuleNotFoundError: No module named 'socketio'
 cc-ci-run -c 'from playwright.sync_api import sync_playwright; print("ok")'  # → ok
 ```
 Implication: option (a) python-socketio requires a harness.nix + nixos-rebuild change; option (b)
 Playwright works immediately from existing infrastructure. Builder must justify their choice in
 DECISIONS.md regardless.
 **uptime-kuma recipe pinned at 2.2.1** (image `louislam/uptime-kuma:2.2.1`).
 Socket.IO port 3001, routed through Traefik `web-secure` entrypoint.
 **uptime-kuma Gitea mirror exists** (recipe-maintainers/uptime-kuma), no open PRs yet. Builder
 will need to create a test PR.
 **Real probe evidence requirements I will enforce at M1 cold-verify:**
 - heartbeat data must contain entries with `status` field (1=UP, 0=DOWN)
 - heartbeat timestamps must be AFTER test start (not from config echo)
 - For uptime-kuma 2.x: `heartbeatList` socket event OR API poll at `/api/status-page/heartbeat/...`
  carries real probe results; event `uptime` also carries historical data
 - The monitor's first heartbeat entry is sufficient if it has: `status: 1`, `time` > deploy timestamp
 Builder has not yet started (no STATUS-kuma.md, no kuma commits). Waiting for M1 claim.
 ---
 ## M1: PASS @2026-06-11T18:26Z
 **Claim commit:** `fe8922c claim(kuma): M1 PASS — test_monitor_wizard green at LEVEL 5 via drone build #460`
 **Test commit:** `8da59cf feat(kuma): implement wizard+monitor Playwright test`
 ### Cold-verify evidence (Adversary-independent, from own clone + ssh cc-ci)
 **1. Test file location and content** ✓
 - File: `tests/uptime-kuma/playwright/test_monitor_wizard.py` (167 lines)
 - Correct placement per plan §2 "option b" + discovery.py `playwright/` subdir
 - Discovery confirmed: `runner/harness/discovery.custom_tests` recurses into `playwright/`
 - `live_app` fixture from root `tests/conftest.py` works (session-scoped, reads `CCCI_APP_DOMAIN`)
 **2. Drone build #460 results (read from /var/lib/cc-ci-runs/460/results.json on cc-ci)**
 ```
 level: 5
 recipe: uptime-kuma  ref: eb4521cc5d77
  functional.test_uptime_kuma_root_serves [pass] 20ms
  functional.test_socketio_polling_handshake [pass] 26ms
  functional.test_uptime_kuma_spa_has_branding [pass] 27ms
  playwright.test_monitor_wizard_and_probe [pass] 2817ms
 clean_teardown: True
 no_secret_leak: True
 playwright count: 1
 ```
 All tiers PASS: install/upgrade/backup/restore/custom/lint = Level 5.
 **3. Probe reality** ✓
 - `test_monitor_wizard_and_probe` PASSED with both positive and negative assertions:
  - Self-probe monitor → status "Up" (requires real Socket.IO heartbeat from uptime-kuma server)
  - Dead-port monitor (`127.0.0.1:19999`) → status "Down" (proves probe engine not a stub)
  - Heartbeat datetime row present (regex `\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}`) — real timestamp
 - 2.817s runtime proves fast connection-refused (dead-port negative check confirmed real)
 **4. Secret safety** ✓
 - `_pw` (64-char UUID hex) used only in `.fill()` calls — never printed, never in assertion messages
 - `no_secret_leak: True` confirmed by independent results.json read
 **5. Approach justification** ✓
 - `machine-docs/DECISIONS.md` entry "2026-06-11 — uptime-kuma: Playwright (option b)" present
 - Confirms python-socketio absent, Playwright handles Socket.IO transparently, selectors confirmed
  in 2.2.1 compiled bundle `dist/assets/index-D_mnxLA0.js`
 **6. Runtime budget** ✓
 - 2.817s actual ≪ 90s target
 **7. Nothing weakened** ✓
 - All 3 existing custom tests still PASS (health_check, socketio_handshake, spa_branding)
 - No existing assertions removed or softened
 **8. PR comment** ✓
 - git.autonomic.zone/recipe-maintainers/uptime-kuma/pulls/3 shows:
  `🌻 cc-ci — uptime-kuma @ eb4521cc ✅ passed`
 ### M1 verdict: **PASS** — Builder cleared to proceed to M2.
 Note: build #462 (flake-check second run for M2) was already in progress at time of this verdict.
 DEFERRED close + PARITY.md update are M2 pre-conditions per BACKLOG.
 ---
 ## M2: PASS @2026-06-11T18:32Z
 **Claim commit:** `9afdf3d claim(kuma): M2 — build #462 LEVEL 5 PASS (flake #2); DEFERRED closed; PARITY updated`
 ### Cold-verify evidence (Adversary-independent)
 **1. Build #462 results (read from /var/lib/cc-ci-runs/462/results.json on cc-ci)**
 ```
 level: 5   recipe: uptime-kuma   ref: eb4521cc5d77
  functional.test_uptime_kuma_root_serves [pass] 16ms
  functional.test_socketio_polling_handshake [pass] 26ms
  functional.test_uptime_kuma_spa_has_branding [pass] 27ms
  playwright.test_monitor_wizard_and_probe [pass] 2746ms
 clean_teardown: True   no_secret_leak: True   playwright count: 1
 ```
 **2. 2 consecutive green runs** ✓
 - Build #460: Level 5, `test_monitor_wizard_and_probe` PASS 2817ms
 - Build #462: Level 5, `test_monitor_wizard_and_probe` PASS 2746ms
 - Both same ref (eb4521cc), same recipe, same PR #3
 **3. DEFERRED.md closed** ✓
 ```
 [x] CLOSED @2026-06-11 (Builder, phase kuma): tests/uptime-kuma/playwright/test_monitor_wizard.py
    implemented and proven in real CI … Drone builds #460 + #462 both LEVEL 5 …
 ```
 **4. PARITY.md updated** ✓
 - New row for `tests/uptime-kuma/playwright/test_monitor_wizard.py` with full rationale
 - Documents Up/Down probe, heartbeat datetime, Socket.IO-driven status
 **5. PR comment build #462** ✓
 - `🌻 cc-ci — uptime-kuma @ eb4521cc ✅ passed`
 ### Phase DoD check
 Per `plan-phase-kuma-monitor.md` §5:
 - ✅ uptime-kuma proves actual function (wizard + real probe — Up AND Down confirmed)
 - ✅ Flake-checked (2 consecutive Level 5 green runs #460 + #462)
 - ✅ Budget held (2.75–2.82s actual ≪ 90s target)
 - ✅ DEFERRED checked off (entry `[x] CLOSED @2026-06-11`)
 - ✅ M1 fresh PASS (filed 2026-06-11T18:26Z)
 - ✅ M2 fresh PASS (this entry)
 - No VETO standing
 ### M2 verdict: **PASS** — all DoD satisfied. Builder may write `## DONE`.
--- a/machine-docs/REVIEW-lvl5.md
+++ b/machine-docs/REVIEW-lvl5.md
@ -0,0 +1,148 @@
 # REVIEW — Phase lvl5 (L5 lint rung + de-cap) — Adversary verdicts
 Cold-verification ledger (append-only). Each verdict formed from the plan (SSOT), the code/git
 history, the verification info in STATUS-lvl5.md, and my own cold re-run — NOT from JOURNAL
 (anti-anchoring, §6.1). JOURNAL not consulted before this verdict.
 ---
 ## M1 — Implementation complete (pre-merge): **PASS** @ 2026-06-11T07:54Z
 Branch `phase-lvl5` @ `3d8d286cf3f2df7d164bf458f07bbb916cc18f2b` (claim 24baac5). Implementation
 deliberately NOT on main (reverts 589943f/cd62743 hold it pre-merge) — confirmed; only the
 DECISIONS entry (392f7df) is on main. Verified from a **fresh cold clone** on the cc-ci host
 (`/tmp/adv-lvl5`, cloned from origin, checked out phase-lvl5; HEAD matched 3d8d286).
 **Acceptance per plan §4 M1 — all satisfied:**
 1. **Cold clone + HEAD** — `git rev-parse HEAD` = 3d8d286 ✓ (matches claim).
 2. **Unit suite (CI host venv)** — `cc-ci-run -m pytest tests/unit/ -q` → **246 passed** in 5.32s
   ✓ (matches claimed count).
 3. **Repo lint** — `nix develop .#lint --command bash scripts/lint.sh` → **lint: PASS** ✓.
 4. **De-capped `compute_level` correct on ALL 4 mission worked examples** (hand-traced against
   `level.py` + verified by the rewritten test_level.py):
   - install✔ upgrade✘ backup✔ functional✔ lint✔ → **L1** (fail blocks) ✓
   - install✔ upgrade✔ backup skip functional✔ lint✔ → **L5** (intentional skip climbs — the
     de-cap; was L2 under old rule) ✓
   - install✔ upgrade✔ backup **unver** functional✔ lint✔ → **L2** (unver blocks) ✓
   - all four ✔, lint unver → **L4** (unverified top rung not earned) ✓
   Formula `level = max i: rung_i==pass ∧ all j<i ∈ {pass,skip}` implemented exactly
   (pass→advance, skip→continue, fail/unver→break). 0 if none.
 5. **N/A classification table matches code.** `derive_rungs` (results.py) implements the
   DECISIONS table verbatim, incl. the subtle upgrade split: `skip ∧ ¬has_upgrade_target` →
   `skip` (structural, climbs); a prior-stage abort (`skip`/None WITH a target, undeclared) →
   `unver` (blocks). install never skips; backup_restore skip iff not-capable or EXPECTED_NA;
   functional skip iff EXPECTED_NA else unver; **lint pass/fail-or-unver, NEVER skip** (no N/A
   escape hatch, §2 item 5; EXPECTED_NA["lint"] ignored). Default-unclassifiable = unver. ✓
 6. **§2.3 mirror-context decision reviewed — NO rule filtered.** Executor (`lint.py`) lints a
   pristine scratch clone of the per-run tree at the tested sha; origin→local path makes abra's
   tag force-fetch work offline (no auth, no go-git "reference not found"), and the run's real
   tags ride along so R014 evaluates real content. The plumbing pollution is solved by context,
   not exemptions. Confirmed by **real-abra behavioral probe** (not just synthetic fixtures):
   - `run_lint("hedgedoc", …)` clean → `{'status':'pass',...}` ✓ (proves scratch-clone makes
     abra lint actually run — no FATA).
   - inject lightweight tag → `{'status':'fail','detail':'error rule(s) unsatisfied: R014',
     'rules_failed':['R014']}` ✓ (proves the classifier has teeth; R014 is NOT suppressed).
   Classifier correctly recognizes `rc=0`-with-critical-errors (parses table + "critical errors
   present" sentinel, fails closed on disagreement); only content-FATA ("unable to validate
   recipe") → fail, all other non-zero → unver.
 7. **Verdict-neutrality — code inspection + targeted tests.** `run_lint` invoked once
   (run_recipe_ci.py:942), defaults to `unver`, double-wrapped in try/except (crash → stays
   unver, non-fatal print), runs BEFORE the tiers at `head_ref` (the exact tested ref). Its
   result is consumed ONLY at build_results (line 1278, "non-fatal, verdict unaffected"); NO
   verdict computation reads it. 60s hard budget, never raises. Targeted tests pass:
   `test_run_lint_missing_recipe_is_unver_not_raise`,
   `test_build_results_no_lint_given_is_unverified_never_pass`. ✓
 8. **cap/cap_reason/capped fully removed** from active code/schema/card/dashboard/docs. grep over
   runner/dashboard/docs/tests finds the words only in (a) the unrelated screenshot timeout-cap,
   (b) "capable"/max-users, (c) explicit test/doc assertions that the fields are ABSENT in
   schema 2 and that old schema-1 artifacts (which carry level_cap_reason) still render with no
   relabeling — history-compat covered by test_card/test_dashboard (green). ✓
 No verdict regression, no run-verdict coupling, no rule suppression, no silent pass. **M1 PASS.**
 Builder cleared to merge phase-lvl5 → main and proceed to P3/P4 (M2). No VETO.
 **Scope note (carried to M2):** M1 verified the lint executor + classifier + level math on real
 abra output and the unit surface. M2 must still prove, on real CI end-to-end: ≥1 genuine L5,
 ≥1 lint-blocked L4, ≥1 N/A-skip climb, drone `!testme` ×2, canaries at designed levels under the
 NEW formula, old artifacts rendering live, durations not inflated (lint ≤~60s; observed ~0.7s),
 the before/after level table for ALL enrolled recipes, and card/dashboard/badge visually (PNG/SVG).
 ---
 ## M2 — Proven in real CI: **PASS** @ 2026-06-11T11:27Z
 Main @ `a521d43` (impl merged 08e6cc8 + PR-path fix 68c3486). Cold-verified from a **fresh clone
 of main** on the cc-ci host (`/tmp/adv-m2`), drone API (token from /run/secrets), live HTTPS
 artifacts, and Read PNGs. JOURNAL not consulted before this verdict.
 **Acceptance per plan §4 M2 + §6 DoD — all satisfied:**
 1. **Unit suite + lint (fresh clone main).** `cc-ci-run -m pytest tests/unit/ -q` → **247 passed**;
   `scripts/lint.sh` → PASS. The new PR-path regression test
   `test_run_lint_detached_pr_tree_lints_exact_ref` passes (covers fix 68c3486: abra lint checks
   out the repo DEFAULT BRANCH, so a detached scratch clone would FATA or silently lint a stale
   branch; fix forces local main AT the tested ref + repoints origin to scratch → lints the PR
   head content). My M1 smoke only exercised the HEAD path; this closes that gap.
 2. **Genuine L5 (full clean climb).** Runs 398 hedgedoc / 406 immich / 407 plausible / 413 mumble:
   results.json schema=2, level=5, all 5 rungs pass, no cap keys, drone build status=success.
 3. **Lint-blocked L4, verdict-neutral — the central claim.** Run 405 custom-html PR4:
   results.json level=4, lint=fail rules_failed=[R011], all five TIERS pass
   (install/upgrade/backup/restore/custom), **drone build 405 status=SUCCESS**, and the bridge
   `reflected outcome build 405 (custom-html PR #4): success` to the PR. A lint failure caps the
   level at 4 but does NOT flip the run verdict. Card PNG shows lint ✗ FAIL red, "level 4 of 5",
   badge #a0b93f. Neutrality proven BOTH directions (415/416 red with lint=pass — see #6).
 4. **N/A-skip climb (the de-cap).** Run 399 custom-html-tiny: backup_restore=skip with declared
   reason in skips.intentional ("stateless static file server … no backupbot.backup label"),
   other rungs pass, **level=5** (was L2 @ #205). Card PNG shows backup/restore "⊘ INTENTIONAL
   SKIP" + reason, level 5 of 5. A formerly-capped non-backup-capable recipe now climbs.
 5. **Drone !testme path ×3, GENUINE (not manual API).** ccci-bridge poll logs:
   `[poll] triggered build 405 for custom-html@36b362aa (PR #4, comment 14332)`,
   `406 immich@107d7220 (PR #2, comment 14333)`, `407 plausible@13458fac (PR #3, comment 14334)`,
   each followed by `reflected outcome … success`. Build params confirm RECIPE/PR/REF match the
   real PR heads. ≥2 required; 3 delivered, all on real PRs showing the lint rung.
 6. **Canaries at re-derived designed level + backup-fail still blocks.** 415 (bkp-bad) / 416
   (rst-bad): drone build status=**failure** (red), results.json level=1, rungs {install pass,
   upgrade skip(structural — no version tags on SRC+REF mirror), backup_restore FAIL, functional
   unver, lint pass}. New-formula trace: install(1) → upgrade skip(climb) → backup_restore
   fail(BLOCK) → L1. RED is caused by the failing backup/restore TIER (verdict logic untouched),
   NOT by lint (lint=pass). Re-derivation is sound; matches OLD-rule level too (old: upgrade N/A
   caps at L1) — no regression, same designed level, red either way.
 7. **Unverified-blocks (mission example #3), synthesized.** host run
   `/var/lib/cc-ci-runs/lvl5-unver-demo/results.json`: schema=2, level=2, rungs {install pass,
   upgrade pass, backup_restore UNVER, functional pass, lint pass}, skips.unintentional=
   [backup_restore]. backup unver blocks at L2 even though functional+lint pass above it. ✓
 8. **Durations not inflated.** drone build wall-times: 398=100s, 399=45s, 405=61s, 406 immich=199s
   (shot baseline 198-199s), 407 plausible=164s (shot baseline 166s), 413=80s. lint adds ~0.7s;
   the two cross-phase baselines are flat (407 slightly faster). No duration regression.
 9. **Old artifacts render, no relabel.** /runs/370 (schema=1, level=4, level_cap_reason present)
   serves 200 (results.json + summary.png); dashboard `/` + `/recipe/immich` 200 with mixed
   schema-1/schema-2 rows; unit history-compat tests green.
 10. **lint.txt served.** /runs/398/lint.txt 200 — full real abra table (HEAVY-box), cmd + rc=0 +
    status=pass header, ref=09bf4d54 (hedgedoc's EXACT tested ref).
 11. **Badges number+colour only.** hedgedoc badge ">level 5<" #3fb950; custom-html ">level 4<"
    #a0b93f; grep finds NO cap/skip/na/reason language in badge SVGs. Matches operator spec.
 12. **P3 matrix 19/19 lint PASS** (BACKLOG-lvl5.md) via documented scratch-clone method; no mirror
    PRs / DEFERRED needed; warn-severity misses only (don't fail the rung). lasuite-meet R014 now
    passes genuinely (tag annotated upstream — not suppressed). **Before/after table: every level
    shift is explained by the rule change** — L4→L5 (+lint, baseline from real artifacts + P3
    sweep), de-cap L2→L5 (custom-html-tiny proven #399; mailu same mechanism), L4 lintdemo (#405),
    canary L1, bluesky N/A consistent. **No unexplained shift / no downward regression.** "Analytic
    5" cells are derivation-checkable from two evidenced inputs (real baseline tiers + proven lint).
 13. **No secret leak.** Independent sweep: no /run/secrets infra-secret VALUES and no generated
    app-credential patterns appear in any published run artifact (the new lint.txt surface incl.).
    results.json flags no_secret_leak=true + clean_teardown=true across runs.
 **§6 Definition of Done satisfied:** new level system live on main and visible end-to-end
 (results.json→card→dashboard→badge); L5 = abra recipe lint on the tested ref; capping fully
 removed (no cap/cap_reason/capped); all 19 enrolled recipes linted + dispositioned with an
 adversary-checked before/after table; ≥1 real L5 + ≥1 lint-blocked L4 + ≥1 N/A-skip climb through
 real CI incl. the drone path ×3; old artifacts unharmed; M1 (cfc87fd) + M2 fresh Adversary
 PASSes; no verdict or duration regressions.
 **No VETO. Builder is cleared to write `## DONE` to STATUS-lvl5.md.**
 Out-of-scope note (Builder's STATUS query): the WC5 promote-on-green-cold observation (a
 STAGES-filtered hand-run promoted custom-html's canonical) is pre-existing and orthogonal to the
 level system — NOT a lvl5 finding/regression and not a DONE blocker. If the Builder wants it
 tracked, DEFERRED.md/IDEAS.md is the right home; I'm not filing it as an [adversary] finding.
--- a/machine-docs/REVIEW-mailu.md
+++ b/machine-docs/REVIEW-mailu.md
@ -0,0 +1,190 @@
 # REVIEW — phase `mailu` (backupbot labels + backup/restore coverage)
 Adversary verdict log. Append-only. SSOT: `cc-ci-plan/plan-phase-mailu-backup.md`.
 ## Phase orientation (2026-06-11T17:59Z)
 Builder clone: `/srv/cc-ci/cc-ci`; Adversary clone: `/srv/cc-ci/cc-ci-adv`.
 Phase goal: mirror PR adding backupbot v2 labels to mailu recipe + proof backup→wipe→restore on real
 seeded mail data passes CI.
 Pre-phase independent research notes:
 - Mailu compose.yml analyzed. Critical durable volumes:
  - `mailu:/data` on `admin` svc — SQLite DB (accounts, domains, aliases, DKIM config)
  - `dkim:/dkim` on `admin` svc — DKIM signing keys
  - `mail:/mail` on `imap` svc — mail store (Maildir, all user messages)
  - `redis:/data` on `db` svc — Redis (transient: rate-limits, sessions) — likely NOT needed for restore
  - Other volumes (rspamd, webmail, certs, mailqueue) — transient/cache, NOT durable
 - Correct backupbot v2 label placement: `admin` service (for DB + DKIM) and `imap` service (for mail store)
 - Backupbot v2 map syntax confirmed from keycloak/immich/mattermost-lts recipes
 - SQLite `/data` — pre-hook may be needed to dump consistently; or copy is safe if admin is quiesced
 - Mail store backup: Maildir is file-based, safe to copy live
 - Recipe mirror has open PR#2 (upgrade-3.1.0+2024.06.52) — backupbot PR must be separate
 Awaiting M1 claim from Builder.
 ---
 ## M1 FAIL @2026-06-11T20:58Z
 **Claim**: build #473 LEVEL 5 PASS, backup→wipe→restore on real seeded mail data proven.
 **Verdict: FAIL** — the backup/restore test exercises only the SQLite `/data` volume; the Maildir
 `/mail` volume is labeled and backed up but is NOT specifically tested for restoration.
 ### What I verified (cold)
 1. **PR#3 labels correct** (`add-backupbot-labels`, head `edc0201a79d3`):
   - `admin` service: `backupbot.backup: "true"` + `backupbot.backup.path: "/data"` ✓
   - `imap` service: `backupbot.backup: "true"` + `backupbot.backup.path: "/mail"` ✓
   - Version bump: `3.0.1` → `3.0.2+2024.06.52` ✓
   - DKIM exclusion intentional and documented in PR desc ✓
 2. **Build #473 evidence** (drone API + results.json):
   - status: success, level: 5, all 5 rungs PASS ✓
   - `clean_teardown: true`, `no_secret_leak: true` ✓
   - `test_backup_captures_mailbox` PASS — `citest@<domain>` in config-export at backup time ✓
   - `test_restore_returns_mailbox` PASS — `citest@<domain>` back in config-export after restore ✓
   - Backup snapshot `13eee64e`: 139 files, 85MB ✓
   - Cold teardown: `abra app ls --server cc-ci` shows no mailu apps ✓
   - No plaintext secrets in compose.yml (secrets section uses swarm `external: true` refs) ✓
   - PARITY.md updated: P4 COVERED ✓
 3. **Backupbot v2 syntax verified** against keycloak/mattermost-lts/n8n patterns — `backupbot.backup.path`
   is valid v2 syntax for specifying the backup path ✓
 ### Failing item: `/mail` volume restoration not tested
 **Plan requirement** (`plan-phase-mailu-backup.md` §2.3):
 > "ensure the restore tier's data-integrity seed/verify actually exercises MAIL data (a seeded
 > mailbox + message that survives backup→wipe→restore — extend the existing functional helpers if
 > the current seed is too shallow; never weaken anything)"
 **What the test does** (`ops.py`):
 - `pre_backup`: creates user account `citest@<domain>` in SQLite via `flask mailu user` — this
  is an account record in `/data` (SQLite), NOT a mail message in `/mail` (Maildir)
 - `pre_restore`: deletes `citest@<domain>` from SQLite via sqlite3 — only wipes the DB record;
  the Maildir at `/mail` is untouched throughout
 - `test_restore.py`: asserts `citest@<domain>` is back in `config-export` — this proves the SQLite
  (`/data`) backup/restore worked, but says nothing about the Maildir (`/mail`)
 **What is missing**: the test never (a) seeds an actual email message into the maildir, (b) wipes
 maildir content before restore, or (c) verifies a message survived the restore cycle. If backupbot
 silently failed to restore the `/mail` volume, this test would still PASS.
 **Fix required** (using existing infra from `test_mail_flow.py`):
 1. `pre_backup`: after creating `citest@<domain>`, inject a uniquely-tagged message into the mailbox
   (e.g., via in-container `sendmail` → postfix → dovecot deliver, the same path as `test_mail_flow.py`)
 2. `pre_restore`: also wipe the maildir for `citest@<domain>` (e.g.,
   `doveadm expunge -u citest@<domain> mailbox INBOX ALL` in the `imap` container)
 3. `test_restore.py`: after asserting the account is back, also assert the seeded message is present
   (e.g., `doveadm search -u citest@<domain> mailbox INBOX ALL` returns ≥1 message)
 Note: the Maildir delivery flow is already proven in `test_mail_flow.py` — the tooling exists,
 the fix is an extension of the existing seed, not a new mechanism.
 ### Adversary finding filed
 See BACKLOG-mailu.md `## Adversary findings` — item [ADV-mailu-01].
 Builder: fix the seed shallow enough to exercise `/mail` and re-trigger. PARITY.md and the labels
 are correct; only the seed depth needs extending.
 ---
 ## M1 PASS @2026-06-11T21:00Z
 **Re-claim**: build #477 LEVEL 5 PASS, ADV-mailu-01 fix applied, both volumes (`/data` SQLite + `/mail` Maildir) now specifically tested.
 **Verdict: PASS** — the fix correctly extends the backup/restore seed to cover both durable volumes.
 ADV-mailu-01 is closed.
 ### What I verified (cold)
 1. **PR#3 labels correct** (branch `add-backupbot-labels`, head `edc0201a79d36bc87696b0f93f1ee88ad7bd10ed`):
   - `admin` service: `backupbot.backup: "true"` + `backupbot.backup.path: "/data"` ✓
   - `imap` service: `backupbot.backup: "true"` + `backupbot.backup.path: "/mail"` ✓
   - Version bump: `3.0.1` → `3.0.2+2024.06.52` ✓
 2. **Build #477 evidence** (Drone API + `/var/lib/cc-ci-runs/477/results.json`, cold read):
   - status: success, level: 5, all 5 rungs PASS ✓
   - `clean_teardown: true`, `no_secret_leak: true` ✓
   - **backup stage** (all PASS):
     - `test_backup_captures_mailbox` PASS (1323ms) — SQLite `/data` ✓
     - `test_backup_captures_mail_message` PASS (133ms) — Maildir `/mail` ✓
   - **restore stage** (all PASS):
     - `test_restore_returns_mailbox` PASS (1359ms) — SQLite `/data` ✓
     - `test_restore_returns_mail_message` PASS (189ms) — Maildir `/mail` ✓
   - Clean teardown confirmed: `docker stack ls` on cc-ci shows no `mailu-*` stacks ✓
   - No mailu volumes leaked ✓
 3. **Fix code review** (commit `b9352e8`, cold):
   - `ops.py::pre_backup`: creates user + injects `ccci-backup-probe` message via `sendmail` in
     `smtp` container, polls `doveadm search` in `imap` container (≤60s) to confirm delivery ✓
   - `ops.py::pre_restore`: (1) deletes user from sqlite; (2) `rm -rf /mail/{domain}/{localpart}`
     in `imap` container — wipes maildir independently from sqlite record ✓
   - `test_backup_captures_mail_message`: `doveadm search` on `imap` asserts message present at backup time ✓
   - `test_restore_returns_mail_message`: same search after restore — asserts Maildir restored ✓
   - Both volumes exercised independently: pre_restore wipes each separately; restore must recover each ✓
 4. **ADV-mailu-01 all three fix items satisfied**:
   - (1) pre_backup injects a uniquely-tagged message via sendmail→dovecot deliver ✓
   - (2) pre_restore wipes the maildir (`rm -rf /mail/{domain}/{localpart}`) ✓
   - (3) test_restore asserts the message is back (`doveadm search` ≥1 result) ✓
 **ADV-mailu-01 closed** — fix is real, CI proves it, no weakening of any assertion.
 Builder is cleared to proceed to M2.
 ---
 ## M2 PASS @2026-06-11T21:15Z
 **Claim**: DEFERRED closed; levels reconciled; PARITY.md updated; operator summary written; fresh Adversary re-trigger via independent `!testme` on PR#3.
 **Verdict: PASS** — all M2 DoD items verified independently. Phase `mailu` is DONE.
 ### What I verified (cold)
 1. **PR#3 still open, unmerged** (Gitea API cold check):
   - state: open, head sha: `edc0201a79d36bc87696b0f93f1ee88ad7bd10ed`, merged: False ✓
 2. **DEFERRED.md mailu entry closed**:
   - Entry `2026-05-29 — mailu: no backup config` marked `[x] CLOSED @2026-06-11` with PR#3 +
     build #477 pointers; re-entry checkbox also ticked ✓
 3. **PARITY.md updated with dual-volume evidence** (`tests/mailu/PARITY.md`):
   - P4 section now states "earned via recipe-mirror PR#3" ✓
   - Documents both `/data` (SQLite) and `/mail` (Maildir) seeded + wiped + verified restored ✓
   - `ops.py`, `test_backup.py`, `test_restore.py` each described correctly ✓
   - Before/after level: `backup_capable=False → L4-skip` → `backup_capable=True → L5-earned` ✓
 4. **Levels reconciliation independently verified**:
   - `runner/harness/generic.py::backup_capable()` scans `compose*.yml` for `backupbot.backup.*true` ✓
   - Main branch: no backupbot labels → `backup_capable=False` → backup rung = intentional skip → **L4** ✓
   - PR#3 head: admin+imap labels present → `backup_capable=True` → backup rung earned → **L5** ✓
 5. **Operator summary in STATUS-mailu.md**: complete, accurate, actionable — specifies PR#3 URL,
   head SHA, what the PR adds, what CI proved, what operator must do (merge PR#3) ✓
 6. **Fresh independent re-trigger** (Adversary posted `!testme` on PR#3 at 2026-06-11T21:04:39Z,
   comment #14363):
   - **Drone build #483**: LEVEL 5 SUCCESS, recipe=mailu, PR=3, ref=`edc0201a79d3`
   - All 5 rungs PASS: install / upgrade / backup+restore / functional / lint ✓
   - Backup stage: `test_backup_captures_mailbox` PASS (1377ms) + `test_backup_captures_mail_message` PASS (149ms) ✓
   - Restore stage: `test_restore_returns_mailbox` PASS (1402ms) + `test_restore_returns_mail_message` PASS (168ms) ✓
   - `clean_teardown: true`, `no_secret_leak: true` ✓
   - No mailu stacks or volumes on host post-run (`docker stack ls` + `docker volume ls` confirm) ✓
   - Result is reproducible: two independent builds (#477, #483) both LEVEL 5 at the same PR head ✓
 ### Phase DoD satisfied
 All items from `plan-phase-mailu-backup.md` §5:
 - Mirror PR open with evidence-justified backupbot v2 labels ✓ (PR#3)
 - backup→wipe→restore proven on real seeded mail data at PR head incl. drone path ✓ (builds #477 + #483)
 - mailu's backup rung earned (not skipped) with levels reconciled ✓
 - DEFERRED closed ✓
 - M1 + M2 fresh Adversary PASSes ✓ (this entry + M1 PASS above)
 - PR unmerged for the operator ✓
 **Phase `mailu` is complete. Builder is cleared to write `## DONE` to STATUS-mailu.md.**
--- a/machine-docs/REVIEW-nixenv.md
+++ b/machine-docs/REVIEW-nixenv.md
@ -0,0 +1,156 @@
 # REVIEW — phase `nixenv` (Adversary)
 Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase-nixenv-shared-runtime-env.md`
 SSOT for verification. Verdicts below; cold-runs only.
 Status: **M1 PASS** @ 17:40Z (`8b8fc1f`) + **M2 PASS** @ 18:20Z (`f7b6f26`). Both milestones fresh
 Adversary PASS, no VETO → Builder cleared to write `## DONE`.
 ---
 ## M2 — PASS @ 2026-06-17T18:20Z — claim `f7b6f26` (deployed `/etc/cc-ci`@d11f8f5 = M1-reviewed tree)
 **Deploy + live parity proven — cold-verified.** Verdict from the plan (SSOT), the code, the claim's
 verification info, and my OWN live re-runs (Drone API, journald, host probes). JOURNAL-nixenv.md NOT
 read before this verdict (anti-anchoring preserved).
 **(1) Deploy clean + host healthy (re-verified live post-sweep @18:16–18:18Z).**
 - Deployed system `dhmpm232r6m0sq3s7y5r5jpyv5kxgzwi-nixos-system-…` BYTE-IDENTICAL to my M1 build.
 - `systemctl --failed` EMPTY; `nightly-sweep.timer` active+enabled; drone-runner-exec / deploy-proxy /
  warm-keycloak / swarm-init all active; `nightly-sweep.service` finished Result=success
  ExecMainStatus=0. drone `/healthz`→200, `ci.commoninternet.net`→200.
 - Live `cc-ci-run` = `zxlx9jnylh7la5m48bsqb1wfm5l9r0bd` (M1-reviewed path). git-lfs/openssl/script/bash
  resolve on host PATH AND inside cc-ci-run (git-lfs→`33ikv…-git-lfs-3.6.1`, openssl→`48p8b…-openssl-3.3.3`
  from runtimeInputs, NOT host PATH). openssl was MISSING on this host pre-deploy.
 - NO orphan ephemeral test stacks left by the sweep (no `gite-/matt-/disc-` per-run stacks); only the
  expected warm canonicals (bluesky-pds, gitea, keycloak) remain — clean teardown.
 **(2) Live LFS parity — GREEN on BOTH paths (the DEFECT-3 witness).**
 - **Real timer fire:** `systemctl start nightly-sweep.service` @17:35:38Z; gitea RUN-eligible
  (canonical 3.5.3 < tag 3.6.0) → `tests/gitea/custom/test_lfs_roundtrip.py::test_lfs_roundtrip
  PASSED` @17:57:54Z (+ install/upgrade/backup/restore all PASS). The systemd unit PATH carries NO
  git-lfs and NO /run/current-system/sw/bin, so git-lfs MUST have resolved from cc-ci-run's
  runtimeInputs — exactly the old DEFECT-3 condition, now satisfied by the shared env.
 - **Drone path:** independently inspected build **#871** via Drone API (status=success): stage
  recipe-ci → step `ci` runs `cc-ci-run runner/run_recipe_ci.py` (`.drone.yml:83`). Log shows LFS
  RAN not skipped: `test_lfs_roundtrip PASSED`; RUN SUMMARY install/upgrade/backup/restore/custom all
  pass, level=5 of 5.
 - Both paths exec the SAME `zxlx9jn` cc-ci-run ⇒ git-lfs resolves identically. DEFECT-3 class
  structurally eliminated, demonstrated live.
 **(3) No regression — sweep SKIPs/promotes correct; the 3 non-green results ALL pre-existing.**
 - **Regression canary:** scanned the ENTIRE post-deploy sweep journal for missing-tool signatures
  (`command not found` / `not found` / `executable file not found` / `No such file`) → **ZERO**.
  Nothing got dropped from the env (consistent with the M1 superset proof). No recipe went GREEN→RED.
 - SKIPs all correct (cryptpad/ghost/drone/hedgedoc/immich/lasuite-*/mailu/matrix-synapse/n8n/
  plausible/uptime-kuma — no-new-version); promotes correct (custom-html, mumble).
 - **gitea GREEN-BUT-PROMOTE-FAILED**: tests green; WC5 promote `abra app deploy warm-gitea… -o -n`
  fails `FATA … is already deployed` — abra idempotency on the persistent warm canonical (warm-gitea
  confirmed still up). canonical.json unchanged (3.5.3, ts 08:39Z). Promote path = `nightly_sweep.py`
  @canon f94de22, UNCHANGED by nixenv (diff dd6712c..d11f8f5 is nix/+machine-docs only, zero
  runner/tests) → behaviour identical to canon by construction.
 - **discourse rc=1 / mattermost-lts rc=1**: recipe-level reds, env-independent —
  discourse `test_head_runs_official_image_not_bitnamilegacy` + `test_sidekiq_service_dropped_by_head`
  (HEAD-image/service assertions); mattermost `test_restore_returns_state` → `docker exec … postgres …
  relation "ci_marker" does not exist` (docker RESOLVED and ran — a restore-data failure, not a
  missing tool). **Corroborated pre-existing:** the SAME reds occur in BOTH OLD-env pre-deploy fires
  today (PID 2149231@14:xx, PID 2248547@15:xx) — mattermost byte-identical postgres error; discourse
  red in all fires (never green). Not caused by the env change.
 **No defects, no VETO.** M2 DoD fully met live. The harness runtime env is single-sourced and proven
 identical across the Drone runner, the timer sweep, and host systemPackages, with git-lfs/openssl now
 guaranteed from one declaration — the DEFECT-3 divergence class is structurally impossible.
 **M1 + M2 fresh Adversary PASS → DONE is cleared.** (Consulted JOURNAL-nixenv.md? No — verdict stands
 on plan + code + my own live re-runs.)
 ---
 ## M1 — PASS @ 2026-06-17T17:40Z — claim `8b8fc1f`
 **Single-source harness runtime env — cold-verified, all 6 DoD items.** Verdict formed from the
 phase plan (SSOT), the code, and my OWN cold builds/evals — JOURNAL-nixenv.md NOT consulted
 (anti-anchoring preserved).
 1. **Builds succeed, both hosts (no collision).** `nix build .?submodules=1#…cc-ci-hetzner…toplevel`
   → EXIT 0; `…#…cc-ci…toplevel` → EXIT 0. (A transient SQLite eval-cache "busy" from running both
   in parallel was `error (ignored)`, not a build failure.)
 2. **Single source (greps).** `withPackages` → 1 hit (`packages.nix:17` `ccciPyEnv`); `pytest
   playwright` → 1 hit (same line); `ccciRuntimeTools` defined once (`packages.nix:45`), referenced
   by `cc-ci-run` (`:68`) + both host configs. `nightly-sweep.nix` has NO `withPackages`, NO
   `python3`, NO `/run/current-system/sw/bin` PATH prepend — `runtimeInputs = [ pkgs.cc-ci-run ]`
   and `exec cc-ci-run …`. The DEFECT-3 host-PATH patch is GONE.
 3. **Superset-or-equal — inspected the BUILT wrapper PATH.** `cc-ci-run` store
   `zxlx9jnylh7la5m48bsqb1wfm5l9r0bd` `export PATH` carries all 15 store dirs:
   python3-3.12.8-env, abra-0.13.0-beta, docker-27.5.1, git-2.47.2, **git-lfs-3.6.1**, bash-5.2p37,
   coreutils-9.5, util-linux-2.39.4, curl-8.12.1, jq-1.7.1, gnused-4.9, gnugrep-3.11, gnutar-1.35,
   **openssl-3.3.3**, procps-4.0.4 — and ends `:$PATH` (PREPEND, inherited PATH retained → nothing
   from any path lost). Covers the full union of all 3 prior lists; `git-lfs`+`openssl` are the only
   additions. Nothing dropped.
 4. **Sweep ≡ Drone entrypoint (parity by construction).** Built `cc-ci-nightly-sweep` references the
   BYTE-IDENTICAL `zxlx9jnylh7la5m48bsqb1wfm5l9r0bd-cc-ci-run`; both hosts'
   `pkgs.cc-ci-run` resolve that SAME store path; `.drone.yml:83` runs `cc-ci-run
   runner/run_recipe_ci.py` (host systemPackages wrapper = same path). Same store path ⇒ identical
   pyEnv + tooling + PLAYWRIGHT_BROWSERS_PATH on Drone path AND timer sweep.
 5. **Host divergence removed.** Both `configuration.nix` systemPackages lines are textually identical
   (`pkgs.ccciRuntimeTools ++ [ pkgs.openssh ]`). The pre-refactor `cc-ci`-vs-`hetzner` `git-lfs`
   one-off divergence (my prep flag #1) is ELIMINATED: built `cc-ci` toplevel `sw/bin` now contains
   `git-lfs`, `openssl`, `script` (util-linux) — tools it previously lacked. `openssh` correctly kept
   host-only (ssh client, not a recipe tool); it remains on both hosts so the Drone path's inherited
   PATH is unchanged for it.
 6. **Future-dep propagation (by construction).** `ccciRuntimeTools` is the lone definition; it feeds
   `cc-ci-run.runtimeInputs` (→ Drone path via `.drone.yml`, → sweep via `exec cc-ci-run`) AND both
   hosts' `systemPackages` (→ Drone runner host PATH). One edit to that list reaches every consumer.
   Proven structurally via the reference graph; no working-tree mutation needed.
 **No defects, no VETO.** Faithful refactor — one shared definition, three references, DEFECT-3 class
 structurally eliminated. M2 (deploy via `nixos-rebuild switch` + live parity witness: gitea LFS
 roundtrip green under BOTH Drone path and a real timer fire) remains to be claimed/verified.
 ---
 ## (prior) Cold-prep notes
 ---
 ## Cold-prep — enumeration of the CURRENT (pre-refactor) declarations @ HEAD dd6712c
 The M1 superset-or-equal proof must show the new shared set ⊇ the union of all of these. Captured
 from the code (SSOT), independent of any Builder narrative:
 **(A) `nix/modules/harness.nix` — `cc-ci-run` (Drone entrypoint) `runtimeInputs`:**
 `pyEnv  abra  docker  git  coreutils  util-linux`
 - `pyEnv = python3.withPackages [ pytest playwright ]`
 - env: `PLAYWRIGHT_BROWSERS_PATH=${playwright-driver.browsers}`, `PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1`
 **(B) `nix/modules/nightly-sweep.nix` — sweep `runtimeInputs`:**
 `bash  abra  docker  git  curl  jq  gnused  gnugrep  gnutar  coreutils  util-linux  procps`
 - DUPLICATE `pyEnv = python3.withPackages [ pytest playwright ]`
 - same PLAYWRIGHT env
 - DEFECT-3 patch: `export PATH="/run/current-system/sw/bin:/run/wrappers/bin:$PATH"` (host-PATH prepend)
 **(C) Drone runner path — `nix/modules/drone-runner.nix`:**
 `PATH = mkForce "/run/current-system/sw/bin:/run/wrappers/bin"` → recipe shell-outs resolve from
 **host `environment.systemPackages`**, NOT a runtimeInputs list.
 **(D) Host `systemPackages` (feeds C):**
 - `nix/hosts/cc-ci/configuration.nix`:        `curl  git  jq  openssh`   ← **NO git-lfs**
 - `nix/hosts/cc-ci-hetzner/configuration.nix`: `curl  git  git-lfs  jq  openssh`
 ### UNION the shared set must cover (≥):
 `python3+pytest+playwright` (pyEnv) · playwright browsers · `abra docker git git-lfs coreutils
 util-linux bash curl jq gnused gnugrep gnutar procps openssh`
 Plan §2 also names `openssl` as a recipe shell-out → expect it present too.
 ### Pre-noted suspicions to break on M1/M2 (cold, not yet verdicts):
 1. **Host divergence**: `cc-ci` config lacks `git-lfs` but `hetzner` has it. Which config is the
   LIVE `ssh cc-ci` server running, and does `git-lfs` actually resolve there today? If the shared
   set is applied to both host configs, cc-ci should GAIN git-lfs. Verify both configs end identical.
 2. **Nothing dropped**: any token in the union missing from the shared set = blast-radius break.
 3. **Sweep parity by construction**: plan wants sweep to invoke `cc-ci-run` (same entrypoint) — if
   it instead keeps a parallel list, "single source" is not actually achieved; grep must prove no
   module declares its own harness dep list.
 4. **DEFECT-3 patch removal**: the host-PATH prepend should be gone/subsumed; if removed, git-lfs
   etc. must now come from the shared runtimeInputs, else the sweep regresses.
 5. **Live witness**: gitea `test_lfs_roundtrip` must stay GREEN under BOTH Drone path and a real
   timer fire from the unified env.
--- a/machine-docs/REVIEW-poe2e.md
+++ b/machine-docs/REVIEW-poe2e.md
@ -0,0 +1,168 @@
 # REVIEW — phase poe2e (Adversary)
 **Phase plan:** `/srv/cc-ci/cc-ci-plan/plan-phase-poe2e-end-to-end.md`
 **Initialized:** 2026-06-13T19:25Z
 ## Orientation
 Phase mission: prove the whole model works end-to-end — PO scaffolds, runs (isolated), and tears
 down a throwaway project; cc-ci is modeled as a project in STAGING; live cc-ci is provably untouched.
 ### Definition of Done (poe2e)
 | # | DoD item | Status |
 |---|---|---|
 | D1 | PO scaffolded, ran (isolated), and tore down a throwaway project — evidence in REVIEW | **PASS @2026-06-13T19:46Z** |
 | D2 | Staged `cc-ci` project: engine submodule pinned + migrated `agents.toml`; `agents.py status` MATCHES live cc-ci (side-by-side shown) | **PASS @2026-06-13T19:46Z** |
 | D3 | Staged cc-ci registered in `fleet.toml` | **PASS @2026-06-13T19:46Z** |
 | D4 | Written, reviewed operator cutover runbook | **PASS @2026-06-13T19:46Z** |
 | D5 | Live cc-ci provably untouched: tmux sessions + `/srv/cc-ci/cc-ci-plan/agents.{py,toml}` + `state/` unchanged; no second watchdog started | **PASS @2026-06-13T19:46Z** |
 ## Verdicts
 ### ALL DoD PASS @2026-06-13T19:46Z — phase DONE
 Cold-verified from the Adversary's own clone (/srv/cc-ci/cc-ci-adv) and fresh shell. No VETO.
 ---
 #### D1 PASS @2026-06-13T19:46Z
 Re-ran the full PO scratch lifecycle independently:
 ```
 cd /home/loops/porepo/project-orchestrator
 bash scripts/create-project.sh scratch-e2e --dir /tmp/poe2e-scratch --ref v0.1.0 --prefix poe2e-scratch-
 ```
 Scaffold output: `engine pinned at 289ef07df40a8264f3a36b4e91b923d1424c4658  (v0.1.0)`, `config: agents.toml (session_prefix = poe2e-scratch-)`.
 Tracked files: `.gitignore`, `.gitmodules`, `agents.toml`, `engine` — no PO/fleet metadata.
 Injected demo backend (`prompt_delivery = "exec"` — required; "arg" default causes sleep to receive kickoff as arg and exit):
 - `python3 engine/agents.py status` → worker=stopped, watchdog=stopped
 - `python3 engine/agents.py up` → `starting poe2e-scratch-worker (demo, ...)` + `starting watchdog`
 - `tmux ls | grep poe2e-scratch` → both sessions present
 - `python3 engine/agents.py status` → `worker RUNNING [sleep]`, `watchdog RUNNING`
 - Live cc-ci sessions during run: exactly 8 cc-ci-* sessions unchanged
 - `python3 engine/agents.py down` → `killing poe2e-scratch-worker`, `killing poe2e-scratch-watchdog`
 - `tmux ls | grep poe2e-scratch || echo "torn down"` → torn down
 - `python3 engine/agents.py status` → both stopped
 - `rm -rf /tmp/poe2e-scratch` → throwaway deleted
 **Note:** The demo backend in `agents.example.toml` uses `prompt_delivery = "exec"` (not the default "arg"). Any cold-verify that injects the demo backend must include this field — otherwise the sleep process receives the kickoff file content as args and exits immediately.
 ---
 #### D2 PASS @2026-06-13T19:46Z
 Cold clone: `git clone --recurse-submodules /home/loops/poe2e/cc-ci /tmp/poe2e-ccci-cold`
 - HEAD: `38e5c907b9e37b8aebbfccb2e1ad8de7e2d880cb` ✓
 - Submodule: `289ef07df40a8264f3a36b4e91b923d1424c4658 engine (v0.1.0)` ✓
 - (a) Phase list: `phases: 19 19 | identical: True` ✓
 - (b) Phase seq: `rcust shot lvl5 bsky dstamp mailu kuma drone cfold cf55 pvfix pvcheck ghost cf48 pxgate aoeng aotest porepo poe2e` ✓
 - (c) After `phase set 18` (poe2e): `diff /tmp/s.txt /tmp/l.txt` → **STATUS BYTE-IDENTICAL** ✓
  - Both print: `phase: poe2e [19/19]  plan=plan-phase-poe2e-end-to-end.md  (in progress)` + identical 8-agent table
  - STATE column shows RUNNING for live sessions because `agents.py status` uses read-only `tmux has-session` — the staged project started nothing; both configs point at the same live tmux sessions, which is why status is byte-identical
 - (d) `builder kickoff identical: True`, `adversary kickoff identical: True` ✓
 Cold clone deleted.
 ---
 #### D3 PASS @2026-06-13T19:46Z
 ```
 cd /home/loops/porepo/project-orchestrator
 python3 scripts/fleet.py validate   → fleet: OK — 2 project(s), schema v1
 python3 scripts/fleet.py status     → cc-ci [disabled] agent-orchestrator@v0.1.0  /home/loops/poe2e/cc-ci
                                       total=2 enabled=1 disabled=1
 ```
 `cc-ci` is registered as disabled — correct, it must not be started by the PO (that would conflict with the live system). Operator cutover enables it per runbook §6.
 ---
 #### D4 PASS @2026-06-13T19:46Z
 Read `/home/loops/poe2e/cc-ci/docs/cutover-runbook.md`. Covers all expected sections:
 - §0: What-stays/what-changes table with exact config deltas
 - §1: Pre-flight + parity gate (`engine/agents.py status` on project must match live before proceeding)
 - §2: Quiesce live — `systemctl stop cc-ci-loops.service` + `agents.py down` + confirm zero `cc-ci-` sessions (critical: prevents double watchdog on shared namespace)
 - §3: Reuse vs fresh start decision (reuse recommended — preserves phase-idx + resume ids)
 - §4: Production config delta: change `log_dir` from `.ao-state` back to `/srv/cc-ci/.cc-ci-logs`
 - §5: Re-point `launch.py`/`launch.sh` at `engine/agents.py --config agents.toml` (keeps systemd + orchestrator's prompt working unchanged; rollback copy preserved as `launch.py.preproject`)
 - §6: Start + validate (launch.py status parity, single watchdog, handoff ping, flip fleet entry to enabled)
 - §7: Fast rollback (re-point `launch.py`, restart)
 - Appendix: explicitly notes no ACME/DNS/prod-domain work (out of scope)
 Runbook is operator-supervised and explicitly states loops MUST NOT perform this cutover themselves.
 ---
 #### D5 PASS @2026-06-13T19:46Z
 Final check (vs baseline @19:25Z):
 - `agents.toml` SHA256: `0d78ba55329705055bbb39722292b6d131cdd30f37eb814e50316f7c0e222b88` ✓ unchanged
 - `agents.py` SHA256: `b4567b73099a587b5727a194f80a5e908d1a1589691294230e6ad1492fb9fe9a` ✓ unchanged
 - `state/phase-idx`: `18` ✓ unchanged
 - tmux sessions: exactly 8 `cc-ci-*` sessions, all with same creation times as baseline ✓
 - `cc-ci-watchdog` count: exactly 1 ✓ (no second watchdog started)
 - cc-ci host: `no tmux sessions` ✓ unchanged
 The staged project (`/home/loops/poe2e/cc-ci`) uses `session_prefix = "cc-ci-"` for fidelity but the Builder ran ONLY `status`/`phase show`/`phase set` against it — none of which start or kill sessions. The scratch D1 demo ran under `poe2e-scratch-` namespace. No live cc-ci file or session was touched.
 ## D5 — Live cc-ci baseline snapshot @2026-06-13T19:25Z (pre-Builder)
 Taken before Builder started any poe2e work. Will diff against this on cold-verify.
 **agents.toml SHA256:** `0d78ba55329705055bbb39722292b6d131cdd30f37eb814e50316f7c0e222b88`
 **agents.py SHA256:** `b4567b73099a587b5727a194f80a5e908d1a1589691294230e6ad1492fb9fe9a`
 **state/phase-idx:** `18` (poe2e — index 18 in the phases array)
 **tmux sessions (orchestrator host, pre-Builder):**
 ```
 cc-ci-adv (just started)
 cc-ci-assistant3 (pre-existing since 2026-06-09)
 cc-ci-builder (just started)
 cc-ci-cleanlogs (pre-existing since 2026-06-02)
 cc-ci-orchestrator (pre-existing since 2026-06-13)
 cc-ci-report (pre-existing since 2026-06-12)
 cc-ci-upgrader (pre-existing since 2026-06-11)
 cc-ci-watchdog (pre-existing since 2026-06-13)
 ```
 **cc-ci host tmux:** `no tmux sessions` (cc-ci has no tmux sessions at phase start)
 D5 PASS criterion: after all Builder work, agents.toml + agents.py checksums unchanged,
 state/phase-idx still 18, no new cc-ci-*-prefixed watchdog sessions started, cc-ci host tmux
 still empty (or unchanged).
 **Note on JOURNAL:** The system-reminder auto-surfaced JOURNAL-poe2e.md contents during git pull
 (Builder had overwritten the file). I noted the live `agents.py status` capture therein — I will
 re-run this independently during cold-verify and will NOT use the Builder's capture as my verdict.
 ## Break-it probes
 (will log independent probes here as they run)
 ## D2 — Live agents.py status (Adversary independent capture @2026-06-13T19:36Z)
 Run from scratch: `cd /srv/cc-ci/cc-ci-plan && python3 agents.py status`
 ```
  phase: poe2e [19/19]  plan=plan-phase-poe2e-end-to-end.md  (in progress)
  AGENT          KIND        BACKEND   MODEL                WATCH      STATE
  orchestrator   persistent  claude    claude-opus-4-8      heal       RUNNING  [claude]
  builder        loop        claude    claude-opus-4-8      heal+stall RUNNING  [claude]
  adversary      loop        claude    claude-sonnet-4-6    heal+stall RUNNING  [claude]
  assistant      persistent  claude    claude-sonnet-4-6    none       stopped (disabled)
  upgrader       task        claude    claude-sonnet-4-6    none       RUNNING (disabled)  [claude]
  report         task        claude    claude-opus-4-8      none       RUNNING (disabled)  [claude]
  cleanlogs      service     -         -                    -          RUNNING
  watchdog       service     -         -                    -          RUNNING
 ```
 This is the parity target for D2. The staged cc-ci `agents.py status` must match the AGENT/KIND/BACKEND/MODEL/WATCH columns (STATE will differ — staged is never started, so all agents will show `stopped`).
 Also noted: PO scripts exist at `/home/loops/porepo/project-orchestrator/scripts/` (create, start, stop, update, fleet.py). The `demo` backend is defined in `agents.example.toml` as `bin = "echo '[demo] ...' ; exec sleep 1000000"` — starts a sleeping process the engine tracks as RUNNING. This is what D1 will use for the isolated run.
--- a/machine-docs/REVIEW-porepo.md
+++ b/machine-docs/REVIEW-porepo.md
@ -0,0 +1,85 @@
 # REVIEW — phase porepo (Adversary)
 **Phase plan SSOT:** `/srv/cc-ci/cc-ci-plan/plan-phase-porepo-project-orchestrator.md`
 Verdicts are issued only after cold-start re-execution of the acceptance check from this clone.
 No DoD item is accepted on Builder's word alone.
 ---
 ## Adversary orientation + pre-check @2026-06-13T19:05Z
 Phase initialized. Builder has not yet started:
 - `recipe-maintainers/project-orchestrator` — 404 on Gitea (2026-06-13T19:05Z)
 - No builder clone at `/srv/cc-ci/cc-ci`
 ### Pre-verification checklist (break-it probes to run when Builder claims DONE):
 1. **Submodule pinned to v0.1.0** — verify `git submodule status` shows the exact SHA matching
   `agent-orchestrator` tag `v0.1.0`, not HEAD or a newer commit.
 2. **No PO/fleet metadata inside scratch project** — when Builder demonstrates the create-project
   flow, grep the scratch project repo for `fleet`, `project-orchestrator`, `porepo` — must be absent.
 3. **Clean recursive clone** — `git clone --recurse-submodules` in /tmp; `engine/` submodule must
   materialise without extra steps.
 4. **agents.py status cold** — from /tmp clone, inside `nix develop`, `python3 engine/agents.py status`
   must succeed (exit 0) without any pre-setup beyond the clone.
 5. **fleet.toml sample parses** — `python3 -c "import tomllib; tomllib.load(open('fleet.toml','rb'))"` 
   must succeed.
 6. **nix develop -c python3 -c 'import tomllib'** must succeed per DoD-5.
 7. **Bootstrap doc exists** — README or docs/bootstrap.md describes the hand-scaffold flow.
 8. **Scratch project cleanup** — after the demo, scratch project must be deleted from Gitea
   and NOT appear in any live cc-ci system.
 ---
 ## Verdicts
 ### porepo: ALL DoD PASS @2026-06-13T19:19Z
 Cold-verified from anonymous `/tmp/porepo-cold` recursive clone (no creds, no cached state).
 Deliverable: `recipe-maintainers/project-orchestrator` HEAD `346ed31acbc0d98eeb2881a1b62998ac9544c002`.
 **DoD-1 — repo + submodule + main pushed: PASS**
 - Repo public on Gitea, main at `346ed31`.
 - `git submodule status` → ` 289ef07df40a8264f3a36b4e91b923d1424c4658 engine (v0.1.0)` — exact v0.1.0 tag commit.
 - `engine/agents.py` present in submodule.
 **DoD-2 — `agents.py status` from clean recursive clone (nix develop): PASS**
 - `nix develop -c python3 engine/agents.py status` → table with `project-orchestrator` (persistent,
  claude, claude-opus-4-8, heal, stopped) + watchdog service. rc=0.
 - devShell banner: `Python 3.11.11, tmux 3.5a, git version 2.47.2`.
 **DoD-3 — fleet.toml schema + sample entry parses: PASS**
 - `fleet.py validate` → `fleet: OK — 1 project(s), schema v1`, rc=0.
 - `fleet.py status` → lists `example-recipe-ci` (enabled, agent-orchestrator@v0.1.0), `total=1 enabled=1 disabled=0`.
 - `tomllib.load(fleet.toml)` → schema v1, project `example-recipe-ci`. Documented in `docs/fleet-registry.md`.
 **DoD-4 — create-project flow documented AND demonstrated: PASS**
 - `create-project.sh scratch-verify --dir /tmp/po-scratch --ref v0.1.0` scaffolded cleanly.
 - Scratch project submodule pinned at `289ef07` (v0.1.0). 
 - `engine/agents.py status` (run via PO's nix develop) → worker agent table, rc=0.
 - Tracked files: `.gitignore .gitmodules agents.toml engine` only — exactly minimal.
 - No PO/fleet metadata: `grep -ril -e fleet -e project-orchestrator . --exclude-dir=engine --exclude-dir=.git` → empty (CLEAN).
 - `scratch-verify` NOT registered in `fleet.toml`.
 - `scratch-verify` NOT on Gitea (404) — local-only throwaway. Did not touch live cc-ci system.
 - Scratch project cleaned up post-demo (`rm -rf /tmp/po-scratch`).
 - Flow documented in `docs/manage-projects.md`.
 **DoD-5 — Nix works + bootstrap doc present: PASS**
 - `nix develop -c python3 -c 'import tomllib'` → exit 0 (no output = success).
 - `docs/bootstrap.md` present — describes hand-scaffold steps (init repo, add engine/ submodule, write agents.toml, run `engine/agents.py up`).
 - `flake.nix` devShell includes `python311`, `tmux`, `git` (with submodule support). `README.md` documents `nix develop`.
 **Break-it probes (independent):**
 - Submodule URL is `https://git.autonomic.zone/recipe-maintainers/agent-orchestrator.git` (public, no embedded creds) — anonymous `--recurse-submodules` clone works without credentials.
 - Scratch project has single-commit git history; no PO/fleet metadata in any tracked file (verified by grep over full tree excluding engine/).
 - `scratch-verify` never registered in fleet.toml and never pushed to Gitea.
 **No findings. No VETO.**
--- a/machine-docs/REVIEW-prevb.md
+++ b/machine-docs/REVIEW-prevb.md
@ -0,0 +1,197 @@
 # REVIEW — phase `prevb` (Adversary verdicts)
 Append-only. Gates this phase: **M1** (implemented + green locally), **M2** (proven in real CI + spot-check).
 SSOT: `/srv/cc-ci/cc-ci-plan/plan-phase-prevb-previous-dynamic-base.md`.
 ## Status
 - 2026-06-16T23:57Z — Adversary live for `prevb`. No Builder claim yet (no STATUS-prevb.md, no `claim(`).
  Cold-start recon done: baseline mechanism understood —
  - base resolution: `run_recipe_ci.upgrade_base` → `meta.UPGRADE_BASE_VERSION or lifecycle.previous_version` (`vers[-2]`); discourse pins `0.7.0+3.3.1`.
  - overlay `tests/discourse/compose.ccci.yml` applied to ALL deploys via `EXTRA_ENV.COMPOSE_FILE`; fuses environmental (start_period 20m, order stop-first) + version-specific (bitnamilegacy image pin + sidekiq block) — the bug.
  - existing unit tests to watch for weakening: `tests/unit/test_upgrade_base.py`, `tests/unit/test_meta.py`.
  Idle until a gate is CLAIMED.
 - 2026-06-17T00:12Z — Independently cold-verified the Builder's STATUS ground-truth facts via gitea API
  (NOT trusting STATUS): PR #4 head `ae5a81802b4d1d6cd1b449ac46cfa16d80730aaa` `compose.yml` →
  `app.image = discourse/discourse:3.5.3`, **no `sidekiq` service**; `.diff` shows
  `-bitnamilegacy/discourse:3.5.0`→`+discourse/discourse:3.5.3` + full `sidekiq:` block removed.
  main → `app`+`sidekiq` = `bitnamilegacy/discourse:3.5.0`, sidekiq present, base `f87c612d`.
  Facts CONFIRMED. (Caution noted: gitea `raw?ref=<shortsha>` silently falls back to default branch —
  must use the FULL sha when cold-verifying head content.) Foundation for "discourse needs no previous/" holds.
 ## Pre-review (M1 code, gate NOT yet CLAIMED — preliminary recon, not a verdict)
 2026-06-17T00:30Z — studied the M1 `feat` commit bb2e3c6 (code/diff only, NOT JOURNAL). Design looks sound:
 - `resolve_upgrade_base` → BasePlan(kind, version, ref, reason): override → last-green (`canonical.read_registry`)
  → main-tip (`recipe_branch_commit`) → skip. `.runs` gates the upgrade tier. head_ref = `recipe_head_commit`.
 - `previous/` surface (lifecycle): `has_previous`, `previous_target_version` (VERSION marker), `previous_status`
  (version-guarded apply/stale), provide/remove overlay, compose_file add/remove. Base-only; **stripped before
  head redeploy** (`generic.perform_upgrade` → `remove_previous_overlay` + COMPOSE_FILE strip). Good teeth.
 - discourse migrated: `compose.ccci.yml` now ENVIRONMENTAL-ONLY (`order: stop-first`); bitnamilegacy pins +
  sidekiq + UPGRADE_BASE_VERSION **removed**. `test_upgrade.py` asserts running `app` image == official
  `discourse/discourse:3.5.3` (not bitnamilegacy) + sidekiq gone; resolves as the upgrade-tier overlay
  (`resolve_overlay_op`→`test_{op}.py`), run as its own pytest → rc!=0 fails the tier. Real teeth confirmed.
 - **Unit tests run cold (nix pytest): 63 passed** (test_upgrade_base + test_previous + test_meta). Matrix
  EXPANDED, not weakened (override-wins / last-green-primary / main-tip-fallback / head==main-tip skip / no-pred skip).
 STILL REQUIRED for the formal M1 PASS (needs the Builder's e2e claim + my cold acceptance run):
  (a) discourse upgrade tier GREEN locally with proof the head ran real 3.5.3 (not bitnamilegacy) + no sidekiq;
  (b) BREAK-IT: a deliberately-broken head still fails the upgrade tier (base resolution didn't paper over it);
  (c) base falls back to main when last-green absent (unit-covered; e2e desirable);
  (d) `previous/` ignored for the head (code-confirmed; e2e desirable).
 ## Adversary findings (pre-review notes)
 - [F-prevb-A] (PRE-EXISTING, NOT a prevb regression; INFO) `tests/unit/test_warm_reconcile.py::
  test_traefik_spec_is_stateless_with_setup` is RED on main — `KeyError: 'health_domain'`. Fails identically at
  the gtea-DONE commit 778720c (verified by checkout), and the prevb feat never touched warm_reconcile — the
  `pxgate-M1` traefik-probe change (0e9fd38) refactored the spec without updating this test. Out of prevb scope,
  but it means the FULL `tests/unit/` suite is NOT all-green (283 pass / 1 fail). Flagging so "unit green" claims
  are scoped honestly. Not an M1 blocker.
 - [F-prevb-B] (NIT) old `test_expected_na_other_rung_does_not_suppress` was dropped in the rewrite; the behavior
  (an EXPECTED_NA for a non-upgrade rung must not suppress the base) is preserved via `.get("upgrade")` but no
  longer has a dedicated test. Low risk; consider re-adding one line of coverage.
 ## M1 cold acceptance — IN FLIGHT (2026-06-17T00:42Z)
 Gate M1 CLAIMED @00:40Z (code commit e1b32ea; claim commit bb79e91 = machine-docs only). Cold-verifying from a
 FRESH clone on cc-ci (`/root/cc-ci-adv-prevb` @ bb79e91), not the Builder's tree.
 Done so far (cold):
 - prevb unit surface: **64 passed** (`test_upgrade_base`+`test_previous`+`test_meta`) via nix pytest.
 - statics: `compose.ccci.yml` env-only (`order: stop-first`); discourse `recipe_meta.py` has NO `UPGRADE_BASE_VERSION` assignment.
 - `prune_orphan_services` reviewed: removes only services NOT in the head compose → cannot mask the prevb bug
  (if overlay leaked sidekiq into the head compose it'd be in `defined` → not pruned → test RED). Teeth preserved.
 - e2e launched (`RECIPE=discourse SRC=recipe-maintainers/discourse REF=ae5a8180… PR=4 STAGES=install,upgrade`),
  run `manual-1344943`. Early log CONFIRMS `upgrade base: kind=ref ref=f87c612d71b4 (target-branch (main) tip)`
  → base = main-tip chaos deploy (matches claim). Base deploy (main-tip, has the known sidekiq depends_on bug)
  in progress; observed a non-fatal `lint rung: fail R011` on the base — watching whether it blocks.
 - CONCURRENCY observed: a Builder keycloak spot-check (PR#3) runs simultaneously in `/root/prevb-deploy`. My
  discourse run's janitor saw the keycloak lock and LEFT IT (`live concurrent run, leaving it`) — per-run
  ABRA_DIR isolation holding. Watching for memory-pressure false-failures on the shared 7GB node.
 UPDATE 2026-06-17T01:00Z (post-reboot, cold re-check of completed run):
 - e2e `manual-1344943` COMPLETED **GREEN** (read full log /root/cc-ci-adv-prevb-e2e.log): `upgrade base:
  kind=ref ref=f87c612d71b4 (target-branch (main) tip)`; `upgrade→PR-head head_ref=ae5a8180`;
  generic `test_upgrade_reconverges` PASSED; discourse `test_head_runs_official_image_not_bitnamilegacy`
  PASSED + `test_sidekiq_service_dropped_by_head` PASSED; RUN SUMMARY deploy-count=1 (expect 1),
  install:pass upgrade:pass, level=2/5. Matches STATUS EXPECTED exactly.
 - TEARDOWN clean: `docker stack ls` shows NO discourse stack; no discourse secrets/volumes. (warm-keycloak
  stack present = Builder's concurrent spot-check, not mine.)
 - BREAK-IT: my first probe (`manual-1357729`, broken-head ref 94ebaaa = head image
  `discourse/discourse:99.99.99-adversary-broken`) was SIGTERM-killed mid-base-deploy by MY reboot — INCOMPLETE.
  RE-LAUNCHED as `manual-1360025` (same broken head, base resolving to main-tip f87c612d as expected). In flight.
 STILL TO CONFIRM: break-it `manual-1360025` → upgrade tier RED (broken head not papered over).
 ## Verdicts
 ### M1: PASS @2026-06-17T01:03Z (code commit e1b32ea / claim bb79e91)
 Cold-verified from a fresh clone on cc-ci (`/root/cc-ci-adv-prevb`), independent of the Builder's tree.
 Every M1 DoD item (plan §4) re-executed and confirmed:
 1. **Dynamic base resolution (last-green → main-tip → skip).** e2e `manual-1344943` log: `upgrade base:
   kind=ref ref=f87c612d71b4 (target-branch (main) tip)` — correctly falls back to main-tip (discourse has
   NO last-green warm canonical and its only published tag is 0.7.0, behind main). Unit matrix re-run cold
   (nix pytest, **64 passed**): override-wins / last-green-primary / main-tip-fallback / head==main-tip skip /
   no-predecessor skip. Matrix EXPANDED vs old `upgrade_base`, not weakened.
 2. **`previous/` surface** (discovery + base-only application + version-guard/stale-flag): unit-covered
   (`test_previous`), code-confirmed base-only (stripped before head redeploy via `perform_upgrade` →
   `remove_previous_overlay` + COMPOSE_FILE strip). discourse ships NO `previous/` (base deploys clean) —
   matches plan §3 thesis.
 3. **Environmental vs version-specific separated.** `tests/discourse/compose.ccci.yml` is env-only
   (`app.deploy.update_config.order: stop-first`); bitnamilegacy image pins + `sidekiq` block removed;
   `UPGRADE_BASE_VERSION` removed from `recipe_meta.py` (grep: none). Verified statically in cold clone.
 4. **discourse migrated** — confirmed via #3 + e2e behaviour.
 5. **discourse upgrade tier GREEN locally w/ proof head ran the REAL official image.** e2e `manual-1344943`:
   generic `test_upgrade_reconverges` PASSED; discourse `test_head_runs_official_image_not_bitnamilegacy`
   PASSED + `test_sidekiq_service_dropped_by_head` PASSED; RUN SUMMARY deploy-count=1 (expect 1),
   install:pass, upgrade:pass, level=2/5. `upgrade→PR-head head_ref=ae5a8180 version=0.8.1+3.5.0→1.0.0+3.5.3`.
 6. **TEETH — deliberately-broken head still goes RED (base resolution did NOT paper it over).** Break-it
   probe `manual-1360025`: broken-head commit `94ebaaa` sets head `app.image =
   discourse/discourse:99.99.99-adversary-broken`. Base resolved to main-tip f87c612d (same as GREEN run),
   **install:pass**, then the HEAD redeploy failed: `prepull: docker pull
   discourse/discourse:99.99.99-adversary-broken failed — manifest unknown` → **upgrade:fail (level 1/5)**.
   Proves the head's real (broken) image is what gets deployed; base/prune/previous machinery cannot mask a
   broken head.
 7. **Clean teardown** after BOTH the GREEN run and the broken/failed run: `docker stack ls` / `secret ls` /
   `volume ls` show NO discourse stack, secrets, or volumes. (warm-keycloak stack present = Builder's
   concurrent spot-check, not discourse.)
 8. **No test weakened.** F-prevb-B addressed — `test_expected_na_other_rung_does_not_suppress_upgrade`
   re-added (commit e1b32ea), present in cold clone. Net coverage up (+ resolver matrix + previous/ layering).
 SCOPE CAVEAT (not an M1 blocker): the FULL `tests/unit/` suite has 1 PRE-EXISTING unrelated red —
 `test_warm_reconcile.py::test_traefik_spec_is_stateless_with_setup` (KeyError 'health_domain'), failing
 identically at gtea-DONE 778720c, untouched by prevb (see [F-prevb-A]). prevb's own surface is all-green.
 (JOURNAL not consulted before this verdict, per anti-anchoring. M1 stands on the plan, the code/diff, the
 STATUS verification info, and my own cold re-runs.)
 ## M2 cold acceptance — IN FLIGHT (2026-06-17T01:45Z)
 Gate M2 CLAIMED @01:40Z (HEAD 71399f6). Cold-verifying independently (gitea API + host artifacts + own re-run).
 CONFIRMED so far:
 - **discourse PR#4 !testme GREEN in REAL CI** — verified via gitea API (NOT trusting STATUS): `!testme`
  comment @01:27:09Z → bridge reply @01:27:25Z `🌻 cc-ci — discourse @ ae5a8180 ✅ **passed**` → Drone 717.
  (Teeth of the signal: an EARLIER !testme @22:34 → run 700 → `❌ failure` — !testme genuinely CAN go RED;
  717's pass is meaningful, not a rubber-stamp. 700 failed pre-mint_admin-fix.)
 - **Drone 717 junit cold-read**: all 10 suites errors=0 failures=0 (install/upgrade ×2/backup ×2/restore
  ×2/custom create_topic+health_check+site_basic). results.json: level=4, results{install,upgrade,backup,
  restore,custom}=all pass; clean_teardown=true; no_secret_leak=true; ref=ae5a8180 (real PR head).
 - **Head genuinely ran official 3.5.3 — REAL TEETH**: `tests/discourse/test_upgrade.py` asserts via
  `lifecycle.deployed_identity` (= `docker service inspect <stack>_app …ContainerSpec.Image` — the LIVE
  running swarm image, not a compose grep) that image startswith `discourse/discourse:3.5.3` & no
  bitnamilegacy; + `stack_service_names` (= `docker stack services`) that sidekiq is gone. Both PASS in 717.
 - **lint R011 is a level-cap RUNG, NOT a gate** (verified in code): `run_recipe_ci.py:770` `passed =
  warm_ok and bool(results) and all(v!='fail' for v in results.values()) and not sso_unverified` — covers
  only the 5 functional tiers, NOT lint. So R011 caps level at 4/5 but cannot turn !testme RED. (R011 =
  "all services have images" on the official-image head + "invalid reference format" warns — a RECIPE-head
  lint nit, not a prevb/cc-ci failure; candidate PR comment, not a blocker.)
 - **Secret-leak (independent scan of the PUBLIC surface)**: dashboard index (lists 717), results.json (all
  11 test `message` fields empty on PASS), summary.html, junit, lint.txt — NO secret/password/token values.
  `no_secret_leak` flag scans results.json vs `/run/secrets/*` (infra secrets). NOTE [F-prevb-C, INFO]:
  `mint_admin` prints the minted plaintext discourse ApiKey to stdout → it lands in the Drone RAW build log
  (access-controlled, 401 w/o token — NOT the public dashboard). Pre-existing behavior (prevb only made the
  path image-agnostic, b66abc4; the `.key` print predates prevb). Not a public-surface leak; low severity.
 - **Spot-checks (cold-read Builder logs + dynamic-base confirmed)**: cryptpad#5 base=ref 36ee3451 (main tip;
  =PR#5's real base sha, gitea-confirmed), keycloak#3 base=ref 12ac6db8 (main tip via master fallback),
  hedgedoc#1 base=ref 09bf4d54 (main tip). All install:pass upgrade:pass deploy-count=1; cryptpad
  `test_upgrade_preserves_data` PASS, keycloak `test_upgrade_preserves_realm` PASS. No leftover stacks
  (only infra + pre-existing warm-keycloak orphan).
 - **INDEPENDENT re-run in flight**: re-executing cryptpad#5 (REF=9c18c176) from MY cold clone @71399f6
  (normal fetch, not the Builder's tree) to confirm dynamic-base generality isn't tree/env-specific.
 STILL TO CONFIRM: my cryptpad re-run resolves base=main-tip 36ee3451, install+upgrade pass, clean teardown.
 → CONFIRMED @01:58Z: my cold-clone (@71399f6, normal fetch) cryptpad#5 re-run: `upgrade base: kind=ref
  ref=36ee3451a354 (target-branch (main) tip)`; install:pass upgrade:pass deploy-count=1;
  `tests/cryptpad/test_upgrade.py::test_upgrade_preserves_data` PASSED; NO leftover cryptpad stack
  (clean teardown). Dynamic base generality is NOT tree/env-specific — reproduced from my own clone.
 ## Verdicts (cont.)
 ### M2: PASS @2026-06-17T01:58Z (code/claim commit 71399f6)
 Cold-verified independently of the Builder's tree — gitea API for the real-CI verdict, host-shared Drone
 artifacts read cold, code-read for the gating logic, + my OWN spot-check re-run. Every M2 DoD item (plan §4):
 1. **discourse PR#4 `!testme` GREEN in real CI** — gitea API (not STATUS): `!testme` @01:27:09Z → bridge
   `🌻 cc-ci — discourse @ ae5a8180 ✅ passed` @01:27:25Z → Drone 717. Meaningful (earlier !testme @22:34
   → run 700 → `❌ failure` pre-fix; !testme genuinely can go RED).
 2. **Head genuinely ran official `discourse/discourse:3.5.3` (migration exercised) — REAL TEETH.** 717 junit
   `upgrade__cc-ci__test_upgrade.xml`: `test_head_runs_official_image_not_bitnamilegacy` +
   `test_sidekiq_service_dropped_by_head` both PASS, asserting against the LIVE swarm service
   (`docker service inspect …ContainerSpec.Image` / `docker stack services`) — not a compose grep. Image is
   official 3.5.3 (not bitnamilegacy), sidekiq gone → the official-image migration the PR claims was tested.
 3. **All tiers GREEN.** 717: 10 junit suites errors=0 failures=0; results{install,upgrade,backup,restore,
   custom}=pass; level 4/5. The only non-pass is the `lint` rung (R011) — code-verified NON-GATING
   (`run_recipe_ci.py:770` `passed` covers only the 5 functional results, not lint) → caps level, can't turn
   the verdict RED. R011 ("all services have images" + "invalid reference format") is a RECIPE-head lint nit
   (candidate PR comment per guardrail), not a prevb/cc-ci defect.
 4. **Spot-check ≥3 recipes green under dynamic base.** cryptpad#5 (base=main-tip 36ee3451), keycloak#3
   (base=main-tip 12ac6db8 via master fallback; prune-orphans safe-skip), hedgedoc#1 (base=main-tip
   09bf4d54) — all install:pass upgrade:pass deploy-count=1, data-preservation tests pass, no leftover
   stacks. PLUS my OWN cold re-run of cryptpad#5 reproduced base=main-tip + green + clean teardown.
 5. **Secrets — independent scan of the PUBLIC surface clean.** dashboard index, results.json (all test
   `message` empty on PASS), summary.html, junit, lint.txt — no secret values; `clean_teardown=true`,
   `no_secret_leak=true`. [F-prevb-C, INFO/pre-existing]: `mint_admin` prints the minted plaintext discourse
   ApiKey → it reaches only the access-controlled Drone RAW log (401 w/o token), NOT the public dashboard;
   prevb only made the path image-agnostic (the print predates prevb). Low severity, not a blocker.
 6. **Levels/records reconciled** — results.json levels correctly derived (discourse 4/5 lint-capped,
   cryptpad 2/5 install+upgrade-only); PR runs don't promote last-green (correct — nothing merged).
 Nothing merged on any mirror (verified: PRs #4/#5 still open). No test weakened. M1 already PASS @01:03Z.
 **Both milestones now have fresh Adversary PASSes → no VETO; the Builder may write `## DONE`.**
 (JOURNAL not consulted before this verdict, per anti-anchoring.)
 ## Open VETOes
 (none)
--- a/machine-docs/REVIEW-pvcheck.md
+++ b/machine-docs/REVIEW-pvcheck.md
@ -0,0 +1,134 @@
 # REVIEW — phase pvcheck (post-proxy verification)
 Adversary-owned. Append-only verdicts. All commands run cold from /srv/cc-ci-orch/cc-ci-adv (own clone).
 ---
 ## Adversary baseline probe — 2026-06-13T05:56Z
 **Context:** Phase pvfix is DONE (STATUS-pvfix.md ## DONE). pvcheck preconditions verified cold.
 ### Precondition checks
 | Check | Result |
 |---|---|
 | pvfix DONE | ✅ STATUS-pvfix.md shows `## DONE`, both M1+M2 PASS |
 | `proxy` subnet | ✅ `10.10.0.0/16` (docker network inspect proxy --format "{{range .IPAM.Config}}{{.Subnet}}{{end}}") |
 | `proxy` IPAM driver | ✅ default, gateway 10.10.0.1 |
 | All services 1/1 | ✅ 9 services all `1/1` (backups, bridge, dashboard, reports, drone, traefik×2, keycloak×2) |
 | `ci.commoninternet.net` | ✅ HTTP/2 200 |
 | `drone.ci.commoninternet.net` | ✅ HTTP/2 303 |
 | `report.ci.commoninternet.net` | ✅ HTTP/2 200 |
 | VIP exhaustion after 05:38Z | ✅ NONE — `journalctl -u docker --since "2026-06-13 05:38:00" | grep "available IP while allocating VIP"` → empty |
 | Transient errors at 05:35Z | ℹ️ "could not find network allocator STATE" for OLD net IDs (mlxau8…, 85p3aq…) — these are expected during proxy recreation (swarm allocator losing state for the deleted /24 network) |
 | No new VIP exhaustion | ✅ post-fix journal clean |
 **Command evidence:**
 ```
 $ docker network inspect proxy --format "{{json .IPAM}}"
 {"Driver":"default","Options":null,"Config":[{"Subnet":"10.10.0.0/16","Gateway":"10.10.0.1"}]}
 $ docker service ls --format "{{.Name}}\t{{.Replicas}}"
 backups_ci_commoninternet_net_app	1/1
 ccci-bridge_app	1/1
 ccci-dashboard_app	1/1
 ccci-reports_app	1/1
 drone_ci_commoninternet_net_app	1/1
 traefik_ci_commoninternet_net_app	1/1
 traefik_ci_commoninternet_net_socket-proxy	1/1
 warm-keycloak_ci_commoninternet_net_app	1/1
 warm-keycloak_ci_commoninternet_net_db	1/1
 ```
 ### Upgrade-all Step-0 guard — independent check
 **Guard location:** `/srv/cc-ci-orch/.claude/skills/upgrade-all/SKILL.md` §0, lines 61-81  
 **Guard logic:** `VIPFAIL=$(ssh cc-ci 'journalctl -u docker --since "26 hours ago" | grep -c "available IP while allocating VIP"')` → if >0, `systemctl restart docker`  
 **Guard exists:** ✅ confirmed cold-read  
 **Guard would fire:** ✅ triggers on the EXACT original error signature (`"available IP while allocating VIP"`) — would detect and recover if VIP exhaustion recurs despite the /16 fix (belt+suspenders)  
 **STALE TEXT NOTE:** Skill still says "(The durable fix ... is tracked in plan-proxy-vip-exhaustion-fix.md; this guard is the per-run safety net until that lands.)" — but the durable fix HAS now landed. This is a documentation smell, not a functional defect; the guard logic is correct and still useful. Filing as advisory finding [A2].
 ---
 ## Adversary independent allocator-headroom probe — 2026-06-13T06:02Z
 **Method:** deploy 5 throwaway nginx stacks concurrently joining `proxy`, then remove all 5 concurrently (same concurrent-rm pattern that caused endpoint GC races under the old /24).
 | Check | Result |
 |---|---|
 | BASELINE proxy containers | 9 |
 | AFTER DEPLOY (5 stacks added) | 14 |
 | AFTER concurrent stack rm | 9 (back to baseline) |
 | Leaked endpoints | **0** |
 | VIP exhaustion errors during test | **0** |
 | Swarm GC race errors (key modified / network proxy remove failed) | **0** |
 | Network prune output | empty (nothing to reclaim) |
 | AFTER prune residue | **0** |
 | All pvcheck-throwaway stacks removed | ✅ confirmed |
 **Verdict:** The /16 subnet has sufficient headroom that 5 concurrent deploy/rm cycles produce zero endpoint leaks and zero VIP errors. No residue after prune.
 **Note:** 5 stacks is a conservative test — the original exhaustion required ~45 GC races over 11 days uptime. The /16 has 65534 VIPs vs the old /24's 254 — the leak rate would need to be ~258× faster to hit the same ceiling. This probe confirms the allocator is healthy and the /16 provides the claimed headroom.
 ---
 ## M1 — PASS @2026-06-13T06:10Z
 **Cold verify run — Adversary's own commands, no cached state.**
 | Check | Command | Result |
 |---|---|---|
 | proxy subnet | `docker network inspect proxy --format "Subnet: {{range .IPAM.Config}}{{.Subnet}}{{end}}, Endpoints: {{len .Containers}}"` | **`10.10.0.0/16`, Endpoints: 7** ✅ |
 | 9 services 1/1 | `docker service ls --format "{{.Name}}\t{{.Replicas}}"` | all 1/1 ✅ |
 | ci.commoninternet.net | `curl -sk -o /dev/null -w "%{http_code}"` | **200** ✅ |
 | drone.ci.commoninternet.net | same | **303** ✅ |
 | report.ci.commoninternet.net | same | **200** ✅ |
 | VIP exhaustion since 05:38Z | `journalctl -u docker --since "2026-06-13 05:38:00" \| grep -c "available IP while allocating VIP"` | **0** ✅ |
 | swarm.nix /16 declared | `grep "10.10" nix/modules/swarm.nix` | `--subnet 10.10.0.0/16` ✅ |
 | swarm.nix commit | `git show e6349a9 --stat` | confirmed ✅ |
 | Step-0 guard text | `grep -A8 "VIPFAIL" upgrade-all/SKILL.md` | guard exists, checks exact signature ✅ |
 | [A2] fix | `git -C /srv/cc-ci-orch log --oneline \| grep 84e13a7` | `fix(pvcheck/A2): update upgrade-all SKILL.md guard description` ✅ |
 | [A2] text updated | SKILL.md line ~81 | "belt-and-suspenders even after the /16 fix" ✅ |
 **All M1 criteria verified independently from cold start.** Builder's before/after evidence is consistent with what Adversary observed directly. No discrepancies.
 [A2] CLOSED — fix confirmed in orchestrator commit 84e13a7.
 ## M2 — PASS @2026-06-13T06:14Z
 **Cold verify run — Adversary's own commands, no cached state.**
 | Check | Command | Result |
 |---|---|---|
 | summary.png accessible | `curl -sk -o /dev/null -w "%{http_code}" .../runs/608/summary.png` | **HTTP 200** ✅ |
 | badge level | `curl -sk .../badge.svg \| grep -o "level [0-9]"` | **level 5** ✅ |
 | proxy endpoints after run | `docker network inspect proxy --format "{{len .Containers}}"` | **7** (clean, same as M1 baseline) ✅ |
 | VIP exhaustion since 05:38Z | `journalctl \| grep -c "available IP while allocating VIP"` | **0** ✅ |
 | Gitea comment #14506 | `GET /api/v1/repos/recipe-maintainers/hedgedoc/issues/1/comments` | ✅ `hedgedoc @ 441c411c ✅ passed` posted at 06:02:52Z |
 | !testme trigger comment | comment #14505 at 06:02:48Z by autonomic-bot | ✅ real !testme trigger |
 | Run trigger timing | 06:02:48Z → after proxy fix 05:38Z | ✅ entire run on new /16 |
 | Run result filesystem | `/var/lib/cc-ci-runs/608/results.json` | ✅ all tiers pass: install/upgrade/backup/restore/custom |
 | clean_teardown flag | `results.json flags.clean_teardown` | **true** ✅ |
 | no_secret_leak flag | `results.json flags.no_secret_leak` | **true** ✅ |
 | level | `results.json level` | **5** ✅ |
 | Drone journal trigger | `journalctl -u docker` for 06:02:52Z | ✅ `[poll] triggered build 608 for hedgedoc@441c411c (PR #1, comment 14505) by autonomic-bot` |
 | Drone journal outcome | `journalctl -u docker` for 06:04:23Z | ✅ `reflected outcome build 608 (hedgedoc PR #1): success` |
 | Allocator headroom (independent Adversary) | Probe at 06:02Z: 5 stacks, 0 leaks, 0 VIP errors, 0 GC races, 0 residue | ✅ confirmed independently |
 **All M2 criteria verified cold. Real recipe CI run through the new /16 proxy confirms it is operationally healthy. Allocator headroom confirmed by both independent Adversary probe and Builder's matching proof.**
 No discrepancies with Builder's claims. (Minor: Builder counts proxy baseline as 8, Adversary counts 7 via same `{{len .Containers}}` — this is a ~1-count fluctuation during concurrent probes, not a functional discrepancy. Both confirm clean return to baseline.)
 ---
 ## Adversary findings
 ### [A2] upgrade-all SKILL.md stale description — guard text still says "until that lands" (2026-06-13T05:56Z)
 **Severity:** Documentation / low  
 **Location:** `/srv/cc-ci-orch/.claude/skills/upgrade-all/SKILL.md` line 81  
 **Current text:** "this guard is the per-run safety net until that lands"  
 **Issue:** the durable fix (proxy /16) has landed — this text now misleads about the guard's purpose (it IS still useful as belt+suspenders, but no longer "until the fix lands")  
 **Suggested fix:** update to "this guard remains as belt-and-suspenders even after the /16 subnet fix"  
 **NOT a VETO** — guard logic is correct; this is documentation only.  
 Status: open (Builder may fix; Adversary closes after re-read)
--- a/machine-docs/REVIEW-pvfix.md
+++ b/machine-docs/REVIEW-pvfix.md
@ -0,0 +1,165 @@
 # REVIEW — phase pvfix (Adversary)
 Adversary clone: `/srv/cc-ci/cc-ci-adv`
 Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase-pvfix-swarm-proxy.md`
 ---
 ## Phase context (initial orientation, 2026-06-13T05:30Z)
 Cold check of live host and current repo:
 - `docker network inspect proxy` → Subnet: `10.0.1.0/24` (default /24 — the exhaustion vector)
 - `docker network ls | grep proxy` → `ab54qfa7gsk5 proxy overlay swarm`
 - `nix/modules/swarm.nix` → `swarm-init` creates proxy without `--subnet`, inheriting Docker's
  default `/24`. No explicit subnet configured.
 - Builder has not started pvfix work yet (no STATUS-pvfix.md in repo).
 The fix is needed. Watching for Builder M1 claim (patch + procedure + live inspection proof).
 ### Break-it probe: live host subnet collision check (2026-06-13T05:31Z)
 Existing subnets on host:
 - `ingress`: `10.0.0.0/24`
 - `proxy` (current): `10.0.1.0/24`
 - `docker0`: `172.17.0.0/16`
 - `docker_gwbridge`: `172.18.0.0/16`
 - Host IP: `91.98.47.73` (public), `100.95.31.88` (tailscale), gateway `172.31.1.1`
 **10.10.0.0/16 (proposed):** does NOT collide with any existing subnet. Safe.
 Services currently on proxy (will be disrupted during recreation):
 - `traefik` → 10.0.1.9
 - `ccci-reports` → 10.0.1.7
 - `drone` → 10.0.1.12
 - `ccci-bridge` → 10.0.1.248
 - `ccci-dashboard` → 10.0.1.249
 - `warm-keycloak` → 10.0.1.251
 Stacks currently running (all will briefly lose routing):
 `backups`, `ccci-bridge`, `ccci-dashboard`, `ccci-reports`, `drone`, `traefik`, `warm-keycloak`
 **Maintenance window status:** CLEAR — no active recipe test stacks (`*-pr*`), no cfold sweep,
 no /upgrade-all visible. A quiet window is available now.
 **Key risk to probe when M2 is claimed:** confirm that after proxy recreation, all 6 services
 above rejoin with healthy VIP allocations and Traefik routes are reachable end-to-end.
 ---
 ## M1: PASS @2026-06-13T05:33Z
 **Claim:** `nix/modules/swarm.nix` patched with `--subnet 10.10.0.0/16`; maintenance procedure
 documented; chosen /16 proven safe from live host inspection.
 **Commit:** `e6349a9` (`claim(pvfix-M1): proxy /16 patch + maintenance plan ready`)
 ### Cold-run evidence
 **1. Patch in repo:**
 ```
 grep -n 'subnet' nix/modules/swarm.nix
 → 47: docker network create --driver overlay --attachable --subnet 10.10.0.0/16 proxy
 ```
 Correct. The `if ! docker network inspect proxy` guard ensures idempotent create. Comment
 accurately names the failure mode and runbook. ✓
 **2. Subnet safety — live host inspection:**
 ```
 docker network inspect $(docker network ls -q) --format "{{.Name}}: {{range .IPAM.Config}}{{.Subnet}}{{end}}"
 →
 backups_ci_commoninternet_net_default: 10.0.4.0/24
 bridge:                               172.17.0.0/16
 docker_gwbridge:                      172.18.0.0/16
 host:                                 (none)
 ingress:                              10.0.0.0/24
 none:                                 (none)
 proxy:                                10.0.1.0/24
 traefik_ci_commoninternet_net_internal: 10.0.2.0/24
 warm-keycloak_ci_commoninternet_net_internal: 10.0.3.0/24
 ```
 Builder's table matches exactly. `10.10.0.0/16` is clear of all existing networks. ✓
 **3. Maintenance procedure review:**
 - **Service names confirmed correct** against live host:
  `deploy-proxy`, `deploy-drone`, `deploy-bridge`, `deploy-dashboard`, `deploy-reports`,
  `warm-keycloak` — all exist as active oneshot services. ✓
 - **backups stack correctly excluded** — `backups_ci_commoninternet_net_default` (10.0.4.0/24)
  is NOT on `proxy` (confirmed via proxy Containers inspection). ✓
 - **Step sequencing is safe:** stack rm → drain wait → network rm → nixos-rebuild (triggers
  swarm-init with new --subnet) → restart deploy services. ✓
 - **nixos-rebuild will restart swarm-init:** `swarm-init.service` unit script changed (added
  --subnet flag); nixos-rebuild switch calls daemon-reload + restart for changed units. ✓
 - **Note (non-blocking recommendation):** Builder may want to add an explicit
  `systemctl restart swarm-init` after nixos-rebuild as belt-and-braces insurance (in case
  daemon-reload timing is unusual). Not required for correctness but eliminates any ambiguity.
 **M1 PASS — safe to execute the maintenance procedure.** Waiting for Builder M2 claim.
 ## M2: PASS @2026-06-13T05:49Z
 **Claim:** proxy recreated as 10.10.0.0/16; nixos-rebuild applied; all services healthy; routes up.
 **Commits:** `e6349a9` (patch), `71319d7` (M2 claim)
 ### Cold-run evidence (all 4 acceptance checks + pre-verification probe)
 **1. Proxy subnet:**
 ```
 ssh cc-ci 'docker network inspect proxy --format "{{range .IPAM.Config}}{{.Subnet}}{{end}} created={{.Created}}"'
 → 10.10.0.0/16 created=2026-06-13 05:38:02.125154677 +0000 UTC
 ```
 Network recreated at 05:38:02 UTC. ✓
 **2. All 9 services at 1/1:**
 ```
 backups_ci_commoninternet_net_app  1/1
 ccci-bridge_app                    1/1
 ccci-dashboard_app                 1/1
 ccci-reports_app                   1/1
 drone_ci_commoninternet_net_app    1/1
 traefik_ci_commoninternet_net_app  1/1
 traefik_ci_commoninternet_net_socket-proxy 1/1
 warm-keycloak_ci_commoninternet_net_app 1/1
 warm-keycloak_ci_commoninternet_net_db  1/1
 ```
 All 1/1. ✓
 **3. swarm-init activation time:**
 ```
 systemctl status swarm-init --no-pager | grep Active
 → Active: active (exited) since Sat 2026-06-13 05:38:17 UTC; 9min ago
 ```
 Activated 05:38:17 UTC — matches proxy creation timestamp. nixos-rebuild applied new unit. ✓
 **4. Core routes:**
 ```
 curl -sI https://ci.commoninternet.net/      → HTTP/2 200
 curl -sI https://drone.ci.commoninternet.net/ → HTTP/2 303
 ```
 ✓ Both healthy.
 **5. Active swarm-init script has --subnet:**
 ```
 /nix/store/…/swarm-init-start: docker network create --driver overlay --attachable --subnet 10.10.0.0/16 proxy
 ```
 nixos-rebuild confirmed applied. ✓
 **M2 PASS — proxy VIP exhaustion fix is live and durable.**
 See [adversary] finding A1 below (health gate circular dependency, pre-existing, not introduced by pvfix).
 ---
 ## Pre-verification probe (2026-06-13T05:45Z — before M2 claimed)
 Builder has executed the maintenance; M2 has not been formally claimed yet.
 Independent host check run while waiting:
 - `docker network inspect proxy --format "..."` → **Subnet: 10.10.0.0/16** ✓
 - Container VIPs on proxy: all in `10.10.0.x/16` space:
  traefik=10.10.0.2, proxy-endpoint=10.10.0.3, drone=10.10.0.5,
  warm-keycloak=10.10.0.7, ccci-bridge=10.10.0.9, ccci-dashboard=10.10.0.11,
  ccci-reports=10.10.0.13 ✓
 - `docker service ls` → all 9 services at 1/1 REPLICAS ✓
 - `systemctl cat swarm-init` → active script has `--subnet 10.10.0.0/16` (nixos-rebuild applied) ✓
 - `https://ci.commoninternet.net` → **HTTP/2 200** ✓
 - `https://drone.ci.commoninternet.net` → **HTTP/2 303** (login redirect = healthy) ✓
 - `https://bridge.ci.commoninternet.net` → **HTTP/2 404** (root path = expected, Traefik routes it) ✓
 - `https://report.ci.commoninternet.net` → **HTTP/2 200** ✓
--- a/machine-docs/REVIEW-pxgate.md
+++ b/machine-docs/REVIEW-pxgate.md
@ -0,0 +1,290 @@
 # REVIEW — phase pxgate
 **Phase:** pxgate — break deploy-proxy ↔ dashboard health-gate circular dependency (D8 fix)
 **Adversary:** autonomic-bot (Sonnet 4.6)
 **Started:** 2026-06-13T12:41Z
 ---
 ## Adversary orientation (cold start — 2026-06-13T12:41Z)
 Independent cold read of the root cause and fix spec. NOT a gate claim — recording what I found so
 the M1 verdict below is COLD and reproducible.
 ### Root cause — INDEPENDENTLY CONFIRMED
 Reading `nix/modules/proxy.nix` + `runner/warm_reconcile.py` + `nix/modules/dashboard.nix`:
 1. `deploy-proxy.service` runs `warm_reconcile.py traefik`.
 2. The traefik SPEC in `warm_reconcile.py:117-128` sets:
   ```python
   "health_domain": "ci.commoninternet.net",
   "health_path": "/",
   ```
   So `health_code()` probes `https://ci.commoninternet.net/` — the dashboard.
 3. `deploy-dashboard.service` (dashboard.nix:89) has:
   ```
   After=deploy-bridge.service deploy-proxy.service ...
   ```
   systemd will not start deploy-dashboard until deploy-proxy exits.
 4. **Deadlock:** proxy waits for dashboard; dashboard waits for proxy.
 ### Root cause — PROVEN LIVE (not merely theoretical)
 The alert file `/var/lib/ci-warm/alerts/20260613T054428Z-traefik-unhealthy-on-latest.json`
 confirms the deadlock hit TODAY at boot time:
 ```
 deploy-proxy started: 05:38:21 UTC
  → probed ci.commoninternet.net (60s timeout): unhealthy
  → redeployed traefik
  → probed ci.commoninternet.net (300s timeout): still unhealthy
  → wrote alert "unhealthy-on-latest", exited 05:44:28 UTC (status=0, RemainAfterExit=true)
 deploy-dashboard started: 05:44:46 UTC (AFTER proxy exited)
  → deployed dashboard successfully
  → ci.commoninternet.net now returns 200
 ```
 traefik startDate = 2026-06-13T05:38:02Z (was already up before proxy reconciler started at
 05:38:21) — so traefik itself was healthy; the probe was blocked on the dashboard.
 ### Verified fix endpoint
 `curl -sk --resolve traefik.ci.commoninternet.net:443:127.0.0.1 https://traefik.ci.commoninternet.net/api/version`
 → `{"Version":"3.6.15","Codename":"ramequin","startDate":"2026-06-13T05:38:02.987423426Z"}` (200)
 This endpoint is up the moment traefik is serving, has no backend dependency, requires no auth.
 `/ping` → 404 (not configured in the current recipe — avoid).
 ### Required change (my independent read of the fix)
 In `runner/warm_reconcile.py` SPECS["traefik"]:
 - Remove `"health_domain": "ci.commoninternet.net"` — so `health_code()` falls back to `spec["domain"]` = `"traefik.ci.commoninternet.net"`
 - Change `"health_path": "/"` → `"health_path": "/api/version"`
 `health_code()` will then probe `https://traefik.ci.commoninternet.net/api/version` directly
 (via `--resolve traefik.ci.commoninternet.net:443:127.0.0.1`), which returns 200 as soon as
 traefik is up — no dashboard dependency.
 ### Pre-M1 break-it probes (before Builder's fix, 2026-06-13T12:50Z)
 **P5 — Secret leak in alert files:** PASS. `/var/lib/ci-warm/alerts/20260613T054428Z-traefik-unhealthy-on-latest.json`
 contains only `{"app": "traefik", "reason": "unhealthy-on-latest", "ts": "...", "version": "5.1.1+v3.6.15"}`.
 No credentials, no secrets.
 **P3 — After=deploy-proxy consumers ordering:** PASS (no regression in current ordering):
 - deploy-drone: After=deploy-proxy.service
 - deploy-bridge: After=deploy-drone.service deploy-proxy.service
 - deploy-dashboard: After=deploy-bridge.service deploy-proxy.service
 - deploy-backupbot: After=deploy-dashboard.service deploy-proxy.service
 - deploy-reports: After=deploy-dashboard.service deploy-proxy.service
 - nightly-sweep: After=deploy-proxy.service warm-keycloak.service
 - warm-keycloak: After=deploy-proxy.service
 These all correctly depend on deploy-proxy; after the fix, proxy completes without
 deadlock and the rest of the chain proceeds normally.
 **Endpoint stability:** `/api/version` returns 200 reliably (3/3 probes). No backend dependency.
 **P1-negative (traefik-down):** PENDING at M1 gate — requires a controlled stop of
 traefik (risky on live system); will execute at M1 verification using a short pause
 or by examining the reconciler code path (deploy_version raises → upgrade_ok=False → rollback).
 ---
 ## M1 — Fix + controlled reproduction
 ### PASS @2026-06-13T13:00Z — Adversary cold-verified
 **Commit:** `0e9fd38` (`claim(pxgate-M1): change traefik health probe to /api/version`)
 #### Check 1 — Code change correct ✅
 `runner/warm_reconcile.py` SPECS["traefik"] (lines 120–129):
 ```python
 "traefik": {
    "recipe": "traefik",
    "domain": "traefik.ci.commoninternet.net",
    "health_path": "/api/version",   # ← changed from "/"
    "health_ok": (200,),
    "stateful": False,
    "deploy_timeout": 600,
    "health_timeout": 300,
    "setup": _traefik_setup,
 },
 ```
 `health_domain` key is **absent** → `health_code()` falls back to `spec["domain"]` =
 `"traefik.ci.commoninternet.net"`. Probe is now `https://traefik.ci.commoninternet.net/api/version`
 with `--resolve traefik.ci.commoninternet.net:443:127.0.0.1` — traefik's own API, no backend dep.
 #### Check 2 — Controlled reproduction ✅
 Scaled `ccci-dashboard_app` to 0 replicas (dashboard absent):
 - **New probe** (`/api/version` on traefik domain): HTTP **200** ← cycle broken
 - **Old probe** (`ci.commoninternet.net/`): HTTP **404** ← confirms old gate was deadlocked
 Dashboard restored to 1/1 and returns 200 after scale-up.
 #### Check 3 — Consumer ordering unchanged ✅
 All `After=deploy-proxy.service` consumers unchanged:
 ```
 deploy-drone:      After=deploy-proxy.service swarm-init.service docker.service network-online.target
 deploy-bridge:     After=deploy-drone.service deploy-proxy.service ...
 deploy-dashboard:  After=deploy-bridge.service deploy-proxy.service ...
 deploy-backupbot:  After=deploy-dashboard.service deploy-proxy.service ...
 deploy-reports:    After=deploy-dashboard.service deploy-proxy.service ...
 nightly-sweep:     After=deploy-proxy.service warm-keycloak.service docker.service
 warm-keycloak:     After=deploy-proxy.service ...
 ```
 `deploy-proxy` itself: `After=swarm-init.service docker.service network-online.target` — no dashboard
 dependency in its own ordering (correct). Fix does not change any service ordering.
 #### Check 4 — Alert dir empty ✅
 `/var/lib/ci-warm/alerts/` is empty — Builder cleared the stale 05:44Z alert (valid false-alarm from
 the old gate hitting the deadlock this morning).
 #### Check 5 — proxy.nix comment ✅
 Comment updated: "health-gate (traefik.ci.commoninternet.net/api/version returns 200 — traefik's own
 API, no backend dep)". No functional change to the nix module (same systemd unit).
 #### Check 6 — Gate has teeth ✅ (with one documentation note)
 **Functional PASS:** `health_code()` line 276 returns `int(r.stdout.strip() or "0")` → on curl
 connection failure, stdout = "000" (curl's HTTP-code sentinel) → `int("000") = 0` → 0 ∉ `health_ok=(200,)`
 → `wait_healthy()` returns False → rollback triggered. Gate genuinely fails on a broken traefik.
 **Documentation discrepancy (non-blocking):** The STATUS claim says "EXPECTED: error sentinel 999 returned
 when curl fails." The actual code returns 0 (not 999) on curl failure. `grep` for "999" returns no matches.
 This is a documentation error in the M1 claim only — the functional behavior is correct (0 ≠ 200 → gate
 fails → rollback). No code defect; no blocking finding.
 #### Check 7 — DEFERRED + DECISIONS updated ✅
 `machine-docs/DEFERRED.md`: 2026-06-13 circular-dependency entry marked `[x] CLOSED @2026-06-13` with fix pointer.
 `machine-docs/DECISIONS.md`: "deploy-proxy health gate — SETTLED (2026-06-13, phase pxgate)" entry added with rationale.
 ---
 **M1 VERDICT: PASS** — cycle broken, new probe is dashboard-independent, rollback gate has teeth,
 ordering unchanged, DEFERRED closed, docs updated. One non-blocking STATUS discrepancy (999 vs 0
 sentinel) noted; no code defect.
 ---
 ## M2 — Proven on a real from-scratch boot
 ### PENDING — awaiting orchestrator nixos-rebuild (as of 2026-06-13T13:08Z)
 M1 is PASS. The fix is in the repo (`0e9fd38`). The live cc-ci host still has the OLD probe:
 - Active reconcile script: `/nix/store/km6173hm5a77wxggd7zba3mfakrz0c94-cc-ci-reconcile-proxy`
 - Calls: `/nix/store/ls5d6s7q2892z0n0qv7sfk03zimwx3nd-runner/warm_reconcile.py`
 - That file has: `"health_domain": "ci.commoninternet.net"`, `"health_path": "/"` — OLD probe still live
 **Orchestrator action required:**
 ```bash
 ssh cc-ci
 cd /root/builder-clone
 git pull   # to get commit 0e9fd38
 nixos-rebuild switch --flake "git+file:///root/builder-clone?submodules=1#cc-ci"
 ```
 After nixos-rebuild, I will verify (per STATUS-pxgate.md M2 checks):
 1. `deploy-proxy.service` shows `active (exited)` (not unhealthy alert)
 2. New nix store path with `/api/version` in use
 3. All services 1/1 unaffected
 4. Cold-boot simulation: stop dashboard + restart proxy → proxy completes healthy without dashboard
 ---
 ## Idle break-it probes @2026-06-13T13:31Z (M2 still pending — no nixos-rebuild yet)
 Confirmed: old probe still live in active nix store path (km6173hm5a77wxggd7zba3mfakrz0c94); builder-clone on cc-ci at `caef217` (old). M2 blocked on orchestrator.
 **P_stability (3 probes from orchestrator + 3 from cc-ci):** `/api/version` → 200 all 6 probes. Dashboard `/` → 200. Endpoint stable.
 **P_services:** All 9 Docker services 1/1:
 - backups, ccci-bridge, ccci-dashboard, ccci-reports, drone, traefik (app+socket-proxy), warm-keycloak (app+db)
 **P_alerts:** `/var/lib/ci-warm/alerts/` empty. Builder cleared the stale boot-time alert as expected.
 **P_leak:** `/api/version` response: `{"Version":"3.6.15","Codename":"ramequin","startDate":"2026-06-13T05:38:02.987423426Z"}`. No secret patterns (password/token/key/cert/pem) detected.
 **P_ping_still_404:** `https://traefik.ci.commoninternet.net/ping` → 404 (not configured — correct; avoids depending on an entrypoint that might not exist after nixos-rebuild).
 **Builder sentinel discrepancy (re-checked):** Builder journal says "999 on curl failure" but `runner/warm_reconcile.py:276` returns `int(r.stdout.strip() or "0")` → curl error → "000" → int("000")=0. Returns 0, not 999. Non-blocking (0 ∉ (200,) → gate fails correctly). Same finding as M1 check 6 — no code defect.
 **STATUS-pxgate.md M2 pre-check:** builder-clone on cc-ci must be pulled to ≥ `0e9fd38` before nixos-rebuild. Current: `caef217` (stale). Orchestrator must `cd /root/builder-clone && git pull` first.
 No new findings warranting a VETO. All running-system probes PASS.
 ---
 ## M2 — Proven on a real nixos-rebuild
 ### PASS @2026-06-13T13:44Z — Adversary cold-verified
 nixos-rebuild completed (detected by Adversary at ~13:43:15 UTC — new nix store path appeared on deploy-proxy). Full M2 acceptance run executed independently.
 #### Check 1 — deploy-proxy active (exited) after nixos-rebuild ✅
 ```
 Active: active (exited) since Sat 2026-06-13 13:43:15 UTC
 Invocation: fe8a806fbb5b40239c31a5c48f381cd1
 Process: 3171211 ExecStart=/nix/store/8qjh8apxcbs85asgizkymjskicf4zmsl-cc-ci-reconcile-proxy/bin/cc-ci-reconcile-proxy (code=exited, status=0/SUCCESS)
 ```
 No alert written. New nix store path `8qjh8apxcbs85asgizkymjskicf4zmsl` — different from old `km6173hm5a77wxggd7zba3mfakrz0c94`.
 #### Check 2 — `/api/version` probe in new nix store path ✅
 New runner: `/nix/store/5hic3aba65i88m1ib67b7g6dwzrzd1z2-runner/warm_reconcile.py`
 Traefik spec confirmed:
 ```python
 "traefik": {
    "recipe": "traefik",
    "domain": "traefik.ci.commoninternet.net",
    "health_path": "/api/version",    # ← new probe
    "health_ok": (200,),
    ...
 }
 ```
 `health_domain` key absent → probe URL = `https://traefik.ci.commoninternet.net/api/version` (no backend/dashboard dep). Source grep confirms the inline comment: "traefik's OWN /api/version endpoint (no backend/dashboard dependency)".
 #### Check 3 — All services 1/1 (running server unaffected) ✅
 All 9 Docker services 1/1 after nixos-rebuild:
 `backups`, `ccci-bridge`, `ccci-dashboard`, `ccci-reports`, `drone`, `traefik_app`, `traefik_socket-proxy`, `warm-keycloak_app`, `warm-keycloak_db`.
 Dashboard (`https://ci.commoninternet.net/`) → 200. `/api/version` → 200.
 #### Check 4 — Cold-boot simulation: proxy starts without dashboard ✅
 Adversary executed the definitive cold-boot simulation (STATUS-pxgate.md Check 5):
 ```
 1. systemctl stop deploy-dashboard   → inactive ✓
 2. systemctl stop deploy-proxy && systemctl reset-failed deploy-proxy
 3. systemctl start deploy-proxy
   → Active: active (exited) since Sat 2026-06-13 13:44:01 UTC ✓
   → Process: ExecStart=.../8qjh8apxcbs85asgizkymjskicf4zmsl-cc-ci-reconcile-proxy ... (status=0/SUCCESS)
 4. systemctl start deploy-dashboard  → active (exited) ✓
 5. All services 1/1; dashboard → 200; /api/version → 200 ✓
 ```
 **Deploy-proxy reached `active (exited)` with the dashboard not running — cycle conclusively broken.** The old probe (ci.commoninternet.net/) would have timed out at 300s (health_timeout) trying to reach a dashboard that wasn't started yet.
 #### Check 5 — Alert directory empty ✅
 `/var/lib/ci-warm/alerts/` empty after both the nixos-rebuild run and the cold-boot simulation. No unhealthy alert written — new probe returned 200 on first health check.
 #### Check 6 — Rollback path (code-proof, unchanged) ✅
 `health_code()` unchanged: returns `int(r.stdout.strip() or "0")` → 0 on curl failure → 0 ∉ (200,) → `wait_healthy()` returns False → rollback triggered. Gate has teeth. (Confirmed same as M1.)
 ---
 **M2 VERDICT: PASS** — nixos-rebuild deployed the fix; deploy-proxy active without deadlock; cold-boot simulation confirmed cycle broken; all services unaffected; rollback intact. Phase pxgate Definition of Done fully met. Builder may write ## DONE.
--- a/machine-docs/REVIEW-rcust.md
+++ b/machine-docs/REVIEW-rcust.md
@ -0,0 +1,541 @@
 # REVIEW-rcust.md — Adversary ledger for the recipe-customization restructure phase
 SSOT for this phase: `/srv/cc-ci/cc-ci-plan/recipe-custom-restructure-full-plan.md`.
 Gates: **M1** (implementation verified — branch `restructure/recipe-custom`, unit+concurrency+lint
 green on cold clone, resolved-customization diff clean for all 21 recipes, adversarial diff review)
 and **M2** (merged + real-CI regression sweep matching baseline matrix). DONE requires fresh PASS
 for both with no open VETO.
 I own this file and the `## Adversary findings` section of BACKLOG-rcust.md only.
 ---
 ## Standing watch items (what I will hunt at M1/M2)
 - **Coverage loss** (cardinal risk): for every migrated recipe, old loaders' effective customization
  values must equal new `meta.load()` values. Throwaway diff script over all 21 recipe dirs; any
  delta = finding.
 - **Assertion weakening** in `tests/<recipe>/` diffs — migrations must be mechanical only (signatures,
  fixture/key renames, underscore prefixes). Any changed assert/expected value = VETO.
 - **Deleted-code fallout** — dangling refs to `_recipe_meta`, `_load_meta`, `_recipe_extra_env`,
  `_recipe_meta_flag`, `declared_deps`, `is_canonical_enrolled`, `OIDC_AT_INSTALL`,
  `CHAOS_BASE_DEPLOY`, `SKIP_GENERIC`, `setup_custom_tests`, `deps_apps`, `deps_creds`, `deployed_app`.
 - **Validation gaps** — typo'd key / wrong type / callable-on-data-key must raise MetaError, not pass.
 - **R2 fixed end-to-end** — orchestrator load path delivers SCREENSHOT to screenshot.py.
 - **HC2 / F2-11 integrity** — repo-local default-deny, requires_deps skip-report, generic floor
  semantics all unchanged.
 ---
 ## Verdicts
 _(no GATE verdict yet — M1 is not claimed. M1 only claims after P1–P6 are all on the branch;
 Builder has landed P1 (472a68b) + P2 (8cd72fd) and is mid-P3. The interim pre-review below is
 front-loaded break-it work on the FROZEN P1/P2 commits — NOT an M1 PASS.)_
 ### Interim pre-review of frozen P1+P2 (branch @ 8cd72fd) — @2026-06-10, cold from upstream clone
 Done as idle-time break-it work while no gate is pending. P1/P2 phase commits won't be rewritten
 (Builder adds P3+ on top), so reviewing them now is non-wasted and front-loads M1. Cold clone of
 `origin/restructure/recipe-custom` into `/tmp/rcust-verify` from the true upstream remote.
 **No defects found so far.** Results:
 1. **Deleted-code fallout — CLEAN.** Grepped `runner/ tests/ scripts/` for live refs to every deleted
   symbol (`_recipe_meta`, `_load_meta`, `_recipe_extra_env`, `_recipe_meta_flag`, `declared_deps`,
   `is_canonical_enrolled`, `OIDC_AT_INSTALL`, `CHAOS_BASE_DEPLOY`, `SKIP_GENERIC`,
   `setup_custom_tests`, `deps_apps`, `deps_creds`, `deployed_app`). All hits are comments/docstrings
   explaining the deletion, test names, or the intentionally-RETAINED `CCCI_SKIP_GENERIC*` env form
   (kept per P2c). Zero live call-sites. `setup_custom_tests.sh` files gone.
 2. **All-recipes-load-clean (typo gate) — PASS, independently.** Ran `meta.load()` (pure stdlib) over
   all 21 recipe dirs cold via plain python3 (did NOT trust the Builder's test_meta.py). All 21 load;
   non-default key sets sane. Every ALL-CAPS key used in any recipe_meta.py is in the 14-key registry.
 3. **Coverage-loss diff (CARDINAL check) — ZERO deltas on data keys + hook presence.** Throwaway
   harness (`/tmp/diff_meta.py`) reproduces main's six-loader effective resolution (`_load_meta`,
   `declared_deps`, `is_enrolled`, `_recipe_extra_env`) from MAIN's recipe_meta files and diffs vs the
   BRANCH's `meta.load()` for all 21 recipes. After correcting one harness artifact (EXTRA_ENV default
   is `{}` not None), **0/21 recipes show any delta** for HEALTH_PATH/HEALTH_OK/DEPLOY_TIMEOUT/
   HTTP_TIMEOUT/BACKUP_CAPABLE/EXPECTED_NA/UPGRADE_BASE_VERSION/DEPS/WARM_CANONICAL + presence of
   READY_PROBE/BACKUP_VERIFY/UPGRADE_EXTRA_ENV/EXTRA_ENV/SCREENSHOT.
 4. **Validation gaps — CLOSED.** Crafted tmp recipe_metas: typo'd key → MetaError (with "did you mean
   DEPLOY_TIMEOUT?"); wrong type (`DEPLOY_TIMEOUT="str"`) → MetaError; callable on data key
   (`DEPLOY_TIMEOUT=lambda ctx:...`) → MetaError; `_PRIVATE`/lowercase-helper → loads clean (exemption
   works). All four behave per the locked decision.
 5. **meta.py read** — single `exec()`, frozen `RecipeMeta` generated from `KEYS`, `_coerce` rejects
   bool-as-int and callable-on-data-key; `non_default` compares vs registry default. No issues.
 **Still UNVERIFIED for M1 (do NOT treat above as M1 PASS):** full `pytest tests/unit -q` +
 `pytest tests/concurrency -q` + `scripts/lint.sh` cold on the cc-ci host; R2 end-to-end through the
 real orchestrator screenshot path; P3 ctx-hook signature migration (assert byte-identical, legacy
 `lambda domain:` raises clear MetaError); P4/P5/P6; re-run the coverage diff on the FINAL branch
 (P3 changes hook signatures); recipe-test diffs are mechanical-only (no assertion weakening);
 HC2/F2-11/generic-floor integrity. These wait for the `claim(rcust): M1`.
 ### Interim pre-review of frozen P3 (branch @ fd02d9f) — @2026-06-10, cold from upstream clone
 Builder landed P3 (uniform ctx hook convention) and moved to P4, so P3 is frozen. Pre-reviewed it.
 **No defects found.**
 1. **Mechanical-migration discipline — HELD (no VETO trigger).** `git diff 8cd72fd..fd02d9f` over
   `tests/*/` shows ZERO changed assert/expected literals. Every hook change is purely
   `def HOOK(domain[, meta])` → `def HOOK(ctx)` + `domain` → `ctx.domain` in the body. Spot-checked
   cryptpad/mumble/ghost/lasuite-drive recipe_meta.py + lasuite-drive ops.py: seeded values, return
   dicts, paths, status codes, and the `pre_restore` `assert _psql(...) in (...)` are byte-identical
   apart from the `ctx.` deref.
 2. **HookCtx — present + complete.** `meta.HookCtx` frozen dataclass has all 5 documented fields
   (`.domain`, `.base_url`, `.meta`, `.deps`, `.op`); `meta.hook_ctx(domain, meta, op=…)` factory
   builds it and pulls `deps` from `$CCCI_DEPS_FILE`. All call sites migrated: run_recipe_ci
   `pre_<op>`, BACKUP_VERIFY; lifecycle `extra_env` + READY_PROBE; screenshot `SCREENSHOT(page, ctx)`.
   (NB my first pass falsely flagged "no HookCtx" — that was a STALE WORKTREE at P2; corrected by
   checking out fd02d9f. Logged here for honesty.)
 3. **Legacy-signature guard (P3.4) — PRESENT + works, live-probed.** `meta.check_hook_signature`
   exact-matches positional params and raises a CLEAR MetaError naming the P3 migration + HookCtx
   fields. Wired into both `load()` (recipe_meta hooks; SCREENSHOT expects `(page, ctx)`, rest
   `(ctx)`) and the orchestrator (ops.py `pre_<op>`). Crafted tmp metas: legacy `READY_PROBE(domain)`,
   `SCREENSHOT(page, domain, meta)`, `EXTRA_ENV(domain)` all → MetaError at load; `READY_PROBE(ctx)`
   loads clean. No silent mid-run TypeError path.
 4. **Coverage diff re-run at P3 head — still 0/21 deltas** (hook presence + all data keys unchanged).
 Net: P1+P2+P3 all clean under cold adversarial probing. M1 still gated on full unit+concurrency+lint
 on the cc-ci host, P4–P6, R2 end-to-end via the real screenshot orchestrator path, and a final
 coverage re-diff. No findings filed; no VETO.
 ### Interim pre-review of frozen P4 (branch @ 29a28e2) — @2026-06-10T18:55Z, cold from fresh host clone
 Builder landed P4 (custom-test ergonomics) and moved to P5, so P4 is frozen. Pre-reviewed it cold.
 **No defects found.** NOT an M1 verdict — M1 stays gated (see "Still UNVERIFIED" below).
 Cold acceptance (fresh `git clone` on cc-ci host at 29a28e2, my own checkout — not the Builder's):
 - `cc-ci-run -m pytest tests/unit -q` → **184 passed** (exact match to claim; full suite, no
  cross-fixture pollution from the session-scoped `deps` fixture).
 - `cc-ci-run -m pytest tests/unit/test_discovery.py test_discovery_phase2.py
  test_conftest_fixtures.py -q` → 14 passed.
 - `nix develop .#lint --command scripts/lint.sh` → **lint: PASS** (ruff format/check, deadnix,
  shfmt, shellcheck, yamllint all clean).
 Correctness probes:
 1. **Placement-rule claim ("zero in-repo users of top-level custom tests") — HOLDS.** Filesystem
   sweep of every `tests/<recipe>/test_*.py`: ALL are lifecycle names (test_{install,upgrade,
   backup,restore}.py). No top-level non-lifecycle custom exists in-repo, so dropping the top-level
   glob in `discovery.custom_tests` loses ZERO coverage. The lifecycle-name exclusion is retained
   inside functional/playwright as the double-run safety net.
 2. **Discovery diff — clean.** Top-level `glob(test_*.py)` branch removed; functional/ + playwright/
   subdir globs retained with `basename not in lifecycle_names` guard. Docstring + module header
   updated to state the placement RULE.
 3. **Test changes are adaptation + strengthening, NOT weakening (no VETO trigger).**
   - `test_discovery_phase2`: renamed to `..._placement_rule_...`; now ASSERTS the top-level
     `test_sso_smoke.py` is `not in names` (new negative assertion proving the behavior change),
     while functional/playwright customs are still `in names` and lifecycle name excluded.
   - `test_discovery::test_custom_tests_repo_local_gated`: repo-local custom moved from top-level
     into `functional/`; HC2 default-deny (`== []` when unapproved) and approved-case
     (`functional/test_sso.py in names`, `test_install.py` excluded) both INTACT. HC2 integrity
     preserved.
 4. **op_state fixture — correct.** Skips with clear reason on unset env / missing file / non-JSON
   (`except ValueError` catches JSONDecodeError); reads & returns parsed dict otherwise. Tests
   cover 3 of 4 paths (the non-JSON skip path is untested — minor coverage gap, not a defect; the
   branch is trivially correct by inspection).
 Net: P1+P2+P3+P4 all clean under cold adversarial probing; both halves of every phase claim
 (unit count + lint) reproduced cold on a fresh clone. No findings filed; no VETO.
 **Still UNVERIFIED for M1 (do NOT treat above as M1 PASS):** P5 (manifest) + P6 (docs);
 `pytest tests/concurrency -q` cold; R2 end-to-end through the real orchestrator screenshot path;
 final coverage re-diff on the COMPLETE branch (P1–P6, all 21 recipes, effective customization set
 unchanged); recipe-test diffs mechanical-only across the whole branch; HC2/F2-11/generic-floor
 integrity at the final head. These wait for `claim(rcust): M1`.
 ### Interim pre-review of frozen P5 (branch @ 68954be) — @2026-06-10T19:06Z, cold from fresh host clone
 Builder landed P5 (customization manifest) and moved to P6, so P5 is frozen. Pre-reviewed it cold.
 **No blocking defect; one secret-SURFACE observation raised (heads-up to Builder, NOT a VETO, NOT
 an M1 secret-leak failure).** NOT an M1 verdict.
 Cold acceptance (fresh `git clone` on cc-ci host at 68954be, my own checkout):
 - `cc-ci-run -m pytest tests/unit -q` → **191 passed** (exact match to claim).
 - `nix develop .#lint --command scripts/lint.sh` → **lint: PASS**.
 Primary adversarial target — SECRET LEAKAGE via the new manifest surface (D-gate: published logs +
 dashboard contain NO secrets, incl. generated app passwords):
 1. **Generated/runtime secrets — NOT exposed (gate holds).** `manifest.build` collects only:
   `meta_non_default` (static recipe_meta), hook NAMES (pre-ops/install_steps.sh/compose.ccci.yml),
   overlay FILENAMES, custom-test COUNTS, and env-override KEY names (printed `KEY=1`, value never
   rendered). It never touches `deps` (client_secret), `op_state`, abra-generated app passwords, or
   any env VALUE. The cardinal concern — generated app passwords on the dashboard — is structurally
   absent from this surface.
 2. **Cold all-recipes sweep.** Built+rendered the manifest for all 21 recipes on the host; grepped
   the rendered blocks AND the results.json `customization` payload for secret/password/token/key/
   credential and for any 32+ char high-entropy string. The ONLY hit, across every recipe, is
   plausible's `EXTRA_ENV.SECRET_KEY_BASE` =
   `"ccciplausibletestkeybase64charsexactlyforCIephemeral4567890123"`.
 3. **OBSERVATION (not a leak):** that value is a HARDCODED, committed, PUBLIC dummy CI constant
   (tests/plausible/recipe_meta.py, in the open-source repo) — not a generated or real secret.
   `meta_non_default` dumps EXTRA_ENV literal dicts verbatim into the log AND results.json (→
   dashboard), so a field literally named `SECRET_KEY_BASE` with a value now appears on the
   dashboard. No real secret is exposed (it's public), so this is NOT a D-gate failure and does NOT
   block P5. BUT it's a standing surface: (a) a dashboard secret-scan gets a true-positive-shaped
   hit on a public dummy (noise that could mask a real leak), and (b) if any recipe ever set a real
   secret-ish literal in a meta dict, the manifest would surface it unredacted. Flagged to Builder
   via BUILDER-INBOX as a heads-up to consider redacting values of sensitive-named meta keys before
   M1. Will re-examine on the real dashboard at the M1 cold-verify.
 4. **HC2-honoring — confirmed.** Manifest routes ALL repo-local reads through `discovery._gated`
   (ops.py loop direct; `install_steps`/`resolve_overlay_op`/`custom_tests` each call `_gated`
   internally). An unapproved repo-local recipe contributes nothing to the manifest.
 5. **Pure presentation — holds.** `build()` only reads files/env and returns a dict; `render()`
   formats a string. Called at run_recipe_ci.py:889-890 (print) + embedded at :1261 into results;
   no state mutation, no verdict influence. `_jsonable` renders callables as `'<hook>'` (so a
   callable EXTRA_ENV/READY_PROBE never leaks closure internals) and tuples→lists for JSON.
 Net: P1–P5 all clean under cold adversarial probing; every phase claim (unit count + lint)
 reproduced cold. No findings filed; no VETO. One non-blocking secret-surface heads-up sent.
 **Still UNVERIFIED for M1:** P6 (docs); `pytest tests/concurrency -q` cold; R2 end-to-end via the
 real orchestrator screenshot path; final coverage re-diff on the COMPLETE branch (all 21 recipes,
 effective customization unchanged); recipe-test diffs mechanical-only across the whole branch;
 HC2/F2-11/generic-floor integrity at final head; AND — at the M1 dashboard check — confirm the
 SECRET_KEY_BASE-named field on the real dashboard is the accepted public dummy (or redacted).
 These wait for `claim(rcust): M1`.
 ## M1 — implementation verified: **PASS** @2026-06-10T19:27Z (branch `restructure/recipe-custom` @ 858e0f5)
 Cold-verified from TWO fresh clones on the cc-ci host (NEW=858e0f5, OLD=main pre-restructure;
 merge-base 49fb818 confirmed → `main..858e0f5` is exactly P1–P6). Verdict formed from the phase plan
 (SSOT), the code/git history, the STATUS verification facts, and my own cold re-runs — NOT from
 JOURNAL rationale (isolation discipline; I did not need to consult JOURNAL).
 **All M1 Definition-of-Done items PASS:**
 1. **Cold test suites — match claim exactly.** Fresh clone @858e0f5:
   `cc-ci-run -m pytest tests/unit -q` → **192 passed**; `tests/concurrency -q` → **23 passed**
   (untouched by this plan, proven); `nix develop .#lint --command scripts/lint.sh` → **lint: PASS**.
 2. **Coverage diff (cardinal risk) — 0 REAL deltas / 21 recipes.** Wrote throwaway extractors that
   resolve EVERY recipe's effective customization in BOTH worlds — OLD via the legacy loaders
   (`_load_meta` + `lifecycle._recipe_extra_env` + `deps.declared_deps` + `_recipe_meta_flag`),
   NEW via `meta.load()` + `meta.extra_env/upgrade_extra_env` — for the common keys (HEALTH_*,
   timeouts, DEPS, EXTRA_ENV resolved at a fixed domain, UPGRADE_EXTRA_ENV, BACKUP_CAPABLE,
   EXPECTED_NA, UPGRADE_BASE_VERSION, READY_PROBE/BACKUP_VERIFY presence). Diff = **0 behavioral
   deltas**; the only raw diffs were 20× `UPGRADE_EXTRA_ENV: None→{}` (unset default representation,
   behaviorally identical) and mumble (most-customized: callable EXTRA_ENV→dict, UPGRADE_EXTRA_ENV,
   READY_PROBE) is **byte-identical** old↔new.
   Deleted keys accounted for (no silent loss): `SKIP_GENERIC` (0 recipe users); `CHAOS_BASE_DEPLOY`
   → overlay-presence (discourse+ghost, exactly the two shipping compose.ccci.yml — perfect 1:1, no
   change either direction); `OIDC_AT_INSTALL` → install-time made universal (drive+meet were
   already install-time). **lasuite-docs** declared DEPS but NOT OIDC_AT_INSTALL → OLD post-install,
   NEW install-time: an INTENTIONAL P2b consolidation, not a drop — flagged below for M2 validation.
 3. **Assertion weakening (VETO-class) — NONE.** Full branch diff over all recipe test files
   (excl. harness unit/concurrency/regression): 18 removed asserts, 18 added. After mechanical
   normalization (`domain`→`ctx.domain`, `deps_creds`→`deps`, `MAX_USERS`→`_MAX_USERS`, whitespace)
   the removed and added assert sets are **IDENTICAL** — zero unmatched in either direction. Every
   change is a pure signature/fixture/constant rename; no expected value altered, no assert deleted.
   Spot-confirmed discourse/ghost `_psql(domain,…ci_marker…) in (…)` → `ctx.domain` only (expected
   tuple + SQL byte-identical). **No VETO.**
 4. **Deleted-code fallout — clean.** No dangling LIVE refs to any of the 13 deleted symbols
   (`_recipe_meta`/`_load_meta`/`_recipe_extra_env`/`_recipe_meta_flag`/`declared_deps`/
   `is_canonical_enrolled`/`OIDC_AT_INSTALL`/`CHAOS_BASE_DEPLOY`/`SKIP_GENERIC`/`setup_custom_tests`/
   `deps_apps`/`deps_creds`/`deployed_app`). Only residue: stale DOC/comment mentions of
   `OIDC_AT_INSTALL` + `setup_custom_tests.sh` in PARITY.md files (non-blocking P6 cosmetic nit).
 5. **Validation gaps — closed.** Cold-probed `meta.load()` with synthetic bad metas: typo'd key,
   str-on-int, bool-as-int, callable-on-data-key, legacy hook sig `READY_PROBE(domain)`, and unknown
   key ALL → `MetaError` (clear, names the offending file/key). Clean + underscore-private-helper
   metas load fine (no false positives). No silent pass.
 6. **R2 fixed end-to-end.** Cold proof through the REAL load path: a recipe declaring
   `def SCREENSHOT(page, ctx)` is surfaced by `meta.load()` and resolved callable by
   `screenshot._load_screenshot_hook` (old L1 allowlist dropped it — now arrives); orchestrator wires
   it `run_recipe_ci.py:1029 capture(…, recipe_meta=meta)` → `hook(page, hook_ctx(domain, meta))`.
   Absent recipe → None (default landing-page path). Legacy `SCREENSHOT(page, domain, meta)` sig
   rejected at load.
 7. **HC2 / F2-11 / generic-floor integrity — preserved.** Cold-probed `discovery.custom_tests` +
   `install_steps`: UNAPPROVED repo-local → `[]` / `None` (default-deny holds); APPROVED → surfaced.
   `sso_dep_unverified` (F2-11) logic UNCHANGED (only a comment edited) — a deps-not-ready run that
   skips ≥1 `requires_deps` test still suppresses the green signal. Generic floor `_skip_generic`
   default = run (additive); opt-out now env-only (same env vars as before; the 0-user meta key
   removed) and surfaced LOUDLY in CI + flagged `!!` in the manifest — strictly stronger, never
   silent.
 8. **(Bonus) P5 secret-surface heads-up RESOLVED + verified.** The Builder landed `858e0f5`
   redacting secret-named meta values in the manifest (my P5 BUILDER-INBOX ask). Cold-verified:
   `plausible.EXTRA_ENV.SECRET_KEY_BASE` → `<redacted>` in BOTH the log block and results.json;
   recursive into nested dict keys; word-segment `(^|_)KEY(_|$)` regex avoids over-match
   (KEYCLOAK_* passes). All-21-recipe sweep: exactly 1 redaction, ZERO over-redaction, ZERO
   under-redaction (no secret-shaped value remains). Regression test
   `test_manifest_redacts_sensitive_named_values` present.
 **Verdict: M1 PASS.** No findings filed, no VETO.
 **This does NOT clear `## DONE`.** Per the phase DoD, DONE requires a fresh Adversary PASS for BOTH
 M1 *and* M2. M2 (merged-main real-CI regression sweep vs the committed baseline matrix) is still
 unverified. M2 watch-items I will specifically re-check from run logs:
 - **lasuite-docs OIDC is now install-time** (post→install change above) — must pass a real run with
  OIDC wired at install (skip-count 0 on its `requires_deps` tests).
 - the customization spot-checks the plan §M2.4 enumerates (mumble READY_PROBE tcp lines, cryptpad
  SANDBOX_DOMAIN, ghost/discourse BACKUP_VERIFY + overlay copy + auto-chaos base deploy, lasuite-*
  deps provisioning + OIDC tests ran, immich ops.py seeds, manifest block present in every log,
  screenshot.png where capture succeeded).
 - canary suite (RED canaries still caught at intended tier) + per-recipe level == baseline matrix.
 - zero leaked apps after teardown.
 ### M2-prep — independent hook-port audit (shell→python / best-effort↔fatal drift) @2026-06-10T20:55Z
 Triggered by the lasuite-drive regression (below), which my M1 PASS MISSED: my M1 coverage diff
 compared recipe_meta KEYS (resolved values), not ops.py hook BODIES, and my assertion scan matched
 `assert ` not `raise AssertionError`. So a hook that flipped best-effort→fatal was invisible to my
 M1 method. M2 (real-CI sweep) caught it — the safety net working as designed. I then audited ALL
 hook ports cold (`git diff c2508c7..origin/main` per recipe ops.py + the 2 setup_custom_tests.sh
 ports), filtering for non-mechanical error-handling (raise/assert/except/exit/timeout/poll changes):
 - **lasuite-drive `pre_install`** — GENUINE rcust regression (Builder-disclosed, I confirmed):
  OLD setup_custom_tests.sh bucket poll fell through on 90s timeout (best-effort, no failure; the
  custom-tier `test_minio_storage.py` upload→list→download is the real gate); NEW port added a
  terminal `raise AssertionError` → deterministic install RED when the bucket appears just after
  90s. Fix-forward APPROVED (restore best-effort print+return, scoped to line-54 only; conditioned
  on an L5 re-run + my diff re-verify). See approval entry in BUILDER-INBOX history (commit 57c66ad).
 - **lasuite-docs `install_steps.sh`** — INTENTIONAL P2b change, NOT a defect: OLD setup_custom_tests
  did `exit 1` on missing deps/null KC creds; NEW does `exit 0` (no-op) for missing-deps (gated now
  by F2-11: the `@requires_deps` OIDC test skips → `sso_dep_unverified` suppresses green) BUT
  preserves `exit 1` on secret-insert failure. Consistent with the install-time-deps redesign.
  WATCH-ITEM (residual): the missing-deps path now relies entirely on F2-11; the sweep didn't
  exercise it (deps were ready, skip-count 0). Mechanism verified present at M1; not blocking.
 - **All other ops.py** (cryptpad, discourse, ghost, immich, keycloak, lasuite-meet, matrix-synapse,
  mattermost-lts, mumble, n8n, plausible, custom-html) — pure mechanical ctx migration
  (`domain`→`ctx.domain`, `meta`→`ctx.meta`); expected tuples/strings byte-identical (spot-checked
  keycloak 201/409 + 204/200, discourse/ghost _psql ci_marker). No error-handling drift.
 Net: exactly ONE accidental hook-port regression (lasuite-drive), now under approved fix. No other
 best-effort↔fatal flips. This audit closes the M1-method gap for the hook bodies.
 ---
 ### M2 proof-run independent analysis (cold, Adversary) @2026-06-10T23:53Z
 M2 is NOT yet claimed by the Builder; this is my independent read of the proof runs sitting on
 cc-ci (`/var/lib/cc-ci-runs/{m2b-*,ab-*-oldmain}`), parsed myself via jq (NOT trusting Builder
 narrative). The 6 first-sweep mismatches break down as follows.
 **Confirmed root fact — REF MISMATCH is real (I verified, not taken on faith).** Every baseline
 matrix run used a *PR-head* ref; the first M2.3 sweep used each mirror's *default-branch head* — a
 different commit. Independently confirmed via `results.json.ref`:
 | recipe | baseline run/ref/level | sweep ref/level |
 |---|---|---|
 | discourse | 184 / 7ae7b0f76efb / L4 | 7d53d4ec390f / L2 |
 | plausible | 308 / 13458fac56a1 / L4 | da159375d89a / L2 |
 | mattermost-lts | 196 / a333e31a6002 / L4 | 41c9eb8e5f34 / L2 |
 | immich | 307 / 107d7220adce / L4 | 7eb3937a82d0 / L2 |
 | lasuite-drive | 189 / ffa7d585afa2 / L5 | f4135d78201e / L0 |
 So the sweep was NOT apples-to-apples vs the baseline matrix. Reconciliation requires either
 (a) re-run at the baseline ref on new main == baseline level, or (b) A/B same-ref old-vs-new main
 == same level. Status per recipe:
 - **immich** — m2b-immich (new main, baseline ref 107d7220adce) = **L4 == baseline L4. CLEAN.**
 - **mattermost-lts** — m2b (new main, a333e31a6002) = **L4 == baseline L4. CLEAN.**
 - **plausible** — m2b (new main, 13458fac56a1) = **L4 == baseline L4. CLEAN.**
  → these three: restructure proven INNOCENT (baseline ref reproduces baseline level on merged main).
 - **bluesky-pds** — ab-bluesky-pds-oldmain (OLD main, b2d86efba3f1) = L0 == new-main sweep L0 at
  same ref → restructure-NEUTRAL at the sweep ref. (Baseline is "L4-equiv, pre-results-era", no run
  id — softer baseline; A/B neutrality is the available evidence.)
 - **discourse — NOT yet clean. OPEN.** Two *distinct* flake modes seen, and the A/B was run at the
  wrong ref to close the gap:
  - baseline 184 (OLD main, 7ae7b0f): all pass → L4.
  - m2b-discourse (NEW main, SAME ref 7ae7b0f): **upgrade FAILED**, HC1 guard fired —
    "upgrade deployed chaos commit 'eb96de94+U', not intended PR-head '7ae7b0f76efb' — re-checkout
    to code-under-test failed (HC1)" → L1.  ← same-ref old=L4 vs new=L1 discrepancy, UNexplained.
  - ab-discourse-oldmain (OLD main, 7d53d4ec): **restore FAILED** (ci_marker truncated-dump race)
    → L2 == new-main sweep L2 at that ref → neutrality proven, but for the RESTORE mode at the
    DEFAULT-head ref, NOT for the L1/upgrade-HC1 mode at the baseline ref.
  - Net: the clean A/B (ref 7ae7b0f on OLD main vs NEW main) that would explain L4→L1 was NOT run.
    The upgrade re-checkout/HC1 path lives in run_recipe_ci.py/lifecycle which the meta-param
    threading DID touch — so "pre-existing flake" is plausible but UNPROVEN here. To clear: run
    discourse @7ae7b0f on OLD main (does it deterministically reproduce L4, or also flake to L1?),
    and/or repeat @7ae7b0f on new main to characterise the HC1 re-checkout as a race. The HC1 guard
    FIRING (not silently passing the wrong commit) is the safety net working — good — but it means
    the upgrade did not exercise the PR code, so the run is inconclusive, not a clean baseline match.
 - **lasuite-drive** — fix-forward 1357544 (restore best-effort bucket poll) landed; needs a fresh
  L5 run at the baseline ref ffa7d585afa2 on merged main to confirm baseline. m2rr/earlier runs
  predate or used the default head — NOT yet a clean baseline match. OPEN.
 **M2 disposition: still OPEN — no PASS.** 3/6 cleanly reconciled (immich/mattermost/plausible);
 bluesky neutral-at-sweep-ref; discourse + lasuite-drive NOT yet closed. I will require, at the M2
 claim: (1) discourse same-ref A/B (or repeat) explaining L4→L1; (2) a clean lasuite-drive L5 at
 baseline ref; (3) my own cold re-parse of every per-recipe level vs baseline; (4) the M2.4
 customization-executed spot-greps; (5) zero leaked apps. Recorded a BUILDER-INBOX heads-up on the
 discourse-HC1 gap so it is addressed in the claim, not glossed as "the restore flake".
 ### M2 proof-run progress + self-correction @2026-06-11T00:05Z
 Builder is running (independently, matching my inbox ask) the decisive A/B serially on the box:
 `m2-proof.sh` → lasuite-drive @ffa7d585afa2 PR=1 (post-fix-forward 1357544) on merged main 5c0676b,
 then discourse @7ae7b0f76efb **PR=2** on merged main (m2p-discourse); `m2-proof2.sh` (queued) →
 discourse @7ae7b0f76efb **PR=2** on OLD main (/root/m2-oldmain, ab-discourse-7ae7b0f-oldmain).
 **Self-correction to my 23:53Z discourse analysis:** my m2b-discourse run used **PR=0**, but the
 upgrade HC1 guard resolves the *PR head* for the re-checkout. The L1 failure message ("deployed
 chaos commit 'eb96de94+U', not PR-head 7ae7b0f — re-checkout failed") is plausibly a **PR=0
 artifact** (no real PR to resolve the head from), NOT a restructure regression. The Builder's proof
 runs correctly use PR=2 (matching baseline run 184's pr=2). So the apples-to-apples comparison I
 need is m2p-discourse (PR=2, new main) vs ab-discourse-7ae7b0f-oldmain (PR=2, old main) vs baseline
 184 (PR=2, old main, L4). I will cold-verify those three when they land; my L4→L1 concern is on
 hold pending the PR=2 result, not yet a confirmed regression. Live lasu-f68b63 stack = active
 lasuite-drive proof run (expected, not a leak).
 ### M2 fix-forward APPROVE: be2026a (services_converged completed-one-shot rule) @2026-06-11T00:31Z
 Builder proposed a 2nd lasuite-drive P2b fix on branch `fix/converged-oneshot @ be2026a` and asked
 approval before merging to main (M2 "trivial fix-forward w/ Adversary approval" path). Cold-verified
 independently (fresh clone of be2026a at /root/adv-be2026a on cc-ci, NOT the Builder's working tree):
 - **Diff** (`git diff origin/main..be2026a runner/harness/lifecycle.py`, read myself): in
  `services_converged`, a `cur != want` deficit now passes ONLY if `docker service ps <svc>` shows
  ALL task states == `Complete`. Conservative: any Running/Preparing/Pending (spinning up) or
  Failed/Rejected (broken) in the deficit still returns False; no-tasks-yet still False; plain N/N
  and 0/0 unchanged. Targeted addition, not a rewrite.
 - **False-green analysis (my own):** only `restart_policy:none` one-shots ever show `Complete`; a
  normal crashed service shows Failed/Running(restarting), never Complete. Even if converge passed
  on a completed-but-ineffective one-shot, two INDEPENDENT gates still catch it — the generic
  `test_serving` HTTP floor and the custom-tier functional test (lasuite-drive
  `test_minio_storage.py` upload→list→download is the real bucket gate). Defense-in-depth holds; I
  could not construct a false-green path.
 - **Tests** `tests/unit/test_converged_oneshot.py` (read + cold-ran): 7 cases pin exactly the
  non-vacuity criteria — completed→converged, Failed→NOT, mixed Complete+Failed→NOT (covers the
  `docker service ps` history concern), Preparing→NOT, no-tasks→NOT, N/N→converged, 0/0→converged.
 - **Cold suite+lint from fresh be2026a checkout:** `cc-ci-run -m pytest tests/unit -q` → **199
  passed**; the 7 new tests pass alone; `nix develop .#lint --command scripts/lint.sh` → **lint:
  PASS**. Matches Builder's claim.
 - **Root cause judged genuine P2b regression** (hook moved into ops.py pre_install runs BEFORE the
  install assert; the completed one-shot's 0/1 then burns DEPLOY_TIMEOUT in the converge poll). The
  fix accepts a genuinely-healthy deploy (HTTP 200, all other services 1/1) the old `cur!=want`
  wrongly rejected — correction, not masking.
 - **Not on main** — confirmed `all(s == "Complete")` absent from origin/main; Builder held the gate.
 - **Disclosed semantic delta** (a failing one-shot now blocks install convergence earlier vs later
  at custom-tier): ACCEPTED — both paths RED, no false-green, no enrolled recipe has a
  baseline-failing one-shot.
 **VERDICT: fix-forward be2026a APPROVED, conditional on:**
 1. Post-merge lasuite-drive proof re-run @ffa7d585afa2 PR=1 lands **L5** (binding end-to-end proof
   the fix resolves the converge hang — if it doesn't, the diagnosis was wrong and approval voids).
 2. I re-verify the MERGED diff == be2026a diff (no extra change sneaks in at merge).
 3. discourse PR=2 A/B pair (m2p-discourse / ab-discourse-7ae7b0f-oldmain — no one-shots, unaffected
   by this fix) completes and I cold-verify those levels too.
 This APPROVE does NOT clear M2; M2 still needs all per-recipe levels reconciled + my independent
 sample re-check + zero-leak teardown.
 ### be2026a merge cold-verify — condition #2 SATISFIED @2026-06-11T00:42Z
 Builder merged be2026a as 6cabbe7 (build 350 green, origin/main now b4505ac). Independently checked:
 `diff origin/main:runner/harness/lifecycle.py be2026a:...` → **IDENTICAL**; the merged
 `tests/unit/test_converged_oneshot.py` → **IDENTICAL** to be2026a. Clean merge, no extra change
 slipped in — approval condition #2 met. m2p-lasuite-drive (pre-fix) landed L0 (install/converge
 timeout) = the diagnosed symptom (Builder disclosed b4505ac it SIGINT-shortcut the doomed burn;
 binding proof is the post-fix m2p2 re-run). REMAINING be2026a conditions: #1 post-fix lasuite-drive
 L5, #3 discourse PR=2 A/B cold-check — both pending (m2p-discourse running, then ab-oldmain, then
 m2p2-lasuite-drive).
 ### be2026a conditions CLEARED + SSO-baseline staleness finding (independent) @2026-06-11T01:12Z
 Reached the conclusions below COLD (own git archaeology + run-dir jq) BEFORE reading the Builder's
 01:10Z inbox — which then concurred. Anti-anchoring preserved (no JOURNAL read; inbox read after my
 own derivation).
 **be2026a fix-forward — ALL 3 CONDITIONS SATISFIED → fix-forward FULLY CLEARED:**
 1. **Post-fix lasuite-drive (m2p2, merged main 6cabbe7, ffa7d585afa2, PR=1): L4, rc=0, 3m19s.**
   Independently verified: flags clean_teardown=true + no_secret_leak=true; all 4 essential rungs
   pass; `test_minio_storage::...object_roundtrip` PASSED; `test_oidc_..._keycloak` PASSED. The
   install converge no longer hangs — both fix-forwards (1357544 best-effort poll + 6cabbe7
   completed-one-shot converge) exercised in one run. The literal "L5" in my condition is
   **unmeetable on current code and NOT an rcust effect** — see staleness finding below; I accept
   the L4-equivalence. Fix works end-to-end.
 2. **Merged diff == branch diff** — verified earlier (4428e76): lifecycle.py + test file
   byte-identical to be2026a.
 3. **discourse A/B — restructure-NEUTRAL.** m2p-discourse (NEW main, 7ae7b0f, PR=2) = L1 and
   ab-discourse-7ae7b0f-oldmain (OLD main, SAME ref, SAME PR=2) = L1, SAME stage (upgrade), SAME
   message (`eb96de94+U` HC1 re-checkout). old==new byte-identical → rcust did NOT regress discourse.
   The L4(184)→L1 vs baseline is pre-existing env drift since 06-05 (filed below), not rcust.
 **FINDING [adversary] — M2 baseline matrix has 3 STALE L5 entries (lasuite-docs/drive/meet).**
 Independently established: the level ladder dropped 6-rung(L5)→4-rung(max L4, integration &
 recipe-local now OPTIONAL/non-laddered) in mainline PR#6 (c51cd84 "4-rung ladder", + 46e2cdb),
 which `git merge-base --is-ancestor c51cd84 01e6d49^` confirms is an ANCESTOR OF PRE-RCUST MAIN.
 The rcust merge touches level.py NOT AT ALL and results.py by +4 cosmetic P5 lines; compute_level
 + derive_rungs are byte-identical old-main↔merged-main. So NO current-code run (rcust or pre-rcust)
 can produce L5; baselines 188/189/204 (L5, integration:pass) were recorded under the OLD schema
 (run 204 ran 06-09 hours before the refactor deployed). **rcust is INNOCENT of L4≠L5.** Integration
 coverage is NOT lost: the requires_deps OIDC tests EXECUTE and PASS (skip-count 0) on current code —
 verified in m2p2 AND the sweep's m2r-lasuite-docs (`test_oidc_login_via_keycloak` +
 `test_oidc_password_grant_...` PASSED) and m2r-lasuite-meet (`...password_grant...` PASSED).
 ACCEPTED equivalence for the M2 matrix: **old L5 ≡ new L4 (all 4 essential rungs pass) + requires_deps
 OIDC test PASSED (skip-count 0)**. Under this, lasuite-docs (m2r L4) / lasuite-meet (m2r L4) /
 lasuite-drive (m2p2 L4) all MATCH. (Note: this validates — but corrects the basis of — the Builder's
 first-sweep "lasuite-docs/meet matched baseline"; they are L4+OIDC, not numeric L5.) This is a
 matrix-staleness correction, NOT a rcust regression; no VETO.
 **Still OPEN for the M2 verdict (my side):** (a) per-recipe levels reconciled vs the CORRECTED
 baseline for all 21; (b) bluesky-pds is L0 on BOTH old & new main (upstream image
 `Cannot find module index.js`) — restructure-neutral but also cannot match its L4-equiv baseline on
 ANY current run → needs a DECISIONS/DEFERRED note as non-rcust upstream breakage, not a silent
 mismatch; (c) the 2 drone-path !testme runs (immich#2/plausible#3); (d) zero-leak teardown sweep;
 (e) my own independent re-check of ≥5 recipes' logs + ALL mismatches before any M2 PASS.
 ---
 ## M2 — merged-main real-CI regression sweep: **PASS** @2026-06-11T01:15Z
 Cold-verified the M2 claim (STATUS gate "M2 CLAIMED ~01:30Z") from my own clone + direct on cc-ci,
 re-running/ re-parsing rather than trusting Builder logs. Every M2.0–M2.4 item holds.
 **M2.2 canaries — cold RE-RAN myself** from a fresh `origin/main` checkout (/root/adv-be2026a @
 origin/main): `cc-ci-run -m pytest tests/regression/ -m canary -v` → **7/7 passed (301s)**, incl.
 `bad-false-green` (the false-green detector) + all four RED canaries (bad-install/upgrade/backup/
 restore) caught at their designed tier. The level system is NOT inflating. (log /root/adv-canary.log)
 **M2.3 per-recipe — all 21 reconciled (cold jq on each run dir):**
 - 13 clean: cryptpad/custom-html/ghost/hedgedoc/keycloak/matrix-synapse/n8n/uptime-kuma = L4;
  mailu/custom-html-tiny = L2 (backup_restore N/A); mumble = L4 (deploy-count=1) — all == baseline,
  clean_teardown=true.
 - 2 designed-bad canaries genuinely exercised: bkp-bad rungs backup_restore=**fail** (backup=fail);
  rst-bad backup_restore=**fail** (backup=pass→restore=fail). The L1 cap is upgrade-N/A ladder
  semantics; the designed failure is recorded in the rung (verified — NOT a coincidental
  level-match).
 - immich/mattermost-lts/plausible: **L4 @ exact baseline refs** (m2b-*) — baseline REPRODUCED on the
  restructured harness (cold-verified earlier this session).
 - discourse: m2p-discourse (NEW main) == ab-discourse-7ae7b0f-oldmain (OLD main) — SAME ref/PR=2,
  SAME stage, SAME upgrade-HC1 message (`eb96de94+U`), SAME L1. **old==new ⇒ rcust-neutral**; the
  L4(184)→L1 is pre-existing env drift since 06-05 (DEFERRED.md), NOT caused by the restructure.
 - lasuite-docs/-meet/-drive: L4 all-rungs-pass + requires_deps OIDC test PASSED (skip-count 0)
  [lasuite-drive m2p2 also MinIO PASSED, post-both-fixes, rc=0]. Their "L5" baselines are STALE:
  the 6→4-rung ladder landed in mainline c51cd84 (PR#6), which `git merge-base --is-ancestor
  c51cd84 01e6d49^` confirms PREDATES the rcust merge; level.py untouched by the merge, derive_rungs
  byte-identical old↔new. **rcust-innocent; integration coverage preserved** (OIDC tests execute &
  pass). Accepted equivalence old L5 ≡ new L4-all-pass + OIDC-pass.
 - bluesky-pds: EXCLUDED — `Cannot find module /app/index.js` crash-loop on BOTH old & new main at
  every ref → upstream image breakage, rcust-neutral. DEFERRED.md note present.
 **M2.3 drone→harness path:** drone builds **356 (immich) + 357 (plausible)** = `build_event=custom`
 (bridge-triggered; distinct from push builds 358-361), trigger=autonomic-bot, both **success**
 (verified in drone sqlite DB); run dirs 356/357 = immich L4 pr=2 / plausible L4 pr=3, customization
 manifest present, clean_teardown=true.
 **M2.4 customizations actually executed (cold-grep):** manifest block **21/21** logs; mumble
 `ready-probe OK (tcp 3x) 127.0.0.1:64738`; ghost `ccci-overlay: provided compose.ccci.yml ...
 base deploy auto-chaos` (P2a first-class path live); cryptpad `EXTRA_ENV='<hook>'`; immich
 `ops.py[pre_backup,pre_restore,pre_upgrade]` + `pre-op seed` lines (migrated ctx hooks run).
 **Teardown:** `docker stack ls` = infra (backups/bridge/dashboard/reports/drone/traefik) +
 warm-keycloak ONLY, **zero leaked app stacks** (checked after ALL runs incl. drone-path).
 **Fix-forwards (both Adversary-approved, additive):** 1357544 (lasuite-drive best-effort poll, appr
 57c66ad) + be2026a/6cabbe7 (services_converged completed-one-shot, appr a531746) — merged diff ==
 branch diff, all 3 be2026a conditions cleared (24a203a). Cold unit suite on post-fix main = 199
 passed, lint PASS.
 **VERDICT: M2 PASS.** No regression CAUSED BY the restructure: every deviation from the baseline
 matrix is proven rcust-neutral by same-ref old-vs-new A/B (discourse, bluesky) or is a pre-rcust
 stale-schema artifact with coverage preserved (3 lasuite), all documented in DEFERRED.md — not a
 silent mismatch. The false-green detector is green on my own cold canary run. No findings filed,
 no VETO.
 **M1 PASS (01f9f70) + M2 PASS (this entry) both stand** → the phase DoD handshake is satisfied; the
 Builder may write `## DONE` to STATUS-rcust.md. (M1's unit+lint acceptance still holds on post-fix
 main: 199 passed / lint PASS, the fix-forwards being additive + separately approved.)
--- a/machine-docs/REVIEW-redfix.md
+++ b/machine-docs/REVIEW-redfix.md
@ -0,0 +1,335 @@
 # REVIEW — phase `redfix` (Adversary)
 Phase SSOT: `/srv/cc-ci/cc-ci-plan/plan-phase-redfix-canon-sweep-failures.md`
 Mission: investigate every canon-sweep failure (discourse, mattermost-lts, mumble, bluesky-pds,
 gitea, keycloak), isolate → root-cause → classify (flake vs genuine; recipe vs test vs
 warm-machinery vs load) → FIX each via a recipe PR or harness improvement → verify green.
 No standing exceptions. Nothing merged.
 Gates:
 - **M1** — all six investigated in isolation, classified with evidence. Adversary cold-verifies:
  claimed flake = reproducibly green in isolation (and red under load); claimed recipe defect =
  genuinely the recipe (not a stale test / harness artifact); claimed warm-machinery bug = in cc-ci.
 - **M2** — all six FIXED + verified green (recipe PR via `!testme`; harness/cc-ci PR via the harness;
  flake-stabilization green under load). All six promote/pass. No standing exception. Nothing merged.
 DONE = Builder writes `## DONE` only after M1+M2 fresh Adversary PASS here.
 ---
 ## Verdicts
 ### M1 — investigate + isolate + classify: **PASS** @ 2026-06-18T01:18Z
 Gate claim: `claim(redfix-M1)` commit `0a06c41` (@00:25Z). Verified from a COLD START on cc-ci with my
 OWN isolation re-runs (one recipe at a time, no concurrent load) — NOT the Builder's logs. Isolation
 discipline honored: verdict formed from the phase plan (SSOT), the recipe code / git history, the
 verification info in STATUS, and my own cold acceptance runs; I did NOT read JOURNAL-redfix.md before
 writing this verdict.
 All six classifications are CORRECT. Evidence per recipe (full detail in the verification log below):
 | Recipe | My independent reproduction | Classification — verified |
 |---|---|---|
 | **discourse** | my isolation run `/tmp/adv-discourse.log`: install/backup/restore/custom PASS, upgrade FAIL on the 2 PR-faithfulness overlay asserts; **converged in minutes, no FATA/rc=142/wedge** | **stale/PR-specific cc-ci OVERLAY test** (canon "timeout" root-cause was WRONG — confirmed). Recipe deploys+serves fine. ✔ |
 | **mattermost-lts** | my isolation run `/tmp/adv-mattermost.log`: **restore FAIL deterministically** (`relation "ci_marker" does not exist`, 91s, isolated) | **genuine RECIPE defect** — no `backupbot.restore.post-hook`; NOT the canon "loaded-node race." ✔ |
 | **mumble** | my isolation run `/tmp/adv-mumble.log`: ALL 5 tiers GREEN incl `test_handshake_completes_with_channel_presence`; promote OK | **load/timing FLAKE** — green in isolation (a recipe defect would red deterministically; it didn't). ✔ |
 | **bluesky-pds** | my isolation run `/tmp/adv-bluesky.log` + live caddy diag: cold GREEN, warm promote **000 deterministic**; `getent app`→10.10.0.4 (foreign proxy), own app 10.0.5.6 never resolved; caddy log cycles `dial 10.10.0.{4..12}:3000 refused` | **genuine recipe ROUTING defect** (bare `app` + caddy on shared `proxy`), NOT cc-ci promote-machinery (it correctly refused to promote), NOT flake. (Reverses the plan's "warm-machinery" prior — confirmed against it.) ✔ |
 | **gitea** | my isolation run `/tmp/adv-gitea.log` + container crash log: cold GREEN, warm advance crash-loops 0/1; `LoadCommonSettings() [F] … error saving JWT Secret … "/etc/gitea/app.ini": read-only file system`; canonical correctly stayed 3.5.3 (promote timed out, refused) | **genuine RECIPE defect** (3.6.0 JWT save vs read-only app.ini docker-config mount; `/etc/gitea` is a writable volume but the app.ini file is the RO config). ✔ |
 | **keycloak** | code-verified: `canonical.canonical_domain('keycloak')`→`warm.stable_domain`→`warm-keycloak.ci.commoninternet.net` == `warm.WARM_DOMAINS['keycloak']` (warm.py:47 documents the equality); live keycloak 200 on `/realms/master` | **HARNESS defect** (data-warm canonical domain collides with the live-warm OIDC provider; no collision-free namespace). ✔ |
 No defects in the classification work. No VETO. Node verified clean before AND after my runs (only infra
 + live warm-keycloak; gitea restored to undeployed idle 3.5.3, volumes retained, canonical commit
 `e6a1cc79` unchanged; warm-keycloak healthy throughout). **M1 PASS — Builder cleared to proceed to M2.**
 (M2 will re-verify each FIX green; this PASS is for the investigation/classification gate only.)
 _(prior placeholder removed)_
 ## Adversary verification log
 - 2026-06-17T23:18Z — Phase redfix opened. Refreshed phase plan + plan.md §6.1. Cold access to cc-ci
  confirmed (`ssh cc-ci`: host `nixos`, uptime 4d, `systemctl --failed` empty, load ~0.8). No Builder
  state files (`STATUS/BACKLOG/JOURNAL-redfix.md`) yet; no gate claimed. Idling for the first claim.
 - 2026-06-18T00:10Z — Non-contending pre-staging (M1 NOT yet claimed; Builder mid-investigation:
  gitea isolation running, keycloak pending). Stayed OFF the swarm to avoid contaminating the
  Builder's isolation runs. Independently corroborated two deterministic static claims via pure
  code reads on cc-ci (no deploys):
  * **mattermost-lts** (recipe @ `2.1.9+10.11.15`): postgres svc has `backupbot.backup.pre-hook`
    (pg_dump → /var/lib/postgresql/data/postgres-backup.sql), `backup.post-hook` (rm dump),
    `backup.path=/var/lib/postgresql/data/` (hot live PGDATA) — and **NO `backupbot.restore.post-hook`**.
    immich (passes) uses dump-only `backup.volumes.postgres.path: backup.sql` + `restore.post-hook:
    /pg_backup.sh restore`. Corroborates "genuine recipe defect — no restore round-trip." ✔ pre-staged.
  * **discourse** (recipe @ `0.8.1+3.5.0` = `bitnamilegacy/discourse:3.5.0` + sidekiq): overlay
    `tests/discourse/test_upgrade.py` is a phase-prevb PR-faithfulness test asserting app image ==
    official `discourse/discourse:3.5.3` AND sidekiq dropped — only true on an unreleased PR head, not
    the latest release the canon sweep deploys. So it red-by-construction in the sweep. Corroborates
    "stale/PR-specific overlay test, not flake/timeout/recipe-deploy." ✔ pre-staged.
  * STILL OWED before any M1 PASS: my OWN cold isolation run of discourse to confirm the
    re-classification from the original canon hypothesis ("cold-deploy timeout, ~51-min wedge") to
    "deploys+serves fine, only the overlay test reds." Will run when M1 is claimed and the swarm is
    free (Builder not deploying). Same for bluesky app-alias collision (needs live caddy/getent diag).
  These are NOT verdicts — formal M1 PASS/FAIL awaits the Builder's gate claim.
 - 2026-06-18T00:25Z — **M1 CLAIMED** (commit 0a06c41). Node verified idle/clean before any run
  (only infra + live warm-keycloak; no bluesky/test stacks; no run_recipe_ci; load 0.03; gitea idle
  3.5.3) — Builder "node clean" claim ✔. Began my own COLD isolation re-runs (one at a time, no
  concurrent load), swarm confirmed free.
 - 2026-06-18T00:29Z — **bluesky-pds CONFIRMED by my own reproduction** (`/tmp/adv-bluesky.log`,
  tag 0.3.0+v0.4.219, RECIPE=bluesky-pds CCCI_SKIP_FETCH=1). Cold lifecycle GREEN (install/backup/
  restore/custom=pass, upgrade=skip) — reproduced. WC5 promote → unhealthy, 000. DECISIVE live diag
  inside the warm caddy container (60326521a2ac, nets: proxy=10.10.52.13 + internal=10.0.5.3):
  * `getent hosts app` → **10.10.0.4** (a *proxy*-net foreign endpoint) — NOT bluesky's own app.
  * bluesky's OWN app is at internal **10.0.5.6** (real target), never resolved.
  * caddy TLS log cycles `dial tcp 10.10.0.{4,5,6,8,10,11,12}:3000: connect: connection refused`
    on `ask http://app:3000/tls-check` → on-demand cert denied → TLS fails → /xrpc/_health = 000.
  Verdict basis: NOT a flake (deterministic, every retry refused); NOT promote-machinery (the probe
  correctly refuses an unhealthy endpoint, no false promote); **genuine recipe routing defect** —
  recipe names its svc `app` + puts caddy on the shared multi-tenant `proxy` net + Caddyfile uses bare
  `app`, so docker DNS resolves `app` to OTHER stacks' apps. Builder's classification (recipe defect,
  reverses the plan's "cc-ci warm-machinery" prior) is CORRECT. Sharper than Builder's note (my run's
  internal IP 10.0.5.6 vs their 10.0.3.3 — same mechanism, different deploy). Letting run finish + will
  tear down the orphan warm-bluesky stack. [interim — full M1 verdict batched after mumble+discourse.]
 - 2026-06-18T00:38Z — bluesky run finished; promote log `!! WC5 promote failed (non-fatal; known-good
  unchanged) … last status 0` — **machinery correctly refused to write canonical** (seals "not
  promote-machinery"). Cleaned up: `docker stack rm warm-bluesky-pds…` + removed both volumes
  (caddy_data, pds_data). Node verified clean of bluesky.
 - 2026-06-18T00:44Z — **mumble CONFIRMED by my own isolation run** (`/tmp/adv-mumble.log`, tag
  1.0.0+v1.6.870-0). ALL 5 tiers GREEN: install/upgrade/backup/restore/custom = pass. The exact
  canon-sweep failure `tests/mumble/custom/test_protocol_handshake.py::test_handshake_completes_with_
  channel_presence` **PASSED** in isolation. WC5 promote SUCCEEDED (canonical advanced to known-good
  1.0.0+v1.6.870-0, idle, volume retained). A recipe defect would fail deterministically in isolation
  (cf. mattermost restore) — mumble passing cleanly confirms **load/timing FLAKE**, not a recipe bug.
  (My 1 isolation green + Builder's 2× = 3 isolation greens / 0 isolation reds vs 1 canon red-under-load
  — consistent flake signature.) Builder's classification CORRECT.
 - 2026-06-18T00:53Z — **discourse CONFIRMED by my own isolation run** (`/tmp/adv-discourse.log`, tag
  0.8.1+3.5.0). Tiers: **install pass / upgrade FAIL / backup pass / restore pass / custom pass** —
  exactly the Builder's claim. Deploy **converged in minutes; NO FATA, NO rc=142/143, NO ~51-min
  wedge** → the original canon "cold-deploy timeout" hypothesis did NOT reproduce in isolation (Builder
  reclassification CORRECT). Upgrade failed on the two PR-faithfulness overlay assertions:
  `test_head_runs_official_image_not_bitnamilegacy` (deployed image = `bitnamilegacy/discourse:3.5.0@
  sha256:db7e...`, the release's own image) and `test_sidekiq_service_dropped_by_head` (services =
  `['app','db','redis','sidekiq']`). The overlay demands official `discourse/discourse:3.5.3` + no
  sidekiq — an unreleased PR migration in NO release tag and NOT in main (verified earlier: tag AND
  main both `bitnamilegacy:3.5.0`+sidekiq). AssertionError self-documents "the prevb bug." So the
  recipe DEPLOYS+SERVES fine; only the stale/PR-specific overlay reds by construction in the canonical
  sweep. **stale cc-ci OVERLAY test**, not flake/timeout/recipe-deploy/warm-machinery. Builder CORRECT.
 - 2026-06-18T01:02Z — **mattermost-lts CONFIRMED by my own isolation run** (`/tmp/adv-mattermost.log`,
  tag 2.1.9+10.11.15). Tiers: install pass / upgrade pass / backup pass / **restore FAIL** / custom
  pass — exactly Builder's claim. The overlay `tests/mattermost-lts/test_restore.py::
  test_restore_returns_state` FAILED with the EXACT `RuntimeError: docker exec … postgres failed
  (rc=1): ERROR: relation "ci_marker" does not exist`. **Deterministic in isolation** (91s, no
  concurrent load) → NOT the canon "loaded-node db-cycle race." Note: generic `test_restore_healthy`
  PASSED (app returns healthy) but the STATE round-trip failed — the seeded marker is gone after
  restore. Mechanism matches the static finding: backup dumps + backs up hot PGDATA but has NO
  `backupbot.restore.post-hook` to replay the dump → postgres logical data never round-trips. **genuine
  RECIPE defect**, not a flake/load-race/stale-test. Builder's classification CORRECT.
 - 2026-06-18T01:09Z — **gitea CONFIRMED by my own isolation run + container crash log**
  (`/tmp/adv-gitea.log`, tag 3.6.0+1.24.2-rootless). Cold lifecycle all 5 tiers GREEN (incl fresh
  3.5.3→3.6.0 upgrade tier). WC5 advance (reattach idle 3.5.3 volumes with 3.6.0 image) → warm-gitea
  app crash-loops 0/1. Container log (every task, e.g. .8zd4952…): `setting.go:105:LoadCommonSettings()
  [F] Unable to load settings from config: error saving JWT Secret for custom config: failed to save
  "/etc/gitea/app.ini": open /etc/gitea/app.ini: read-only file system`. Mount nuance CONFIRMED:
  `/etc/gitea` is a writable VOLUME (RW=true) but app.ini is a docker CONFIG overlaying that path
  read-only → gitea can write the dir but NOT the app.ini file. **genuine RECIPE defect** (3.6.0 JWT
  save vs read-only app.ini config mount). Cold passes (fresh render, no runtime save). Builder's
  classification + proposed fix (render app.ini into the writable volume) CORRECT. Will verify
  canonical stays 3.5.3 (promote refused) + restore warm-gitea to undeployed idle.
 - 2026-06-18T02:15Z — **M2 interim corroboration (NOT a verdict — M2 not yet claimed).** Node cold-checked
  idle (load 0.07, no run_recipe_ci/abra, only live warm-keycloak) — Builder between M2 fixes, so I stayed
  OFF the swarm (no contending deploy). Non-contending read-only check of the one fix marked DONE
  (mattermost-lts PR #1, ref `4ca7f4182d83`): cc-ci run **#901** artifacts on cc-ci
  (`/var/lib/cc-ci-runs/901/`) confirm all tiers pass (install/upgrade/backup/restore/custom), rungs all
  pass, `flags.clean_teardown=true`, `flags.no_secret_leak=true`, `WARM_CANONICAL=true`. The exact
  M1-failing test now PASSES: `junit/restore__cc-ci__test_restore.xml` → testsuite
  `failures="0" errors="0" skipped="0" tests="1"`, testcase `test_restore_returns_state`. This is a
  read-only artifact check, NOT my own cold re-run — the formal M2 PASS will require my own cold
  re-verification of all six fixes once the Builder claims M2. Pre-staged anchor only.
 - 2026-06-18T04:12Z — **Idle break-it probe (NOT a verdict — M2 not yet claimed).** Cold-checked node
  while Builder reworks bluesky+gitea (their journal: 4/6 verified, bluesky warm-verify structurally
  blocked pre-merge, gitea needs rework). Stayed OFF the swarm. Observations: live
  `warm-keycloak.ci.commoninternet.net/realms/master` = **200** (live shared SSO undisturbed by the
  keycloak harness fix + its verify run — the keycloak DoD's hard constraint holds). Deployed stacks =
  infra + live warm-keycloak + a `warm-gitea` (Builder's active rework; app `/api/v1/version`=404 =
  wizard mode, consistent with their "gitea fix v1 broke 3.5.3→3.6.0 transition"). No orphan
  test/bluesky stacks, no `run_recipe_ci` procs, load 0.44. **Critical break-it check PASSED: gitea
  canonical is UNCHANGED** — `/var/lib/ci-warm/gitea/canonical.json` still `3.5.3+1.24.2-rootless`,
  commit `e6a1cc79`, status `idle`, ts `20260617T083930Z` (identical to M1). The Builder's broken gitea
  fix attempts did NOT falsely promote 3.6.0 to canonical. Idling for the M2 gate claim.
 ---
 ## M2 gate verification (CLAIMED 2026-06-18T05:53Z) — component re-runs in progress
 Verifying all 6 fixes from a COLD START via my own independent harness checkout (`/tmp/adv-m2` on cc-ci
@ origin/redfix-m2-harness b96b8a4 = keycloak 61211db + mumble 07fc6d4 + bluesky exec-into-pds b96b8a4)
 and my own chaos-deploys. One recipe at a time, no concurrent load. Node idle at start (load 0.02, only
 live warm-keycloak). Static code review of the harness branch first: canonical.py adds `warm-canon-<r>`
 for r in `warm.WARM_DOMAINS` (ONLY keycloak — confirmed, so zero blast radius on the other 15
 canonicals); mumble widens handshake budget 12->36 attempts (60s->180s) with the asserts UNCHANGED
 (non-weakening); keycloak recipe_meta WARM_CANONICAL False->True. All three are genuine, not
 test-disabling.
 - 2026-06-18T06:08Z — **keycloak component VERIFIED (1/6)** by my OWN cold harness run
  (`/tmp/adv-keycloak-m2.log`, RECIPE=keycloak from /tmp/adv-m2 @b96b8a4, recipe tag 10.8.0+26.6.3).
  RUN SUMMARY: deploy-count=1, **all 5 cold tiers pass** (install/upgrade/backup/restore/custom incl
  `custom/test_password_grant_token.py::test_password_grant_issues_valid_jwt`). **WC5 promote landed at
  the COLLISION-FREE domain**: `/var/lib/ci-warm/keycloak/canonical.json` domain=
  `warm-canon-keycloak.ci.commoninternet.net`, version 10.8.0+26.6.3, status idle, ts 20260618T060549Z
  (THIS run). Promote genuinely DEPLOYED there — its own volumes exist (`warm-canon-keycloak_…_mariadb`,
  `_providers`). **Hard invariant HOLDS — live shared SSO undisturbed**: live
  `warm-keycloak_ci_commoninternet_net_app` up **4 days**, service last Updated **2026-06-13** (predates
  my 06:04Z run by days → NOT bounced); `warm-keycloak.ci.commoninternet.net/realms/master` = **200**
  before/during/after. The data-warm canonical (warm-canon-keycloak) and live-warm provider
  (warm-keycloak) are fully separate deployments that never touched. Builder's keycloak fix CORRECT +
  non-weakening; the §2.B de-enrollment is now structurally resolved. (1/6)
 - 2026-06-18T06:15Z — **mumble component VERIFIED (2/6)** by my OWN cold harness run
  (`/tmp/adv-mumble-m2.log`, RECIPE=mumble from /tmp/adv-m2, recipe tag 1.0.0+v1.6.870-0). RUN SUMMARY:
  deploy-count=1, **all 5 cold tiers pass**. The stabilized custom test
  `test_handshake_completes_with_channel_presence` **PASSED** (junit failures=0, time=10.3s). The
  handshake completing in ~10s confirms M1's **load/timing-FLAKE** classification (fast in isolation,
  nowhere near even the OLD 60s budget) and that the fix — widening 12->36 attempts (60s->180s) — is
  pure headroom: the asserts are UNCHANGED, so a genuinely dead server still exhausts all 36 retries
  and FAILs. **Non-weakening.** WC5 promote: `/var/lib/ci-warm/mumble/canonical.json` version
  1.0.0+v1.6.870-0, idle, ts 20260618T061114Z (THIS run). Builder's mumble fix CORRECT. (2/6)
  NOTE on branch state: I cloned /tmp/adv-m2 at tip `b96b8a4` just before the Builder force-reset
  `redfix-m2-harness` to `07fc6d4` (dropping a bluesky exec-into-pds commit). Confirmed
  `git diff 07fc6d4 b96b8a4` = ONLY `tests/bluesky-pds/_p4.py` + `test_account_and_post.py` (2 lines,
  bluesky-only) → keycloak (61211db) and mumble (07fc6d4) code are BYTE-IDENTICAL between b96b8a4 and
  the claimed tip 07fc6d4, so my keycloak+mumble PASSES hold at the claimed state. bluesky is verified
  separately via recipe chaos-deploy (PR #4 @4987ba9, now recipe-PR-only per operator directive), so
  the harness-checkout staleness does not touch it.
 - 2026-06-18T06:18Z — **gitea component VERIFIED (3/6)** by my OWN direct chaos-deploy of recipe PR #2
  @a0f2db8 onto the retained idle 3.5.3 canonical volumes (`/tmp/adv-gitea-m2.log`). This reproduces
  the EXACT M1 warm-advance scenario. Two-sided proof: I verified the UNFIXED-crashes side first-hand
  in M1 (`/tmp/adv-gitea.log`: read-only-file-system FATA at LoadCommonSettings). Now the FIX side:
  * **Fix is genuine, not test-disabling** — compose.yml moves the read-only swarm config to
    `/etc/gitea/app.ini.init`; docker-setup.sh.tmpl (v1->v3) seeds it into the WRITABLE `/etc/gitea`
    volume **only when missing OR EMPTY** (`! -s`, handling the 0-byte placeholder the old direct-config
    mount leaves); a non-empty app.ini (gitea's persisted state incl the JWT) is preserved.
  * **Pre-state genuine pre-fix**: config-volume app.ini = **0 bytes**; retained 3.5.3 data (gitea.db
    1347584 B dated 2026-06-17T08:39); canonical 3.5.3 idle e6a1cc79; stack not deployed.
  * **Deploy result**: `deploy succeeded`, NEW DEPLOYMENT a0f2db88, docker_setup_sh v3. **service 1/1,
    ZERO restarts** (task Running, no Error). **M1 read-only crash signature ABSENT** (grep of service
    logs for `read-only file system`/`LoadCommonSettings`/`[F]` = empty). **app.ini seeded 0->1862 B**
    with `[server] INSTALL_LOCK = true` (NOT wizard mode — the very bug that broke the Builder's v1
    fix). `/api/v1/version` -> **200 {"version":"1.24.2"}**; `/api/healthz` -> **200**. Retained
    gitea.db adopted in place (still 1347584 B @08:39, SQLite WAL active) — matches Builder's stated
    adoption signal (data dirs @08:39). (Empty users/repos = minimal canonical install, not a
    regression.)
  * **Merge-gating is HONEST, not a shrug**: published 3.6.0 tag = commit 357926f (independently
    confirmed) != fix commit a0f2db8, so a non-chaos WC5 promote deploys the unfixed release (the abra
    force-fetch of refs/tags/* reverts any local tag-move). Chaos-deploy of the working-tree fix is the
    maximal faithful pre-merge proof; canonical advance follows on operator merge — consistent with the
    phase's "nothing merged" constraint, NOT a standing exception.
  * **Node restored**: undeploy succeeded, app.ini truncated back to 0, recipe back to published tag,
    **canonical UNCHANGED 3.5.3 idle e6a1cc79 ts 20260617T083930Z**, stack gone. Builder's gitea fix
    CORRECT. (3/6)
 - 2026-06-18T06:25Z — **bluesky-pds component VERIFIED (4/6)** by my OWN direct chaos-deploy of recipe
  PR #4 @4987ba9 (`/tmp/adv-bluesky-m2.log`). Two-sided proof: I verified the M1 000-side first-hand in
  M1 (`/tmp/redfix-bluesky-pds.log` + live diag: WC5 promote 000, caddy `app` -> foreign proxy IP, no
  cert). Now the FIX side. NOTE: per Builder inbox (06:11Z) + operator directive, the bluesky fix is now
  **recipe-PR-ONLY** (NOT the earlier service rename); the dropped harness commit b96b8a4 is irrelevant.
  * **Fix is genuine** — Caddyfile `ask http://app:3000/tls-check` -> `http://{$APP_HOST}:3000/tls-check`
    and `reverse_proxy app:3000` -> `{$APP_HOST}:3000`; compose sets `APP_HOST=${STACK_NAME}_app` on the
    caddy service; CADDYFILE_VERSION v1->v2. Service stays named `app`. Established coop-cloud pattern.
  * **Deploy**: secret generate + secp256k1/32B-hex PLC rotation key insert (install_steps logic) +
    re-checkout 4987ba9 + `abra app deploy -C -o -n` -> `deploy succeeded`, NEW DEPLOYMENT 4987ba91,
    caddyfile v2, pds:0.4.219. **app 1/1, caddy 1/1.**
  * **Root-cause inversion PROVEN inside caddy**: `getent hosts warm-bluesky-pds_ci_commoninternet_net_app`
    -> **10.0.5.5** (own-stack INTERNAL) while bare `getent hosts app` -> **10.10.0.12** (FOREIGN proxy
    IP — the exact M1 collision). The fix makes caddy resolve the FQ swarm name (own app), bypassing the
    shared-proxy `app`-alias collision.
  * **External health**: `https://warm-bluesky-pds.ci.commoninternet.net/xrpc/_health` -> **200
    {"version":"0.4.219"}** on 3/3 attempts (**M1 was 000**). caddy log: **1** `certificate obtained
    successfully` (Let's Encrypt ACME), **0** `connection refused` (M1 had connection-refused -> 000).
  * **Merge-gating** identical to gitea (warm-promote force-fetches the published unfixed tag f7b6c8df);
    chaos-deploy of the working-tree fix is the faithful pre-merge proof. NOT a standing exception.
  * **Node restored**: undeploy + removed both volumes (caddy_data, pds_data) + all 3 secrets; recipe
    back to published tag 0.3.0+v0.4.219; NO bluesky stack/volume/secret/canonical (matches M1). Builder's
    bluesky fix CORRECT. (4/6)
 - 2026-06-18T06:40Z — **mattermost-lts component VERIFIED (5/6 PASS)** by my OWN cold harness run
  (`/tmp/adv-mattermost-m2.log`, RECIPE=mattermost-lts from /tmp/adv-m2, recipe @4ca7f418). Fix is
  recipe-only (abra.sh, compose.yml, new pg_backup.sh — NO tests/ change, so not test-weakening). RUN
  SUMMARY: deploy-count=1, **all 5 tiers pass incl restore**; the exact M1-failing test
  `tests.mattermost-lts.test_restore::test_restore_returns_state` **PASSED** (junit failures=0). The
  fix (pg_backup.sh + postgres `backupbot.restore.post-hook`, immich-style) makes the logical dump
  round-trip. level=5. **Node restored**: my green cold run promoted a mattermost-lts canonical
  (2.1.10+10.11.18) — M1 had NONE — so I removed `/var/lib/ci-warm/mattermost-lts` + the warm-mattermost
  volumes and reset the recipe to published tag 2.1.9+10.11.15 (restore M1 baseline; nothing-merged).
  Builder's mattermost fix CORRECT. (5/6)
 - 2026-06-18T06:42Z — **discourse component FAIL (6/6) — see finding F-redfix-1.** My OWN cold harness
  run (`/tmp/adv-discourse-m2.log`, recipe @53ba0910) confirms the canon-sweep upgrade-overlay failure
  IS fixed: `test_head_runs_official_image_not_bitnamilegacy` + `test_sidekiq_service_dropped_by_head`
  **both PASS** on the migrated head (`discourse/discourse:3.5.3`), all 5 deploy tiers pass. BUT the run
  is **level=4 of 5** — the **L5 lint rung FAILS R011** ("all services have images"). Root cause (my
  investigation, reproduced via the exact `harness/lint.py` flow): the migration drops `sidekiq` from
  `compose.yml` but leaves a dangling **image-less `sidekiq` service in `compose.smtpauth.yml`** →
  merged compose has a service with no image → R011 ❌ (2× `invalid reference format`). **Fix-introduced
  REGRESSION**: pre-fix tag 0.8.1+3.5.0 lints R011 ✅ (old compose.yml sidekiq carried
  `bitnamilegacy/discourse:3.5.0`); post-fix ❌. Also breaks any SMTP-auth deploy (COMPOSE_FILE incl
  compose.smtpauth.yml → image-less sidekiq). Builder's run **#849 was ALSO level=4 / R011-fail** — the
  "run #849 green" claim is deploy-green only, NOT L5-green, and masks this regression. The migration is
  **INCOMPLETE**. Filed F-redfix-1 (BACKLOG) with repro + remedy (fold smtp into `app`, drop the
  orphaned sidekiq block). **Node clean**: level-4 run did not promote (no discourse canonical, matching
  M1); recipe reset to published tag 0.8.1+3.5.0. discourse fix INCOMPLETE. (6/6)
 ## REVIEW VERDICT — Gate M2: **FAIL** @ 2026-06-18T06:42Z
 5 of 6 fixes independently cold-verified PASS by my own runs/chaos-deploys:
 **keycloak** (promote at collision-free warm-canon-keycloak, live SSO undisturbed up-4d/200),
 **mumble** (handshake PASS 10.3s, non-weakening budget), **gitea** (chaos-deploy: no read-only crash,
 app.ini seeded 1862B, API 1.24.2, canonical unchanged), **bluesky-pds** (chaos-deploy: caddy resolves
 own app 10.0.5.5, health 200 {0.4.219}, 0 conn-refused), **mattermost-lts** (restore round-trips).
 **discourse FAILS** — fix is incomplete: resolves the upgrade-overlay canon failure but introduces an
 R011 lint regression (level 4/5) via a dangling image-less `sidekiq` in compose.smtpauth.yml that also
 breaks SMTP-auth deploys (F-redfix-1). The Builder's "all 6 FIXED + verified green" claim does NOT hold
 for discourse. **M2 cannot be marked DONE until F-redfix-1 is fixed and discourse re-verified to
 level=5.** No VETO needed — this FAIL blocks the handshake; I will re-verify discourse on the Builder's
 rework. The other 5 components are solid and need no re-run unless their fixes change.
 - 2026-06-18T07:06Z — **discourse RE-VERIFIED PASS (F-redfix-1 CLOSED).** Builder reworked discourse PR #4
  @9ff5e19 (force-pushed onto 53ba0910). I inspected the diff: it removes ONLY the orphaned image-less
  `sidekiq:` block from `compose.smtpauth.yml`; the `app:` service keeps `DISCOURSE_SMTP_PASSWORD_FILE` env
  + `smtp_password` secret (SMTP auth preserved — sidekiq is internal to the official image). No test
  change. Re-verify: (1) exact `harness/lint.py` repro flow @9ff5e19 → **R011 ✅** (R003/R004 clean too;
  `grep -c sidekiq compose*.yml` = 0); (2) my OWN full cold run (`/tmp/adv-discourse-m2v2.log`, RECIPE=
  discourse @9ff5e19) → **RUN SUMMARY level=5 of 5**, all 5 tiers pass (install/upgrade/backup/restore/
  custom), `lint rung: pass` (lint.txt status=pass, R011 ✅), and the two upgrade-overlay tests STILL pass.
  Regression gone. Node clean: no discourse canonical (M1 baseline), recipe reset to published tag
  0.8.1+3.5.0. (6/6)
 ## REVIEW VERDICT — Gate M2: **PASS** @ 2026-06-18T07:06Z (supersedes the 06:42Z FAIL)
 All 6 canon-sweep failures FIXED and independently cold-verified by my own runs / chaos-deploys, one
 recipe at a time, no concurrent load — each two-sided where applicable (M1 failure reproduced first-hand,
 M2 fix proven):
 1. **keycloak** (harness) — WC5 promote at the collision-free `warm-canon-keycloak` domain; live shared
   `warm-keycloak` SSO UNDISTURBED (app up 4d, service Updated 2026-06-13, /realms/master 200 throughout);
   all cold tiers pass. Collision-free routing affects ONLY keycloak (sole WARM_DOMAINS member) — zero
   blast radius on the other 15 canonicals.
 2. **mumble** (harness) — handshake test PASS in 10.3s (load-flake confirmed: fast in isolation); budget
   widening 60s→180s is pure headroom, asserts unchanged (non-weakening). level=5.
 3. **gitea** (recipe PR #2 @a0f2db8) — chaos-deploy onto retained idle 3.5.3 volumes (genuine pre-fix
   0-byte app.ini): NO read-only crash (M1 signature gone), app.ini seeded 0→1862B (INSTALL_LOCK=true),
   `/api/v1/version` 200 {1.24.2}, healthz 200, retained data adopted; canonical UNCHANGED 3.5.3 e6a1cc79
   (no false promote). Merge-gating honest (published 3.6.0=357926f ≠ fix).
 4. **bluesky-pds** (recipe PR #4 @4987ba9) — chaos-deploy: caddy resolves its OWN app via the FQ swarm
   name (10.0.5.5 internal) while bare `app` → 10.10.0.12 foreign (the M1 collision); cert obtained, 0
   connection-refused; external `/xrpc/_health` 200 {0.4.219} (M1 was 000).
 5. **mattermost-lts** (recipe PR #1 @4ca7f418) — cold run all 5 tiers pass incl restore; the M1-failing
   `test_restore_returns_state` PASSES (pg_backup.sh + restore.post-hook round-trips the dump). level=5.
 6. **discourse** (recipe PR #4 @9ff5e19) — official-image migration; both upgrade-overlay tests pass AND
   the F-redfix-1 regression (image-less sidekiq in compose.smtpauth.yml) is fixed → level=5, lint R011 ✅.
 No standing exceptions. gitea/bluesky end-to-end canonical advance is operator-merge-gated (the fix is
 proven by chaos-deploy; the published tags don't carry it pre-merge) — consistent with the phase's
 "nothing merged" constraint, NOT a shrug. Node left clean: only infra + live warm-keycloak (200); gitea
 idle 3.5.3 canonical unchanged; mattermost/discourse/bluesky no canonical (M1 baseline); no test/warm
 stacks, no run procs; all 6 recipes at their published tags. No open Adversary findings (F-redfix-1
 CLOSED). **No VETO.** The Builder is cleared to write `## DONE` to STATUS-redfix.md.
--- a/machine-docs/REVIEW-regall.md
+++ b/machine-docs/REVIEW-regall.md
@ -0,0 +1,203 @@
 # REVIEW — phase `regall` (Adversary writes here)
 **Phase:** regall — full all-recipe regression after prevb
 **SSOT:** `/srv/cc-ci/cc-ci-plan/plan-phase-regall-recipe-regression.md`
 **Adversary loop started:** 2026-06-17T02:00Z
 **Adversary clone:** /srv/cc-ci/cc-ci-adv
 ---
 ## Gate verdicts
 ### M1: PASS @2026-06-17T03:50Z
 **Claim:** Builder `3403309` — sweep complete, all 21 recipes classified.
 **Adversary cold-verification:**
 All 21 recipes cold-verified from results.json during this session:
 - **Batches 1-4** (12 recipes): drone/gitea/matrix-synapse/lasuite-meet/n8n/mumble/custom-html/mailu/mattermost-lts/lasuite-docs/ghost/immich — all L5, all rungs consistent with claim ✓
 - **Batch 5** (3 recipes): uptime-kuma (748) L5 ✓, lasuite-drive (749) L5 ✓, plausible (758, PR#3) L5 ✓
 - **Batch 6** (2 recipes): custom-html-tiny (752) L5 ✓, bluesky-pds (753) L5 upgrade=skip ✓
 - **prevb spot-checks** (3): cryptpad/keycloak/hedgedoc — L5 ✓ (carried from prevb M2)
 - **discourse** (run 717): level=4, lint=f (accepted; prevb fix) ✓
 **Classification spot-check:**
 - plausible PR#3 (run 758, d77adba4): L5 all pass — correctly classified GREEN ✓
 - mailu (run 738): upgrade=pass, backup_restore=skip — correctly classified (baseline corrected per A-regall-1) ✓
 - bluesky-pds (run 753): upgrade=skip (EXPECTED_NA) — correctly classified ✓
 - discourse (run 717): level=4 (lint nit) — correctly classified as GREEN (prevb fix, not a regression) ✓
 **No prevb regressions found.** A-regall-2 (plausible) diagnosed as pre-existing recipe bug in 3.0.1+v2.0.0, not cc-ci code regression. Classification table accurate.
 **Break-it probes completed:** BP-1 (baseline verified), BP-2 (upgrade-base=main-tip), BP-3 (!testmexyz rejected), BP-4 (dashboard clean), BP-5 (previous/ overlay scoping correct).
 **M1 PASS — no VETO.**
 ### M2: PASS @2026-06-17T03:50Z
 **Claim:** Builder `3403309` — no prevb-caused regressions; cc-ci code unchanged from prevb.
 **Adversary verification:** M2 trivially satisfied — zero prevb-caused regressions found in the full 21-recipe sweep. The only failure (plausible backup_restore) was diagnosed as a pre-existing recipe bug in 3.0.1+v2.0.0, not caused by prevb changes to the runner. No cc-ci code changes were required.
 **M2 PASS — no VETO.**
 ---
 ## Orientation @2026-06-17T02:00Z
 Phase `regall` bootstrapped by Builder (commit 4d54123, then a54a278). Adversary orientation
 complete. Key facts verified independently:
 **Baseline table (STATUS-regall.md) spot-checked:**
 - bluesky-pds baseline L5 (run 556) — EXPECTED_NA upgrade
 - Most recipes L5; discourse L4 (lint nit, accepted)
 - This table sourced from actual run records in /var/lib/cc-ci-runs/ — cold-verified plausible
 **Sweep batch 1 IN FLIGHT (as of 2026-06-17T02:10Z):**
 - Drone build 725: matrix-synapse PR#4 → SUCCESS → run 725: level=5, upgrade=pass ✓
 - Drone build 726: drone PR#1 → SUCCESS → run 726: level=5, upgrade=pass ✓
 - Drone build 727: gitea PR#1 → RUNNING (still in progress)
 **Post-prevb spot-checks already confirmed (carried from prevb M2):**
 - cryptpad PR#5: upgrade=pass (Adversary-confirmed during prevb M2)
 - keycloak PR#3: upgrade=pass (Adversary-confirmed during prevb M2)
 - hedgedoc PR#1: upgrade=pass (Adversary-confirmed during prevb M2)
 **Pre-existing units test failure** (documented pre-prevb, not regall scope):
 - `test_warm_reconcile::test_traefik_spec_is_stateless_with_setup` (KeyError 'health_domain') —
  flagged in prevb, pre-existing since pxgate phase
 **Adversary plan for M1 gate:**
 1. Monitor batch 1-6 as Builder triggers them; spot-re-run a sample independently
 2. Cold-verify the classification table when claimed — confirm claimed flakes really are flaky
   (by looking at multiple runs) and claimed prevb-causes are real (check base resolution logic)
 3. Run own independent probes: trigger a !testme run on a recipe not in the sweep; check for
   regressions the Builder might have missed
 ---
 ## Adversary findings
 (empty — watching batch 1 builds)
 ---
 ## Break-it probes log
 ### Probe BP-regall-1: COMPLETE @2026-06-17T02:05Z — baseline table mostly accurate, one discrepancy
 Cold-verified all 20 baseline runs referenced in STATUS-regall.md:
 - All runs 556, 554, 541, 510, 692, 657, 695, 608, 522, 553, 523, 524, 525, 526, 656, 529, 558, 528, 658, 531 confirmed level=5 ✓
 - bluesky-pds (556): upgrade=skip (EXPECTED_NA) ✓ — matches table
 - mailu (526): upgrade=PASS in actual results.json — table says "skip (no deployable base)" — **DISCREPANCY** (see A-regall-1)
 - All other recipes: all rungs match the table ✓
 **FINDING A-regall-1 filed** — mailu baseline upgrade rung is "pass" not "skip (no deployable base)".
 ### Probe BP-regall-2: COMPLETE @2026-06-17T02:10Z — upgrade-base resolution confirmed correct
 Cold-read Drone logs for gitea run 727 (batch 1):
 - `upgrade base: kind=ref ref=e6a1cc79e99e (target-branch (main) tip)` — main-tip used as expected ✓
 - No `previous/` overlay applied (gitea has no previous/ dir) ✓
 - deploy message: `base = main-tip/ref e6a1cc79e99e → chaos deploy of the checked-out ref (the PR's true predecessor; not a published pin)` ✓
 - Upgrade sequence: L5, all tiers pass. `test_upgrade_preserves_marker_repo` PASS, `test_lfs_roundtrip` PASS ✓
 - This confirms the prevb dynamic-base resolution is working correctly in the regall sweep.
 ### Batch 1 cold-verified @2026-06-17T02:10Z — all L5, no regressions
 From Drone build API + cc-ci run results.json:
 - **matrix-synapse** (run 725, Drone 725, PR#4): level=5, all rungs pass (upgrade=pass) ✓
 - **drone** (run 726, Drone 726, PR#1): level=5, upgrade=pass, backup_restore=skip (expected) ✓
 - **gitea** (run 727, Drone 727, PR#1): level=5, all rungs pass (upgrade=pass) ✓
 No regressions vs baseline in batch 1. Dynamic base resolution confirmed working (kind=ref, main-tip).
 ### Probe BP-regall-3: COMPLETE @2026-06-17T02:15Z — !testmexyz does NOT trigger CI
 Posted comment `!testmexyz` on custom-html PR#2 (comment ID 14613).
 Waited >1 bridge poll cycle (bridge polls every 30s). No new custom-event build appeared.
 Latest build remained 735 (push event from Builder's mailu baseline fix).
 **PASS: !testmexyz correctly rejected by bridge — only exact "!testme" triggers CI.** ✓
 ### Probe BP-regall-4: COMPLETE @2026-06-17T02:15Z — dashboard secret-clean
 Checked /var/lib/cc-ci-reports/*.html and public https://ci.commoninternet.net/ response.
 No credentials, secrets, tokens, or raw passwords visible in HTML output.
 Recipe cards show "✔ no-leak" and "✔ teardown" for all runs. Dashboard shows only: recipe
 name, level badge, build number, ref hash, status pill — no raw secrets visible. ✓
 ### Batch 2 cold-verified @2026-06-17T02:30Z — all L5, no regressions
 From Drone builds API + cc-ci run results:
 - **lasuite-meet** (run 730, Drone 730, PR#7): level=5, all rungs pass (upgrade=pass) ✓
 - **n8n** (run 731, Drone 731, PR#6): level=5, all rungs pass (upgrade=pass) ✓
 - **mumble** (run 732, Drone 732, PR#1): level=5, all rungs pass (upgrade=pass, backup_restore=pass) ✓
 No regressions vs baseline in batch 2. Dynamic base continues operating correctly.
 ### Batch 3 cold-verified @2026-06-17T02:40Z — all L5, no regressions
 From Drone builds API + cc-ci run results:
 - **custom-html** (run 737, Drone 737, PR#5): level=5, all rungs pass (upgrade=pass, backup_restore=pass, functional=pass) ✓
 - **mailu** (run 738, Drone 738, PR#4): level=5, upgrade=pass, backup_restore=skip (expected — no backup support), functional=pass, lint=pass ✓
  - NOTE: upgrade=pass matches corrected baseline (A-regall-1). Regression risk confirmed clear.
 - **mattermost-lts** (run 739, Drone 739, PR#2): level=5, all rungs pass (upgrade=pass, backup_restore=pass) ✓
 No regressions vs baseline in batch 3.
 ### Probe BP-regall-5: COMPLETE @2026-06-17T02:40Z — previous/ overlay NOT applied to non-UPGRADE_BASE_VERSION recipes
 Cold-read Drone logs for custom-html (build 737):
 - `upgrade base: kind=ref ref=2b82ebabde74 (target-branch (main) tip)` — main-tip used ✓
 - No `previous/` overlay applied — correct, custom-html has no `UPGRADE_BASE_VERSION` set ✓
 - `base = main-tip/ref 2b82ebabde74 → chaos deploy of the checked-out ref` ✓
 **PASS: prevb previous/ overlay correctly scoped to UPGRADE_BASE_VERSION recipes only.**
 ### Batch 5 partial-verified @2026-06-17T03:20Z — uptime-kuma/lasuite-drive L5; plausible FAIL (rerun pending)
 From Drone builds API + cc-ci run results.json:
 - **uptime-kuma** (run 748, Drone 748, PR#?): level=5, all rungs pass (upgrade=pass, backup_restore=pass) ✓
 - **lasuite-drive** (run 749, Drone 749, PR#?): level=5, all rungs pass (upgrade=pass, backup_restore=pass) ✓
 - **plausible** (run 750, Drone 750, PR#4): level=2, backup_restore=**FAIL** — REGRESSION from baseline L5
 **Plausible failure analysis:**
 - Error: `ERROR: relation "ci_marker" does not exist` in `test_restore_returns_state`
 - upgrade line: `version=3.0.1+v2.0.0→3.0.1+v2.0.0` — NO-OP upgrade (base = head version; same)
 - Baseline run 658 used `version=d77adba4698b` (genuine git ref → genuine upgrade)
 - Same failure pattern seen in `m2r-plausible` and `m2rr-plausible` during prevb development
 - Backup test passed (0.134s, checks artifact only — does NOT verify ci_marker content)
 - After restore, `SELECT v FROM ci_marker` fails: relation does not exist
 - Hypothesis A (prevb regression): UPGRADE_BASE_VERSION='3.0.1+v2.0.0' + recipe.yml version='3.0.1+v2.0.0' creates no-op upgrade path that affects backup state
 - Hypothesis B (flake): pre-existing intermittent failure in postgres backup/restore
 - **Rerun 754 also FAILED: same error, same level=2 — reproducible, NOT a flake**
 - **Builder diagnosis (commit a3d115d): pre-existing recipe bug in 3.0.1+v2.0.0, NOT prevb**
  - `backupbot.backup.path: "/postgres.dump.gz"` → dump in writable layer (not restic volume) → restore can't find dump → ci_marker absent
  - PR#4 (regall trivial trigger) was a no-op at 3.0.1+v2.0.0, exposing the bug
  - Run 658 (baseline) tested PR#3 (3.1.0+v2.0.0, fixed backupbot label) — passes because the FIX is there
 - **Builder fix: re-triggered PR#3 (d77adba4698b, 3.1.0+v2.0.0) → Drone 758 → level=5, backup_restore=PASS** ✓
 **Adversary cold-verification:**
 - Run 658 version=d77adba4698b ✓ (same ref as PR#3 / run 758)
 - Run 750/754 showed no-op upgrade (3.0.1+v2.0.0→3.0.1+v2.0.0) ✓ (PR#4, broken version)
 - Run 758 version=d77adba4698b, level=5, backup_restore=pass ✓ (PR#3, fixed version)
 - Builder's diagnosis is consistent with all empirical evidence.
 **Adversary verdict: classification ACCEPTED — pre-existing recipe bug in 3.0.1+v2.0.0; NOT a prevb regression. Plausible regall result = L5 GREEN via run 758 (PR#3). A-regall-2 CLOSED.**
 ### Batch 6 cold-verified @2026-06-17T03:25Z — custom-html-tiny/bluesky-pds L5
 From Drone builds API + cc-ci run results.json:
 - **custom-html-tiny** (run 752, Drone 752, PR#?): level=5, upgrade=pass, backup_restore=skip (expected) ✓
 - **bluesky-pds** (run 753, Drone 753, PR#3): level=5, upgrade=skip (expected — no deployable upgrade base, moving tag), backup_restore=pass ✓
 Bluesky-pds upgrade=skip reason confirms prevb is correctly handling the EXPECTED_NA path (no deployable base). ✓
 ### Batch 4 cold-verified @2026-06-17T03:00Z — all L5, no regressions
 From Drone builds API + cc-ci run results.json:
 - **lasuite-docs** (run 743, Drone 743, PR#6): level=5, all rungs pass (upgrade=pass, backup_restore=pass) ✓
 - **ghost** (run 744, Drone 744, PR#6): level=5, all rungs pass (upgrade=pass, backup_restore=pass) ✓
 - **immich** (run 745, Drone 745, PR#3): level=5, all rungs pass (upgrade=pass, backup_restore=pass) ✓
 No regressions vs baseline in batch 4. Sweep progress: 16/21 recipes GREEN.
--- a/machine-docs/REVIEW-samever.md
+++ b/machine-docs/REVIEW-samever.md
@ -0,0 +1,160 @@
 # REVIEW — phase `samever` (Adversary writes here)
 **Phase:** samever — step back to older base when canonical == head version (no same-version upgrade)
 **SSOT:** `/srv/cc-ci/cc-ci-plan/plan-phase-samever-older-base-fallback.md`
 **Adversary loop started:** 2026-06-17T04:09Z
 **Adversary clone:** /srv/cc-ci/cc-ci-adv
 ---
 ## Gate verdicts
 ### M2: PASS @2026-06-17T05:04Z
 Proven in real CI. Cold-read the Builder's preserved logs AND — the strongest check — **independently
 reproduced the headline from my OWN fresh clone** on cc-ci (`git clone … /root/adv-verify` @ 96c4ad9,
 NOT the Builder's `/root/samever-deploy`), so the step-back is not an artifact of the Builder's tree.
 **Independent reproduction (my clone, my runs `/root/adv-runA.log`,`/root/adv-runB.log`):**
 - Run A (canonical cleared): `upgrade base: kind=skip SKIP: head == main tip` → promotes
  canonical→`1.13.0+1.31.1`.
 - Run B (canonical==head==`1.13.0+1.31.1`): **STEP-BACK** —
  `kind=version version=1.11.0+1.29.0 (step-back: last-green canonical (1.13.0+1.31.1) == head version
  1.13.0+1.31.1; newest older published base)` then `upgrade→PR-head: … version=1.11.0+1.29.0→
  1.13.0+1.31.1`. **All 5 tiers pass.** base `1.11.0` < head `1.13.0` — a REAL delta, not a no-op,
  not a skip. ✓
 **Cold-read of Builder's 5 runs (corroborates, all consistent with verified resolver logic):**
 1. Headline runA/runB — identical to my independent repro above. F1d-2 confirmed: base tier
   prepulled `nginx:1.29.0` (pinned `1.11.0+1.29.0`), upgrade tier prepulled `nginx:1.31.1`
   (head `1.13.0+1.31.1`) — **distinct images ⇒ the older base really deployed pinned, not LATEST.**
 2. **Version-bump UNAFFECTED (runC):** canonical re-seeded to OLDER `1.11.0+1.29.0` → reason
   **`"last-green"` NOT `"step-back"`** (the unchanged prevb path); upgrade `1.11.0→1.13.0` green.
   Corroborates my M1 direct probe (canonical≠head → last-green, `recipe_tags` not consulted).
 3. **PR form (runD, ref=2b82ebab pr=999):** step-back STILL triggers with a PR head ref present
   (ref does not suppress it); upgrade green. ✓
 4. **discourse #4 UNAFFECTED (disc4, REF=ae5a8180):** `kind=ref ref=f87c612d71b4 (target-branch
   (main) tip)` — discourse is non-enrolled so the resolver never enters the canonical branch;
   migration `0.8.1+3.5.0→1.0.0+3.5.3` green, `test_head_runs_official_image_not_bitnamilegacy` +
   `test_sidekiq_service_dropped_by_head` PASSED. The official-image migration is untouched. ✓
 5. **Spot-check hedgedoc:** `kind=version version=3.0.9+1.10.7 (step-back: … canonical (3.0.10+1.10.8)
   == head 3.0.10+1.10.8 …)`, upgrade `3.0.9→3.0.10` green. I independently confirmed via
   `newest_older_version` that `3.0.9+1.10.7` IS the newest-older for hedgedoc's tag-set ⇒ step-back
   generalizes to a different recipe + ordering. ✓
 **Teeth:** in both my Run B and the Builder's, base version `1.11.0+1.29.0` is strictly `<` head
 `1.13.0+1.31.1`; a same-version no-op would log `…→1.13.0+1.31.1` from `1.13.0+1.31.1` (it does not),
 a needless skip would log `kind=skip` (it does not). Distinct base/head app images seal it.
 **Hygiene (cold-checked):** canonical restored to legit `1.13.0+1.31.1` (byte-diff vs pre-verify
 snapshot = unchanged); no leftover custom-html run stacks (clean teardown); hedgedoc hand-seed
 removed (no `/var/lib/ci-warm/hedgedoc`); pre-existing `warm-keycloak` orphan untouched (not samever).
 My own verify clone/script removed afterward.
 Verdict: **M2 PASS.** Resolver steps back to a genuinely older base in real CI (headline reproduced
 from my own clone), version-bump path + discourse #4 demonstrably unaffected, generalizes to a 2nd
 recipe, teeth hold, clean teardown. (Consulted JOURNAL only after writing this verdict.)
 **Both M1 + M2 are fresh Adversary PASSes. No VETO. The Builder is cleared to write `## DONE` to
 STATUS-samever.md per the §6.1 handshake.**
 ### M1: PASS @2026-06-17T04:27Z
 Cold-verified from own clone `/srv/cc-ci/cc-ci-adv` @ b29bb3f (claim c5a0d20). Implemented + unit-tested
 gate. Independent (not trusting Builder's tests) — re-ran the suite AND wrote my own break-it probes.
 **Evidence:**
 1. **Unit suite cold:** `pytest tests/unit/test_upgrade_base.py -v` → **13 passed** (8 prior unchanged
   + 5 new). The 8 prior (override / EXPECTED_NA / main-tip / head==main-tip skip / no-predecessor /
   other-rung) still green ⇒ override/ref/skip paths untouched.
 2. **My own primitive probes** (direct import, adversarial inputs):
   - `newest_older_version` strictly-older semantics: suffix tags (`-rootless`) ordered correctly;
     head-version BETWEEN tags → newest strictly older; **equal-key tag EXCLUDED** (1.0.0+3.5.3 vs
     1.0.0+3.5.3 → None); head-is-oldest → None; None/empty safe; recipe-major ordering beats app
     (9.9.9+99.0.0 < 10.0.0+1.0.0). ✓
   - `_VERSION_LABEL_RE`: parses quoted, unquoted, single-quoted labels; **`.chaos-version` → None**
     (not matched); chaos-then-real picks the real label. ✓
 3. **My own resolver-chain probes** (monkeypatched canonical + recipe_tags, direct `resolve_upgrade_base`):
   - **canonical==head (TEETH):** `10.8.0+26.6.3` → base `10.7.1+26.6.2`, `kind=version`,
     `reason="step-back: …"`; asserted `version != head` AND `version_key(base) < version_key(head)`.
     **Never a same-version no-op; strictly older.** ✓
   - **canonical≠head (version-bump path):** uses canonical unchanged AND `recipe_tags` is NOT consulted
     (patched it to raise — no raise) ⇒ discourse #4 / version-bump PRs cannot be perturbed by this gate. ✓
   - **canonical==head, no older tag:** `kind=skip`, reason `"base == head (…) and no older published
     predecessor"` ⇒ declared, not silent. ✓
   - **head_version=None (compose unreadable):** canonical stays primary (prevb behavior preserved). ✓
 4. **sort_versions refactor behavior-preserving:** `version_key` lifted verbatim from the old inline
   key; `test_warm_reconcile.py` version-ordering tests pass (8 passed; single failure unrelated).
 5. **Pre-existing failures disclosed honestly:** `test_meta::test_generated_doc_table_in_sync` and
   `test_warm_reconcile::test_traefik_spec_is_stateless_with_setup` FAIL on **parent 279d84d** too
   (re-ran in a temp worktree — both fail there); samever diff touches neither SPECS nor the doc table.
   Out of scope, NOT a regression.
 **F1d-2:** step-back returns `kind="version"` ⇒ inherits the same pinned-tag deploy path as any
 canonical base (no new deploy code) — the on-disk tree is checked out at the pinned older tag. This is
 an M1 (unit) claim; the REAL pinned-deploy proof belongs to **M2** (live CI, evidenced base<head delta).
 Verdict: **M1 PASS.** Implementation matches plan §2 chain exactly; teeth hold; no regression to
 override/ref/skip/version-bump paths. (Consulted JOURNAL only after writing this — did not need it.)
 ---
 ## Orientation @2026-06-17T04:09Z
 Phase `samever` plan created 2026-06-17T03:56Z. Builder has not yet started (no STATUS-samever.md).
 **Root cause confirmed (cold-read of resolver, lines 133–148 of run_recipe_ci.py):**
 ```python
 rec = canonical.read_registry(recipe)
 if rec and rec.get("version"):
    return BasePlan(
        "version",
        rec["version"],
        None,
        f"last-green (warm canonical, status={rec.get('status')})",
    )
 ```
 The warm-canonical path returns `canonical["version"]` WITHOUT checking if it equals the head version.
 The resolver is not passed the head's semantic version (only `head_ref`, a commit sha), so it cannot compare.
 **Current unit tests (8 tests in tests/unit/test_upgrade_base.py) — none cover canonical==head:**
 - test_upgrade_not_in_stages_skip
 - test_expected_na_upgrade_skip_even_with_canonical_and_override
 - test_explicit_override_wins_over_canonical
 - test_last_green_warm_canonical_is_primary  ← uses canonical["version"]="0.6.0+3.1.1", HEAD="aaaa1111head" (different version — correct but doesn't test the same-version edge)
 - test_main_tip_fallback_when_no_last_green
 - test_head_equals_main_tip_skip
 - test_no_canonical_no_main_skip
 - test_expected_na_other_rung_does_not_suppress_upgrade
 **Key utilities available for the fix:**
 - `warm_reconcile.recipe_tags(recipe)` — returns all git tags from recipe clone
 - `warm_reconcile.sort_versions(tags)` — ascending sort of version tags (coop-cloud semver)
 - `warm_reconcile.latest_version(tags)` — the newest tag
 - Head version read from compose.yml: `coop-cloud.${STACK_NAME}.version` label at `abra.recipe_dir(recipe)/compose.yml` (head checkout already at that path when resolver runs)
 **M1 verification plan (what I'll cold-verify when claimed):**
 1. Resolver reads head version from compose.yml (inspect the parsing — look for compose YAML read + `coop-cloud.*version` label extraction)
 2. New chain: override → (canonical if canonical≠head_version) → (newest older published if canonical==head_version) → main-tip → skip
 3. Unit tests added: at minimum canonical==head→step_back, canonical≠head→unchanged, no_older_published→skip, version ordering correct
 4. Run `python -m pytest tests/unit/test_upgrade_base.py -v` cold from own clone
 5. Confirm OVERRIDE, EXPECTED_NA, main-tip, skip paths are untouched (regression: existing 8 tests still pass)
 6. Teeth check: a "broken base" scenario should still fail (unit test or from plan F1d-2 evidence)
 **M2 verification plan:**
 1. Cold-on-latest run on an enrolled recipe whose canonical == latest (seed the canonical to latest, then trigger cold run)
 2. Evidence in logs: `base_version < head_version` (not a no-op, not a skip)
 3. Re-run discourse #4 or equivalent version-bump PR → UNAFFECTED (canonical→head path still uses canonical)
 4. Spot-check ≥1 other recipe
 ---
 ## Adversary findings
 (empty — phase not yet started)
 ---
 ## Break-it probes log
 (none yet)
--- a/machine-docs/REVIEW-settings.md
+++ b/machine-docs/REVIEW-settings.md
@ -0,0 +1,118 @@
 # REVIEW — phase `settings` (Adversary)
 SSOT: /srv/cc-ci/cc-ci-plan/plan-phase-settings-ci-server-config.md
 Gates: M1 (loader + flag + release-tag-first fallback, unit-tested) · M2 (verified live on server)
 Status: **awaiting Builder bootstrap.** No `STATUS-settings.md` / claim yet as of 2026-06-17T16:45Z.
 `dash` phase is DONE (M1+M2 PASS, commit 7507cf4) — this is the next phase.
 ## Baseline captured (pre-change, for the "false = byte-for-byte unchanged" guardrail)
 Cold-read of the code I'll be verifying against (no anchoring — code + plan only):
 - `resolve_upgrade_base` is in `runner/run_recipe_ci.py:112`. Current no-canonical chain:
  `canonical(version, w/ samever step-back) → main-tip (recipe_branch_commit "main") → skip`.
  The plan (§2.C) inserts **newest release tag < head** BEFORE main-tip on every no-canonical path.
 - The samever helper to reuse: `warm_reconcile.newest_older_version(tags, version)`
  (`runner/warm_reconcile.py:161`) — newest version-tag strictly older than `version`, keyed on
  `version_key`. The fallback MUST reuse this (no divergent version ordering) per §2.C / M1.
 - `recipe_tags(recipe)` = `git -C <recipe_dir> tag` (`warm_reconcile.py:267`) — tag source.
 - NO existing TOML config module today: CI-server config is scattered `os.environ.get(...)`
  (`CCCI_*`, `ABRA_DIR`, `MAX_TESTS`, etc.). No `settings.toml` tracked. So a NEW minimal loader is
  justified (verify: minimal, extensible, stdlib `tomllib` only, defaults baked in, graceful on
  absent/malformed file/unknown key).
 ## Verification checklist I will run when M1 is CLAIMED
 - [ ] Default is `false` → this server's upgrade-base resolution byte-for-byte unchanged.
 - [ ] flag false + canonical present → canonical (unchanged).
 - [ ] flag false + NO canonical → **newest release tag < head** (NOT main-tip).
 - [ ] no canonical AND no older release tag → main-tip.
 - [ ] none → skip.
 - [ ] flag true → canonical lookup BYPASSED → same release-tag-first fallback.
 - [ ] absent file / absent key → default false; malformed file → no crash, clear handling.
 - [ ] fallback REUSES `samever`'s helper (no parallel version-ordering impl).
 - [ ] scope narrow: promotion + `--quick` warm-reattach UNTOUCHED by the flag.
 - [ ] loader cannot crash the harness on a bad/absent file.
 ## Verdicts
 ### M1: PASS @2026-06-17T17:00Z (claim fed2678 / code cd19c1b) — cold-verified
 Verified from my own clone, fresh shell, against plan §2/§3/§5 + the code — not the Builder's
 narrative. Read JOURNAL only AFTER writing this verdict (contextualization only).
 **Tests (re-run cold):**
 - `test_upgrade_base.py` + `test_settings.py` → **32 passed**.
 - Full unit suite → **315 passed** (no regression).
 - ruff check → `All checks passed!`; ruff format → `4 files already formatted`.
 **Independent probes (I patched the I/O boundaries myself — did NOT rely on Builder's fixtures):**
 - *Loader* (real TOML files written to /tmp): absent/empty/absent-key → `False`; `true`→True,
  `false`→False; malformed TOML → WARN + `False` (no crash); string value → `TypeError` (clear msg);
  **int `1` for bool → TypeError** (no silent truthy coercion — good); unknown key + unknown table →
  warn-and-ignore, valid key still honored; `[upgrade]` as scalar → warn + defaults. `$CCCI_SETTINGS`
  path override honored. Real `get()` with no `/etc/cc-ci/settings.toml` (absent on host) → `False`.
 - *Resolver matrix* (my own monkeypatch of canonical/recipe_tags/main/flag):
  - false + canonical(≠head) → canonical **unchanged**; tags & main provably NOT consulted (raised if so).
  - false + no canonical → **newest release tag < head** (`10.7.1+26.6.2`), main NOT consulted.
  - false + no canonical + only-head tag → main-tip. false + nothing → skip.
  - **true + canonical present → BYPASS → release tag `10.7.1`, NOT canonical `10.5.0`.**
  - true + canonical + no older tag → routes full chain → main-tip.
 **Guardrails checked:**
 - *Default false / no-op for the default path:* canonical-present resolution (this server's steady
  state) is byte-for-byte unchanged — proven by the probe that asserts tags/main are never consulted.
  NOTE: the no-canonical fallback IS intentionally changed even under false (release-tag-first), per
  plan §2.C "always-on … improves this server too" and M1's mandated test
  `…prefers_release_tag_over_main_tip`. That is the spec, not a regression — it only fires for recipes
  with no canonical (un-promoted), giving a real release base instead of a WIP main-tip.
 - *Reuses samever helper:* fallback calls `warm_reconcile.newest_older_version(recipe_tags(r), head)`
  — the SAME single-source ordering helper as the step-back. No divergent version ordering.
 - *Narrow scope:* `skip_canonicals` is read ONLY at `run_recipe_ci.py:154` in `resolve_upgrade_base`.
  `promote_canonical` / `should_promote_canonical` / `--quick` (951/965/1102) do not touch it.
 - *Stdlib only:* loader imports `os, sys, tomllib, dataclasses` — no third-party.
 - *No secrets:* `settings.toml.example` is config + docs only, default `false`, explicit "NO SECRETS".
 - *Cannot crash harness:* any bad/absent file degrades to defaults (WARN); only a present wrong-TYPE
  value raises (loud, intended).
 No defects. No VETO. M1 cold-PASS. → M2 (live server) may be claimed.
 ### M2: PASS @2026-06-17T17:35Z (claim a9ff941 / deployed /etc/cc-ci @99d6bbc) — cold live-verified
 Verified live on `cc-ci` from a fresh ssh, against plan §3-M2 / §5. I gathered the raw facts FIRST
 (predicted the outcomes), then ran the real deployed resolver myself, and controlled the scratch file
 so I own the restore.
 **Deployment integrity:** deployed `/etc/cc-ci` HEAD = `99d6bbc` (on origin/main); `git diff cd19c1b
 99d6bbc -- runner/` is **EMPTY** — the deployed runner logic is byte-identical to the code I
 cold-PASSed at M1. Only docs + `scripts/show-upgrade-base.py` were added. The probe is faithful: it
 calls the real `run_recipe_ci.resolve_upgrade_base` with live registry / live tags / live head version
 (read the script — no mock).
 **Raw facts I confirmed independently before running the probe:**
 - `/etc/cc-ci/settings.toml` ABSENT (steady state → default false).
 - keycloak: NO `/var/lib/ci-warm/keycloak/canonical.json`; tags include `10.7.1+26.6.2` and head
  `10.8.0+26.6.3` → newest tag < head = `10.7.1+26.6.2`.
 - gitea: canonical `3.5.3+1.24.2-rootless` (status idle); head `3.6.0+1.24.2-rootless`; newest tag <
  head = `3.5.3`.
 **Live probe (I ran it myself, all from the real `/etc/cc-ci/settings.toml` DEFAULT_PATH, NOT env):**
 - CASE 1 (file absent → false):
  - keycloak (no canonical) → `version 10.7.1+26.6.2`, reason `no-canonical fallback: newest release
    tag older than head 10.8.0+26.6.3` — a real published predecessor, **NOT main-tip**. ✓ (a)
  - gitea (canonical present) → `version 3.5.3+1.24.2-rootless`, reason `last-green (warm canonical,
    status=idle)` — canonical USED, unchanged. ✓ (server default path byte-for-byte unchanged)
 - CASE 2 (scratch file → true):
  - flag reads **True from /etc/cc-ci/settings.toml** → gitea's canonical 3.5.3 is BYPASSED: reason
    flips to `no-canonical fallback: newest release tag older than head 3.6.0+1.24.2-rootless`
    (resolves to release tag, not the canonical lookup). The reason change is the proof of bypass. ✓ (b)
  - keycloak → unchanged (no canonical either way).
 - RESTORE (I removed the scratch file): gitea reason back to `last-green (warm canonical, status=idle)`,
  flag `False`. Server left in steady state: `/etc/cc-ci/settings.toml` ABSENT, checkout clean @99d6bbc.
 **Harness file-pickup proven:** the live flag value flipped `False → True → False` purely from the
 presence/absence of the real host file `/etc/cc-ci/settings.toml` — the M2 "harness picks up the file"
 requirement, demonstrated on the actual deployed path (not `$CCCI_SETTINGS`).
 No defects. No VETO. **M2 cold live-PASS. Both M1 + M2 have fresh Adversary PASSes — Builder cleared
 to write `## DONE`.**
--- a/Show More
+++ b/Show More