chore(lvl5): ruff format lint.py

fix(lvl5): lint table parser — abra renders HEAVY box verticals (┃ U+2503); accept both; meta registry EXPECTED_NA/BACKUP_CAPABLE wording → regenerated doc table
Found by real-abra smoke on cc-ci: hedgedoc clean → pass; +lightweight tag → fail R014. Full suite 246 passed on cc-ci venv.
2026-06-11 07:49:47 +00:00 · 2026-06-11 07:49:29 +00:00 · 2026-06-11 07:45:18 +00:00 · 2026-06-11 07:43:25 +00:00 · 2026-06-11 07:42:30 +00:00 · 2026-06-11 07:22:53 +00:00
192 changed files with 8728 additions and 1980 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -35,10 +35,12 @@ steps:
 # the comment-bridge). Deploys the recipe at the PR head, runs install/upgrade/backup + any
 # recipe-local tests via the shared harness, then guarantees teardown (plan §4.2/§4.3).
 #
-# Resource safety (plan §4.2/§4.3): MAX_TESTS=DRONE_RUNNER_CAPACITY=1 (nix/modules/drone-runner.nix) is
-# the primary concurrency cap; concurrency.limit below is a redundant belt. CCCI_JANITOR_MAX_AGE=0
-# makes the run-start janitor reap ANY orphaned run app before deploying — safe because capacity=1
-# means no concurrent run exists (a SIGKILL'd/timed-out build leaves an orphan with no teardown).
+# Resource safety (plan §4.2/§4.3): DRONE_RUNNER_CAPACITY=2 (nix/modules/drone-runner.nix, the
+# single concurrency knob) allows two recipe runs in parallel. Concurrent-run safety is enforced by
+# the harness, not by serialisation: every run holds an exclusive flock on its app domain
+# (/run/lock/cc-ci-app-<domain>.lock) for its whole process lifetime, the run-start janitor probes
+# that lock to reap only orphans (held lock = live run, never touched), and recipe working trees
+# are per-run ($ABRA_DIR/recipes — no shared checkout, no recipe lock). See docs/concurrency.md.
 kind: pipeline
 type: exec
 name: recipe-ci
@ -51,21 +53,37 @@ trigger:
  event:
    - custom

-concurrency:
-  limit: 1
+# NB deliberately NO `concurrency.limit` here: DRONE_RUNNER_CAPACITY (nix/modules/drone-runner.nix
+# maxTests) is the single concurrency knob (P4 — two knobs in two files drifted).

 steps:
  - name: ci
    environment:
      STAGES: install,upgrade,backup,restore,custom
-      CCCI_JANITOR_MAX_AGE: "0"
-      # The exec runner points HOME at a per-build workspace; force it to /root so abra finds its
-      # server config + recipes under /root/.abra (as the manual M4/M5 runs did). Safe: capacity=1
-      # means no concurrent build shares /root/.abra.
+      # The exec runner points HOME at a per-build workspace; force it to /root so abra's server
+      # config is found via the per-run ABRA_DIR's servers/ symlink -> /root/.abra/servers.
+      # Recipe trees are PER-RUN ($ABRA_DIR/recipes, exported by run_recipe_ci before any abra
+      # call), so concurrent builds never share a recipe checkout; app .env files are per-domain
+      # in the shared canonical servers/ path, guarded by the app-domain flock.
      HOME: /root
    commands:
      # RECIPE/REF/PR/SRC (+ CCCI_QUICK for `!testme --quick`) are injected as env vars from the
      # build's custom params. CCCI_QUICK=1 makes run_recipe_ci take the opt-in fast lane (WC7);
      # absent => full cold (default). run_quick ignores STAGES (always upgrade+custom).
      - 'echo "recipe-ci: RECIPE=$RECIPE REF=$REF PR=$PR SRC=$SRC stages=$STAGES quick=${CCCI_QUICK:-0}"'
-      - cc-ci-run runner/run_recipe_ci.py
+      # P1 lock-lifetime hardening: run the harness in its own session/process group (setsid) and
+      # forward a drone cancel (TERM to this step shell) to the WHOLE group, so the harness's
+      # SIGTERM handler runs its teardown funnel instead of being leaked (the exec runner kills
+      # only the step shell, not the tree). PDEATHSIG inside the harness backstops the case where
+      # this shell dies without the trap firing. The harness exit code is captured explicitly and
+      # the traps cleared before exiting: the runner shell is `set -e`, and an EXIT-trap kill of
+      # the already-gone process group returns ESRCH, which otherwise poisons a GREEN run's exit
+      # status to 1 (observed live, build 269: all tiers pass, step exit 1).
+      - |
+        setsid cc-ci-run runner/run_recipe_ci.py &
+        PID=$!
+        trap 'kill -TERM -- "-$PID" 2>/dev/null || true' TERM EXIT
+        rc=0
+        wait "$PID" || rc=$?
+        trap - TERM EXIT
+        exit "$rc"
--- a/BACKLOG-conc.md
+++ b/BACKLOG-conc.md
@ -0,0 +1,68 @@
+# BACKLOG — sub-phase conc
+
+## Build backlog
+
+- [x] P1 lock-lifetime hardening: prctl PDEATHSIG + ppid race check + SIGTERM handler →
+      teardown funnel + signal.alarm(3600) hard deadline; .drone.yml setsid/trap wrap;
+      PEP 446 comment on lock open()
+- [x] P2 flock-probe janitor: acquire_app_lock(domain) at register_run_app's call site;
+      janitor probes per-domain lockfiles (acquired→reap under probe lock, held→leave,
+      >120min mtime→warn); delete registry symbols
+- [x] P3 per-run ABRA_DIR: /var/lib/cc-ci-runs/<build>/abra with servers+catalogue symlinks,
+      fresh recipes/; fetch_recipe = plain clone; delete acquire_recipe_lock; route harness
+      recipe paths through ABRA_DIR
+- [x] P4 config cleanup: remove concurrency.limit from .drone.yml; maxTests is the single knob
+- [x] tests/concurrency suite (19 cases, real-kernel flock, explicit invocation only)
+- [x] P5 docs/concurrency.md rewrite to the new model
+- [ ] M1 claim (branch complete, both suites + lint green)
+- [ ] M2: merge to main after M1 PASS, push build green, live verification a–d
+
+## Adversary findings
+
+### [adversary] CONC-A1 — double-!testme same domain corrupts the shared deploy-count file (M2(c) FAIL)
+
+**Severity:** blocks M2(c). Both runs of a same-domain double-!testme go RED.
+
+**Root cause (two coupled defects, one shared root):**
+1. The DG4.1 deploy-counter file is keyed by DOMAIN in the *shared* system tempdir, NOT per-run:
+   `run_recipe_ci.py:930  countfile = /tmp/ccci-deploys-<domain>`. P3 isolated `ABRA_DIR` per run
+   but this per-run state file was missed — it predates the restructure (ef44d46) and the OLD
+   recipe-flock used to serialize same-recipe runs end-to-end, incidentally masking it.
+2. `lifecycle.deploy_app()` calls `_record_deploy()` (lifecycle.py:250) BEFORE
+   `acquire_app_lock(domain)` (lifecycle.py:254, introduced by P2 b302f3a). So the counter
+   increment happens OUTSIDE the serialization window — a second same-domain run bumps the
+   shared counter before it ever blocks on the lock.
+
+**Observed (live, builds 279 + 281, immich PR#2, same domain immi-ad3e33, 2026-06-10T05:04Z):**
+- Lock serialization itself WORKS: 281 logged `== app lock: ... in flight — waiting ==` at 2s,
+  then `== app lock: acquired ==` at 194s — exactly when 279 exited (279 finished 05:07:35).
+- 279 RED: `!! deploy-count 2 != 1 (DG4.1 violation)`. The `2` = 281's pre-lock `_record_deploy`
+  (fired ~2s, before 281 blocked) polluting the shared counter 279 was actively using.
+- 281 RED: `FileNotFoundError: /tmp/ccci-deploys-immi-ad3e33...` at run_recipe_ci.py:1213 —
+  279's end-of-run `os.remove(countfile)` (line 1215) deleted the shared file out from under 281,
+  whose single `_record_deploy` had already fired at 2s and never recreates it.
+- Control: isolated immich (build 275, same fixed wrapper) → `deploy-count = 1`, GREEN. So this
+  is concurrency-specific, not a pre-existing immich/wrapper issue.
+
+**Repro:** two `!testme` comments on the same recipe PR (same domain) in quick succession on the
+deployed main harness → both builds RED (one DG4.1 false-violation, one FileNotFoundError).
+
+**Fix direction (Builder owns):** key the deploy-counter per RUN, not per domain — e.g. put it in
+`/var/lib/cc-ci-runs/<build>/` (alongside the per-run artifacts) or include the build/run id in the
+filename, and export that path via `CCCI_DEPLOY_COUNT_FILE`. Per-run keying fixes BOTH defects at
+once (no cross-run pollution; no shared remove). Moving `_record_deploy()` after `acquire_app_lock`
+alone is INSUFFICIENT — the shared `os.remove`/`FileNotFoundError` collision survives. Add a
+tests/concurrency case: two same-domain runs serialized on the app lock → each sees its own
+deploy-count, neither removes the other's file (this is the gap vs the 19 planned cases — case 4
+serialises acquire but never asserts deploy-count isolation across the two).
+
+**Closure:** adversary-owned. Re-test the (c) double-!testme live (both GREEN, visible block line,
+zero leakage) + the new unit case before this clears. Only I close it.
+
+**CLOSED @2026-06-10T09:0xZ** — fix b6e12ef (run-keyed state files via `_run_state_path`) merged
+139e319. Verified by me: (a) code cold-verified + mutation-proven (reverting to domain-keying fails
+all 3 test_run_state cases); (b) suites green cold (unit 138, concurrency 23); (c) LIVE re-run
+builds 290+291 (same immich domain immi-ad3e33) BOTH SUCCESS — 291 logged the block line
+(`in flight — waiting` → `acquired`), both read `deploy-count = 1` (290 no longer false-2; 291 no
+longer FileNotFoundError), zero leakage after (0 procs / 0 apps / 0 services / 0 volumes / 0 secrets
+/ no held locks). Full evidence in REVIEW-conc M2(c) PASS.
--- a/BACKLOG-lvl5.md
+++ b/BACKLOG-lvl5.md
@ -0,0 +1,18 @@
+# BACKLOG — Phase lvl5
+
+## Build backlog
+
+- [ ] B1 (P1) `level.py`: append rung `lint` (L5); new status vocabulary {pass, fail, skip, unver}; `compute_level()` → new formula (level = max i: rung_i pass ∧ ∀j<i status ∈ {pass,skip}); DELETE cap_reason/capped concepts.
+- [ ] B2 (P1) lint executor (`harness/lint.py`): `abra recipe lint <recipe>` against the exact tested ref; hard ~60s timeout; rc+full output → `lint.txt` artifact; pass/fail/unver classification (missing abra / timeout / exception → unver, never pass, never skip); mirror-context handling per phase-plan §2.3 (probe abra behavior first; any filtering = named + unit-tested + DECISIONS.md).
+- [ ] B3 (P1) `results.py`: wire lint into `derive_rungs` + explicit intentional-vs-unintentional classification of EVERY N/A source; drop level_cap_reason/level_cap_rung from schema; `skips()` reflects new statuses; orchestrator (`run_recipe_ci.py`) runs lint executor at the tested-ref point + passes result through; verdict-neutral (R7 wrap).
+- [ ] B4 (P1) unit tests: rewrite test_level.py/test_results.py to new semantics incl. mission worked examples (fail-blocks → L1; intentional-skip climbs → L5; unver-blocks → L2; lint unver → L4; unclassifiable N/A → unver default); lint executor tests; old-artifact rendering compat tests.
+- [ ] B5 (P2) `card.py`: 0–5 color ramp; cap line removed ("level N of 5" neutral); rung table renders ✔/✘/intentional-skip/unverified; level_badge_svg loses cap_skip third segment (badge = number+color only); tolerate old artifacts.
+- [ ] B6 (P2) `dashboard.py`: _LEVEL_COLOR 5-scale; _level_pill/badge SVG number-only; legend text; old results.json (cap_reason present, lint absent) render without KeyError.
+- [ ] B7 (P2) docs: results-ux.md, testing.md, recipe-customization.md §EXPECTED_NA wording — L5 ladder, de-cap semantics.
+- [ ] B8 (P1) DECISIONS.md: semantics change record (replaces Phase-3 "N/A caps"); N/A classification table (every derive_rungs N/A source → intentional|unintentional); mirror-filter decision for lint (if any filtering).
+- [ ] B9 — gate M1: claim (branch w/ P1+P2; clean tree; cold-verifiable).
+- [ ] B10 (P3) lint sweep over ALL enrolled recipes (scratch clones — never touch ~/.abra/recipes during builds); matrix here (pass/fail + rule hits); mechanical fixes → mirror PRs (never push main/never merge); rest → DEFERRED.md.
+- [ ] B11 (P4) real-CI proofs: ≥1 genuine L5; ≥1 lint-blocked L4 (synth branch ok); ≥1 N/A-skip climb; 2× drone !testme; canary suite at re-derived designed levels; 1 synthesized unver-blocks run; before/after level table for ALL enrolled recipes; card/dashboard PNG/SVG visually verified.
+- [ ] B12 — gate M2: claim; then ## DONE after fresh PASS.
+
+## Adversary findings
--- a/BACKLOG-rcust.md
+++ b/BACKLOG-rcust.md
@ -0,0 +1,23 @@
+# BACKLOG — sub-phase rcust
+
+## Build backlog
+
+- [ ] P1.1 `runner/harness/meta.py`: KEYS registry (14 keys + 3 deprecated) + `load(recipe) -> RecipeMeta`
+- [ ] P1.2 migrate readers L1–L6 to `meta.load()` (orchestrator loads once, passes down)
+- [ ] P1.3 mumble private constants → underscore-prefixed (`_WELCOME_TEXT_MARKER`, `_MAX_USERS`) + fix importers
+- [ ] P1.4 `tests/unit/test_meta.py` (all-recipes-load-clean, MetaError cases, defaults, R2 proof)
+- [ ] P1.5 `scripts/gen-meta-docs.py` + doc-sync unit test
+- [ ] P2a compose.ccci.yml first-class (auto-copy + auto-chaos); strip ghost/discourse boilerplate
+- [ ] P2b install-time deps only; migrate lasuite-docs; delete setup_custom_tests.sh machinery
+- [ ] P2c SKIP_GENERIC meta key deleted; env form documented dev-only + loud warning in CI runs
+- [ ] P2d conftest cleanup: delete deployed/deployed_app (+app_domain if unused); consolidate deps fixture; migrate 6 lasuite test files
+- [ ] P3 HookCtx + convert all hook call sites + migrate in-repo users + unit tests
+- [ ] P4 discovery placement rule + op_state/deps fixtures + migrate hand-parsers
+- [ ] P5 customization manifest (print block + results.json key) + unit tests
+- [ ] P6 docs rewrite (recipe-customization.md §8, testing.md, enroll-recipe.md)
+- [ ] M1 pre-claim: run `pytest tests/concurrency -q` once to prove untouched
+- [ ] M2 prep: build baseline matrix (21 recipe dirs, expected outcomes) BEFORE merging — commit to STATUS-rcust.md
+
+## Adversary findings
+
+(Adversary-owned section)
--- a/BACKLOG-shot.md
+++ b/BACKLOG-shot.md
@ -0,0 +1,128 @@
+# BACKLOG-shot.md — phase `shot` (recipe screenshot audit & repair)
+
+SSOT: /srv/cc-ci/cc-ci-plan/plan-phase-shot-screenshots.md. Gates: M1 (audit+diagnosis), M2 (all OK / agreed N/A).
+
+## Build backlog
+
+### P1 — Audit matrix (status: complete, all 19 PNGs visually inspected 2026-06-11)
+
+Enrolled set (19) = `tests/<r>/recipe_meta.py` minus fixtures (`_generic`, `regression`, `concurrency`,
+`custom-html-bkp-bad`, `custom-html-rst-bad`). Evidence: `/var/lib/cc-ci-runs/<run>/` on cc-ci;
+PNGs pulled to /tmp/shot-audit/ on the builder host and each one Read (visually).
+
+| recipe | latest run w/ artifacts | screenshot field | PNG bytes | visual content (I looked) | class |
+|---|---|---|---|---|---|
+| bluesky-pds | ab-bluesky-pds-oldmain | null | — | no PNG; install=fail level=0 (upstream image breakage, rcust DEFERRED) → capture correctly skipped (`if deploy_ok`) | N-A-candidate (blocked upstream) |
+| cryptpad | m2r-cryptpad | screenshot.png | 4802 | solid light-grey frame, nothing else | BLANK |
+| custom-html | m2r-custom-html | screenshot.png | 35707 | "Welcome to nginx!" default page | OK? (diagnose: is this the recipe's true fresh-install content?) |
+| custom-html-tiny | m2r-custom-html-tiny | screenshot.png | 12950 | seeded CI content ("cc-ci custom-html-tiny … DG5") | OK |
+| discourse | m2p-discourse | screenshot.png | 66121 | real forum UI, welcome topic, Sign Up/Log In | OK |
+| ghost | m2r-ghost | screenshot.png | 444183 | real blog landing ("Thoughts, stories and ideas") | OK |
+| hedgedoc | m2r-hedgedoc | screenshot.png | 131967 | real landing (logo, Sign In, feature intro) | OK |
+| immich | 356 | screenshot.png | 4801 | pure white frame | BLANK |
+| keycloak | m2r-keycloak | screenshot.png | 8764 | spinner + "Loading the Administration Console" | LOADING |
+| lasuite-docs | m2r-lasuite-docs | screenshot.png | 6022 | lone spinner on white | LOADING |
+| lasuite-drive | m2p2-lasuite-drive | screenshot.png | 5895 | lone spinner on white | LOADING |
+| lasuite-meet | m2r-lasuite-meet | screenshot.png | 4801 | pure white frame | BLANK |
+| mailu | m2r-mailu | screenshot.png | 33800 | real sign-in page (empty fields) | OK |
+| matrix-synapse | m2r-matrix-synapse | screenshot.png | 33296 | "It works! Synapse is running" landing | OK |
+| mattermost-lts | m2b-mattermost-lts | screenshot.png | 242139 | brand splash/loading screen (logo on blue), NOT the login form | LOADING (borderline — brand-recognizable but a loading state) |
+| mumble | m2r-mumble | screenshot.png | 7913 | spinner on grey — a web page IS served on the domain | LOADING (diagnose what serves it; N/A may NOT be justified) |
+| n8n | m2r-n8n | screenshot.png | 4801 | off-white blank frame. Flaky: run 197 (30256 B) shows the real "Set up owner account" form (empty fields, credential-free) | BLANK (flaky) |
+| plausible | 357 | null | — | no PNG on ANY run (122→357) | NULL |
+| uptime-kuma | m2r-uptime-kuma | screenshot.png | 30858 | real "Create your admin account" setup form (empty fields) | OK |
+
+PNG-size note: 4801/4802 B at 1280×800 is a byte-stable blank-frame fingerprint (3 different apps, same size).
+
+### P2 — Root-cause diagnoses
+
+- [x] **NULL — plausible** (evidence: Drone build 357 ci-step log, t=73s):
+  `screenshot: capture failed (non-fatal, verdict unaffected): page.goto(https://plau-b51425.ci.commoninternet.net/) never returned a status in (200, 301, 302, 303, 401, 403) after 15 attempts (45s); last status=500`.
+  Plausible's `/` 500s **by design** under `DISABLE_AUTH=true` (auth_controller; documented in
+  `tests/plausible/functional/test_health_check.py` docstring and recipe_meta — that's why HEALTH_PATH
+  is `/api/health`). Default landing-page capture can NEVER succeed → needs a per-recipe SCREENSHOT
+  hook to a path that actually renders (probe live: e.g. /login or /sites).
+- [x] **NULL — bluesky-pds**: install fails (level=0) before the app is up → `if deploy_ok:` gate in
+  runner/run_recipe_ci.py:1024 correctly skips capture. Not a screenshot defect; upstream image
+  breakage already filed in machine-docs/DEFERRED.md (rcust). → documented N/A while upstream is broken.
+- [x] **BLANK class — immich, lasuite-meet, n8n(flaky), cryptpad**: SPA paint race. capture() navigates
+  with `wait_until="domcontentloaded"` (runner/harness/screenshot.py:91) and screenshots immediately;
+  SPA shell HTML has loaded but JS hasn't painted → solid 4801-2 B frame. n8n flakiness = same race,
+  sometimes JS wins (run 197 captured the real form).
+- [x] **LOADING class — keycloak, lasuite-docs, lasuite-drive, mumble, mattermost-lts(borderline)**:
+  same race, caught mid-paint (spinner/splash rendered, app JS still loading/connecting).
+- [x] **mumble** web stack identified: recipe deploys a `web` service (mumble-web client) on the domain —
+  spinner is its connecting state; landing renders a connect dialog once JS settles. NOT an N/A.
+- [x] **custom-html** nginx-welcome question: the recipe's fresh install genuinely serves the nginx
+  default page at `/` (no content seeded for this recipe's install; only custom-html-tiny seeds via
+  install_steps.sh). Screenshot is an honest representative view of a fresh install. → OK as-is.
+
+### P3 — Fixes (all merged to main)
+
+- [x] Harness default improvement (ce50f64 + A1 hardening 7ad7d1f): bounded networkidle settle
+  (10s) + 0.5s render grace after domcontentloaded; blank/spinner-frame detect (<10000 B) → ONE
+  retry with 4s settle, larger frame kept (A1). Wait budget 45+10+0.5+4+0.5 = 60s, unit-tested.
+  8 new unit tests; 207 pass; lint PASS.
+- [x] plausible — NOT a hook in the end: the real root cause was EXTRA_ENV SECRET_KEY_BASE being
+  62 chars (<64-byte Phoenix cookie-store minimum) → every HTML render 500'd. Fixed to 68 chars
+  (b98a471); default capture then lands the genuine registration page. Stale auth_controller
+  comments corrected (no assertion touched).
+- [x] mattermost-lts SCREENSHOT hook (80e5713 + 3c33129): interstitial appears on ANY first-visit
+  route incl /login (proven byte-identical PNG) → hook navigates /login, clicks "View in Browser"
+  best-effort, settles; lands the real login form. First real hook; public screenshot.settle().
+- [x] keycloak / lasuite-docs / lasuite-drive / lasuite-meet / immich / cryptpad / n8n: fixed by
+  the harness default alone (no hooks needed — proof PNGs below).
+- [x] mumble: NOT fixable harness-side — pinned mumble-web:0.5 client never paints UI for an
+  anonymous browser (≥90s DOM/console/network observation: no errors, no failed requests,
+  connect-dialog elements absent, no autoconnect overrides). Loader frame = the genuine anonymous
+  web view; voice (the recipe's function) fully covered by protocol tests. DEFERRED.md entry filed
+  (upstream question for the operator).
+- [x] bluesky-pds: documented N/A while upstream image broken (rcust DEFERRED; Adversary-agreed at
+  M1, contingent re-check at M2 — latest failing evidence ab-bluesky-pds-oldmain, 2026-06-11).
+
+### P4 — Proof runs (fresh, post-fix; every PNG visually Read by Builder)
+
+| recipe | proof run (dir on cc-ci) | level (baseline) | PNG B | visual |
+|---|---|---|---|---|
+| immich | 370 (drone !testme immich#2) | 4 (=356:4) | 234351 | real "Welcome to Immich" onboarding |
+| plausible | 371 (drone !testme plausible#3) | 4 (=357:4) | 64132 | real registration form, empty fields |
+| keycloak | shot-proof-keycloak | 4 | 215587 | real "Sign in to your account" form |
+| cryptpad | shot-proof-cryptpad | 4 | 57310 | real landing + document-type picker |
+| lasuite-meet | shot-proof-lasuite-meet | 4 | 225686 | real video-conferencing landing |
+| lasuite-docs | shot-proof-lasuite-docs | 4 | 284769 | real Docs landing |
+| lasuite-drive | shot-proof2-lasuite-drive | 4 | 132037 | real Drive landing |
+| n8n | shot-proof-n8n | 4 | 26433 | real "Set up owner account", empty fields (now deterministic) |
+| mattermost-lts | shot-proof3-mattermost-lts | 2 (=m2r:2) | 178367 | real "Log in to your account" form (hook v2) |
+| mumble | shot-proof-mumble | 4 | 7980 | loader frame — best-available (see P3/DEFERRED) |
+
+Drone durations pre/post (same recipe+PR): immich 199s→198s; plausible 209s→166s (faster — capture
+no longer burns 45s failing). Healthy class (ghost, hedgedoc, discourse, custom-html,
+custom-html-tiny, mailu, matrix-synapse, uptime-kuma): existing artifacts cited in P1 matrix, each
+visually verified real + credential-free; no new runs needed per plan §3 P4.
+Dashboard/card: grid thumbnails for runs 370/371 served 200, summary.html embeds screenshot.png,
+/badge/immich.svg 200.
+
+## Adversary findings
+
+### [adversary] A1 — blank-retry can REGRESS a larger frame to a worse one (LOW, non-blocking) — CLOSED @2026-06-11T06:32Z
+**CLOSED:** fixed in 7ad7d1f (retry snapped to a temp path; `os.replace` only if `retry >= first`,
+else discard + cleanup in `finally`). Re-verified COLD with my own probe (not the Builder's test):
+the exact filed case `[9999,4801]` now keeps **9999** (retry discarded, no temp leak); originals
+intact (`[4801,30256]`→30256, `[4801,4802]`→4802, `[35707]`→1 shot, `[5000,5000]`→replace). 5/5 pass.
+R7 contract preserved (retry-raise still propagates to capture's swallow → None; first frame on disk).
+--- original finding (for the record) ---
+**Where:** `runner/harness/screenshot.py` `_snap_with_blank_retry` (ce50f64).
+**What:** the retry overwrites `out_path` *unconditionally* with the second screenshot. The code/comment
+claim "the retry only ever replaces a tiny frame with a later one" — but *later ≠ better*. If the first
+frame is e.g. 9999 B (a partial render, just under `BLANK_SIZE_BYTES=10000`) and the page regresses in the
+extra 4 s settle (redirect, session-timeout splash, error overlay), the retry can yield a 4801 B blank that
+**overwrites the better 9999 B frame**. The Builder's unit test only covers blank→blank (4801→4802); the
+bigger→smaller regression is untested.
+**Repro (cold, my independent probe, not the Builder's test file):** fake page returning sizes
+`[9999, 4801]` → `_snap_with_blank_retry` keeps **4801** (the worse frame).
+**Severity:** LOW. R7 holds (cosmetic only, never affects verdict); my M2 per-PNG visual check is the
+backstop — any actually-blank final PNG will FAIL that recipe regardless. Filed for hardening, not a veto.
+**Suggested guard (trivial, strictly safer):** keep the larger frame — only overwrite if
+`getsize(retry) >= getsize(first)` (or snap retry to a temp path and pick `max`). Then extend the unit
+test with a bigger→smaller case asserting the larger frame survives.
+**Closes:** only I close this, after re-test. Non-blocking for an M2 claim, but I will re-check at M2.
--- a/JOURNAL-conc.md
+++ b/JOURNAL-conc.md
@ -0,0 +1,165 @@
+# JOURNAL — sub-phase conc (Builder, append-only)
+
+## 2026-06-10 — bootstrap
+
+Read concurrency-restructure-full-plan.md (SSOT) + plan.md §6.1/§7/§9. Oriented on the code:
+
+- `runner/harness/lifecycle.py` — recipe flock (l.46), registry (l.65–97), deploy_app
+  registration (l.283), teardown unregister (l.723), three-way janitor (l.726).
+- `runner/run_recipe_ci.py` — `acquire_recipe_lock` call site (l.843), `fetch_recipe` (l.140,
+  rm-rf + reclone of the shared tree), janitor call sites (l.600 quick, l.932 cold).
+- `.drone.yml` — recipe-ci step runs `cc-ci-run runner/run_recipe_ci.py` bare (P1 wraps it),
+  `concurrency.limit: 2` (P4 removes).
+- Greps for P3 fallout: `~/.abra/recipes` referenced in abra.py (recipe_checkout,
+  has_lightweight_version_tags, recipe_head_commit, recipe_versions), generic.py:28,
+  lifecycle.prepull_images, run_recipe_ci (fetch_recipe, snapshot_recipe_tests, comment),
+  warm_reconcile.py:202 (runs OUTSIDE per-run context — keeps default), and
+  tests/ghost+discourse install_steps.sh (`${HOME}/.abra/recipes/...` — these run INSIDE a
+  run and copy compose.ccci.yml into the deploy tree, so they must resolve the per-run dir).
+- `~/.abra/servers/...` paths are unaffected by design (servers/ is symlinked to the canonical
+  /root/.abra/servers, so both resolutions land on the same file).
+
+Working setup: state files on main in this clone; code on branch `restructure/concurrency`
+via a git worktree at ../cc-ci-conc; test runs on the cc-ci host via /root/builder-clone
+(`cc-ci-run -m pytest ...`, `nix develop .#lint`).
+
+## 2026-06-10 — P1–P4 landed on restructure/concurrency
+
+- P1 b492f99: harness/lifetime.py (PDEATHSIG+ppid recheck, SIGTERM/SIGALRM→SystemExit funnel
+  with re-entrancy guard, alarm(3600)); main() installs first; both finally blocks mark
+  begin_teardown(); .drone.yml setsid+trap wrap. Live smoke on cc-ci (cc-ci-run /tmp/p1-smoke.py):
+  TERM→rc=143+finally; ALRM→rc=142+finally+deadline log; parent-kill→child TERM'd, teardown ran.
+- P2 b302f3a: acquire_app_lock + _probe_and_reap + janitor rewrite; registry deleted. Live smoke
+  (/tmp/p2-smoke*.py): held lock → "live concurrent run, leaving it", reaped=[]; killed holder →
+  reap exactly once + lockfile unlinked; waiter blocked during probe-held reap, then re-acquired
+  on the FRESH inode (probe confirmed held by waiter). Note: a select()-on-fd readline artifact
+  in my smoke script initially looked like a failure — kernel state was verified directly.
+  Unlink/recreate race guarded on BOTH sides via fstat/stat st_ino identity checks.
+- P3 17ebdf3: per-run ABRA_DIR. Verified abra CLI honors $ABRA_DIR on-host (skeleton probe:
+  FATAs only on empty servers/; with servers+catalogue symlinks + recipes/ it works and even
+  auto-clones recipes for `app ls` resolution into the per-run dir). p3-smoke: setup + fetch of
+  custom-html-tiny landed in /tmp/p3runs/9999/abra/recipes, head commit + versions readable via
+  abra.recipe_dir(). install_steps.sh path fix justified in DECISIONS.md (conc P3 entry).
+  Pre-existing observation (NOT mine, unchanged): `abra app ls -S -m -n` currently FATAs
+  "unable to resolve '0cc57a5a'" under the DEFAULT abra dir too → janitor's abra discovery
+  yields [] and the docker-service sweep carries discovery. Out of this phase's scope.
+- P4 91d3cc7: concurrency.limit removed; maxTests comment states single-knob + new model.
+  One stale comment line (.drone.yml l.39 "concurrency.limit=2 below") folds into P5.
+
+All four commits: tests/unit 138 passed + lint PASS before each. Next: tests/concurrency suite.
+
+## 2026-06-10 — tests/concurrency (84d90fb) + P5 (d3fe9e2) + M1 claim (e8e52cf)
+
+- Suite: 20 tests / 19 plan cases, all real-kernel (helpers.py subprocesses hold real flocks,
+  install real prctl/alarm guards; CCCI_APP_LOCK_DIR sandboxes /run/lock; HelperPool reaps every
+  helper + recorded grandchildren). First full run on cc-ci: 20 passed in 9.96s, zero flakes in
+  3 repeat runs during the P5 verification re-runs.
+- Design notes for the Adversary's blind-spot hunt (my own known limits):
+  - case 8 (two janitors) uses threads in one process — valid because flock conflicts are
+    per-open-file-description, and overlap is forced via a Barrier + 2s slow teardown stub.
+  - case 14 relies on reparent-to-pid-1 (true on the cc-ci host; would need adjustment in a
+    subreaper environment — marked NEVER_REPARENTED visibly if so).
+  - cases 5-12 stub teardown_app (recording) — janitor probe/reap ordering is what's under
+    test, not teardown internals (covered by Phase-1 e2e + M2 live checks).
+- M1 claimed at e8e52cf; full verification recipe in STATUS-conc.md (WHAT/WHERE/HOW/EXPECTED).
+
+## 2026-06-10 — M2: merge + live verification (a)
+
+- Merge: bb5eb3d (--no-ff) pushed; push build 266 (self-test lint+hello) SUCCESS.
+- (a) cancel-mid-run: !testme on immich#2 → build 267 (custom) running on the NEW harness —
+  log shows the setsid/trap wrap + "== per-run ABRA_DIR: /var/lib/cc-ci-runs/267/abra ==";
+  lock /run/lock/cc-ci-app-immi-ad3e33...lock held by pid 636902; 4 immich services up.
+  Canceled via drone API 04:42:07Z (HTTP 200, build status "killed"). Result: harness pid
+  GONE (no leaked python — the old §8.1 gap is closed), immich services 0, volumes 0,
+  secrets 0, .env 0 — the SIGTERM funnel ran the run's own teardown (better than the plan's
+  minimum, which allowed the janitor to do the reaping). Lock RELEASED (lockfile present but
+  unheld — tidy-swept by the next janitor, to be observed during (b)).
+- (b) triggered 04:46:53Z: !testme immich#2 (comment 14287) + plausible#3 (14288) in parallel.
+
+## 2026-06-10 — M2(b) round 1: green runs, poisoned exit code → wrapper fix
+
+- Builds 268 (immich#2) + 269 (plausible#3) ran in PARALLEL on the new harness: both logs end
+  with all-tiers-pass RUN SUMMARY (level=4, deploy-count 1/1) and the host shows ZERO leakage
+  after (no harness processes, no immi/plau services/volumes/secrets, only unheld lockfiles).
+  Both steps nevertheless exited 1: the P1 EXIT trap's kill of the already-gone process group
+  returns ESRCH under the runner's `set -e` shell — a GREEN run reported failure.
+- Reproduced minimally on-host (`sh -e` and `bash -e`: rc=1 on a clean exit with the old trap).
+  Fix e1c4198 (capture rc; `trap - TERM EXIT`; `|| true` on the trap kill) verified on-host:
+  green rc=0, red rc=7 propagated, TERM→wrapper forwards to child, exits 143. Merged to main
+  b7a009c; push builds 272-274 green. Adversary notified via inbox.
+- (b) re-triggered on the fixed wrapper 04:56:10Z (immich#2 + plausible#3).
+
+## 2026-06-10 — M2(b) PASS + (c) triggered
+
+- (b) round 2 on fixed wrapper: builds 275 (immich#2) + 276 (plausible#3) ran in PARALLEL,
+  BOTH status=success (drone API). Host after: 0 python harness processes, 0 immi/plau
+  services/volumes/secrets/.envs — zero leakage. (d) satisfied by 275 (full green immich e2e).
+  Leftover unheld lockfiles present by design (tidy-swept at next janitor).
+- (c) double-!testme on immich#2: two comments at 05:03:58Z → two custom builds, same run
+  domain immi-ad3e33 → exactly one must block on the app lock with the visible log line.
+
+## 2026-06-10 — CONC-A1: (c) failure root-caused + fixed (run-keyed state files)
+
+- (c) round 1 = builds 279+281, both RED. Root cause (independently also found+filed by the
+  Adversary as CONC-A1 while I was mid-diagnosis — same conclusion from both loops): the four
+  run-scoped state files (deploys/opstate/deps/depskip) were DOMAIN-keyed in shared /tmp;
+  281's main()-preamble + pre-lock _record_deploy fired before it blocked on the app lock →
+  279 read deploy-count 2 (false DG4.1 RED); 279's end-of-run os.remove deleted the shared
+  countfile → 281 crashed FileNotFoundError at its own read. Lock serialization itself worked
+  (281: waiting @+2s, acquired @+194s = 279's exit). Masked pre-restructure by the
+  end-to-end recipe flock.
+- Fix b6e12ef on branch, merged to main 139e319: _run_state_path() keys all four by
+  run id + harness pid; consumers were always env-fed (CCCI_*_FILE), so domain keying was
+  never load-bearing. Both cleanup sites already remove all four on normal exit.
+- New tests/concurrency/test_run_state.py (suite now 23): path invariants + real-process
+  CONC-A1 interleaving via helpers.py `deploy-count-run` (countfile init → pre-lock
+  _record_deploy → acquire → gated read). Teeth verified: under simulated shared keying the
+  regression test FAILS (host run: 3 failed); with the fix: 23 passed + 138 unit + lint PASS.
+- Next: push build green → re-run (b)+(d), then (c), then (a) per the VETO's conditions.
+
+## 2026-06-10 — M2 re-verification on CONC-A1-fixed main (139e319)
+
+- Push builds 283/284/285 (branch fix, merge, inbox) all green.
+- (b)+(d) round 3 (comments 14299/14300, 08:17:35Z): builds 287 (immich#2) + 288 (plausible#3)
+  BOTH success, started simultaneously 08:17:40Z (parallel), finished 08:21:06/08:21:13.
+  Both logs: deploy-count = 1 (expect 1), level=4. Host after: pgrep -f 'run_recipe_c[i]' → no
+  match (earlier "2" was pgrep self-match of the ssh cmdline); immi/plau services/volumes/
+  secrets/server-envs all 0. Zero leakage. (d) satisfied by 287 (full green immich e2e on the
+  final harness code).
+- (c) round 2 triggered 08:22:13Z: comments 14303+14304 on immich#2 (same domain immi-ad3e33).
+
+## 2026-06-10 — M2(c) PASS round 2 (builds 290+291) + (a) re-run triggered
+
+- (c) round 2: builds 290 (08:22:30→08:46:05) + 291 (08:22:33→08:49:23) BOTH success.
+  291 log: "== app lock: another run of immi-ad3e33... in flight — waiting ==" at +1s,
+  "acquired" at +1411s = exactly 290's exit. Both: deploy-count = 1 (expect 1), level=4.
+  Slowness was an immich-ML healthcheck flake (Adversary cross-confirmed live via lslocks:
+  one holder pid 739163, one waiter pid 739341 on the same lock inode — serialization observed
+  in the kernel lock table); ML converged inside the 1500s window, both runs green anyway —
+  no clean re-run needed.
+- After both: no harness procs (pgrep run_recipe_c[i] empty), 0 immi/plau services/volumes/
+  secrets/server-envs. Unheld lockfile remains by design (tidy-swept at next janitor probe).
+- (a) re-run on fixed harness: !testme immich#2 comment 14307 @08:50:02Z; will cancel mid-run
+  via drone API once the deploy is in flight, then check pid/lock/leakage + janitor reap.
+
+## 2026-06-10 — M2(a) re-run PASS (build 295) + M2 claim
+
+- (a) on fixed harness: build 295 (comment 14307 @08:50:02Z) canceled @08:51:05Z (HTTP 200)
+  while mid-deploy (lock held by pid 763099, 4 immich services converging). Harness pid GONE
+  @08:51:15Z — the SIGTERM funnel ran the run's own teardown inside 10s; build status=killed;
+  lock released (lslocks empty); services/volumes/secrets/envs all 0. Zero leakage, no janitor
+  required.
+- Adversary lifted the CONC-A1 VETO @09:05Z with its own M2(c) PASS (290/291 cold-verified,
+  kernel-lock-table serialization observation). Remaining for DONE: formal M2 claim (this
+  commit) + Adversary cold re-check of (a)/push-builds.
+- M2 claimed in STATUS-conc.md with consolidated (a)-(d) evidence + cold re-check recipe.
+
+## 2026-06-10 — M2 PASS → ## DONE
+
+- Adversary M2 PASS @08:55Z (review 9987fba): all 7 claim items cold-confirmed, both M2-found
+  fixes verified, guardrails honored, no open veto. Parent-sha typo in my claim noted by the
+  Adversary (139e319^1 = 2173894, not 4ad55ed) — corrected in STATUS.
+- ## DONE written to STATUS-conc.md. Phase conc complete: one mechanism (per-app-domain flock),
+  per-run ABRA_DIR isolation, flock-probe janitor, lifetime guards + 60-min deadline, single
+  concurrency knob, spec rewritten, 23-test real-kernel suite. Two live-found fixes along the
+  way: wrapper exit-code under set -e, CONC-A1 run-keyed state files.
--- a/JOURNAL-lvl5.md
+++ b/JOURNAL-lvl5.md
@ -0,0 +1,19 @@
+# JOURNAL — Phase lvl5
+
+## 2026-06-11 bootstrap
+- Read plan-phase-lvl5-lint-rung.md in full + plan.md §6/§6.1/§7/§9. Phase files created.
+- Orientation reads: level.py (RUNGS 4, compute_level gap-caps, backup_restore_status, tier_to_rung), results.py derive_rungs/build_results (cap fields at :215-229), card.py (LEVEL_COLOR 0-6!, cap line :246, level_badge_svg cap_skip third segment), dashboard.py (_LEVEL_COLOR :68, _level_pill :245, cap div :277, render_level_badge :363), run_recipe_ci.py build_results call :1248 + badge wiring :1296-1320, bridge.py :224 (badge embed — number-only already, no cap text → likely untouched), docs (results-ux.md has cap language; recipe-customization.md EXPECTED_NA row).
+- Notable: card.py LEVEL_COLOR already has keys 0-6 (5=green, 6=bright green) — only 0-4 reachable today; dashboard._LEVEL_COLOR needs checking for the same.
+- Lint context: abra.py:105-127 documents the R014/lightweight-tag + origin-repoint/go-git history. Per-run recipe tree = $ABRA_DIR/recipes/<recipe>, origin = private mirror (SRC) on PR runs, upstream tags fetched in by fetch_recipe. OPEN QUESTION for B2: what does `abra recipe lint` actually touch (origin fetch? auth? R014 against which tags?) — probe on cc-ci host next, in a scratch clone, both origin-shapes (mirror-origin vs canonical-origin).
+- Next: probe abra lint behavior on cc-ci (scratch clones, no shared-checkout touch), then B1.
+
+## 2026-06-11 abra lint probe (B2 design input) — all on cc-ci, scratch ABRA_DIR=/tmp/lvl5-lint-probe/abra
+- `abra recipe lint hedgedoc` (fresh canonical clone): FATA "inappropriate ioctl for device" rc=1 — needs a PTY even with `-n`. Under `script -qec "abra recipe lint -n hedgedoc" /dev/null`: rc=0, 21-line unicode table R001–R016 (cols: ref|rule|severity|satisfied ✅/❌|skipped|how-to-fix), maxlen 146 no wrapping, wall time 0.7s.
+- rc SEMANTICS: rc≠0 ONLY on FATA (cannot lint). Probes:
+  - rm .env.sample + commit → rc=1 FATA "unable to validate recipe: .env.sample ... no such file" (content-attributable FATA).
+  - lightweight tag added → table renders R014 error ❌, final line `WARN critical errors present in <recipe> config`, **rc=0**. So pass/fail MUST be parsed from the table (error-severity ❌ rows), sentinel line as cross-check. Baseline warn-only ❌ (R015) → NO sentinel, rc=0 → pass.
+  - untracked compose.ccci.yml (CI overlay) in tree → FATA "version mismatched between two composefiles" rc=1 — abra lint globs compose*.yml INCLUDING untracked harness overlays ⇒ lint MUST run on a pristine clone of the exact ref, not the deploy tree.
+  - origin repointed to auth-required mirror URL → rc=1 FATA "unable to fetch tags in ...: repository not found" — lint force-fetches tags from origin ⇒ scratch clone's origin must be fetchable without auth. Cloning FROM the per-run tree (local path origin) satisfies this offline and preserves the run's true tag set (fetch_recipe pulls upstream tags into the per-run tree).
+- run_quick emits no results.json/card (build_results only at run_recipe_ci.py:1248, cold path) → lint rung wiring is full-path only.
+- Executor design settled (DECISIONS.md entry to come with B2): scratch ABRA_DIR (recipes/<r> = `git clone <per-run-tree>` + `checkout -f <exact tested sha>`; catalogue/servers symlinks to canonical), `script -qec "abra recipe lint -n <r>"`, hard 60s timeout, full output → lint.txt artifact, parse table rows; status = fail iff any error-severity row ❌(not skipped) or content-attributable FATA ("unable to validate recipe"); pass iff table rendered & no error-row ❌; anything else (timeout, abra missing, fetch FATA, unparseable) → unver + loud log. No rule filtering needed (mirror pollution solved by context, not by ignoring rules).
+- Tier-skip sources mapped for derive_rungs classification (run_recipe_ci.py:1040-1131): upgrade skip ⟺ `prev` falsy ("only one published version", structural-intentional) given install passed; backup/restore skip ⟺ not backup_cap (structural-intentional); install-fail → downstream tiers skip (unintentional); custom skip ⟺ no custom tests (unintentional unless EXPECTED_NA declares functional); tier absent from `stages` (CCCI_STAGES dev escape) → missing key (unintentional).
--- a/JOURNAL-rcust.md
+++ b/JOURNAL-rcust.md
@ -0,0 +1,307 @@
+# JOURNAL — sub-phase rcust (Builder)
+
+## 2026-06-10 bootstrap
+
+Read phase plan (recipe-custom-restructure-full-plan.md), plan.md §6.1/§7/§9, and the reference
+spec docs/recipe-customization.md @ 76a4b6b in full. Created phase state files. Work branch will
+be `restructure/recipe-custom` off main @ 76a4b6b. Starting P1: reading the six current loaders
+(run_recipe_ci.py::_load_meta, conftest.py::_recipe_meta, lifecycle.py::_recipe_extra_env,
+lifecycle.py::_recipe_meta_flag, deps.py::declared_deps, canonical.py::is_canonical_enrolled)
+before writing harness/meta.py.
+
+## 2026-06-10 P1 — single loader + registry (branch 472a68b)
+
+Wrote runner/harness/meta.py: KEYS registry (14 keys + CHAOS_BASE_DEPLOY/OIDC_AT_INSTALL/
+SKIP_GENERIC kept registered as deprecated=True so P1 lands green before P2 deletes them),
+RecipeMeta generated from KEYS via dataclasses.make_dataclass (frozen; field set cannot drift from
+the registry), load() = the only exec() of recipe_meta.py, MetaError on unknown ALL-CAPS/type
+mismatch/callable-on-data-key, difflib suggestion in the unknown-key message. BACKUP_CAPABLE keeps
+its tri-state via default None (None = auto-detect — preserves the old `"BACKUP_CAPABLE" in meta`
+semantics in generic.backup_capable).
+
+Migrations: orchestrator loads once + passes meta down (deploy_app/perform_upgrade/_perform_op/
+run_lifecycle_tier all take the object); conftest meta fixture returns full RecipeMeta (R3 closed);
+lifecycle._recipe_extra_env/_recipe_meta_flag and deps.declared_deps deleted; canonical.is_enrolled
+ enrolled_recipes go through meta.load (tests monkeypatch meta.TESTS_DIR now instead of
+canonical.__file__); screenshot._load_screenshot_hook reads the attribute (R2 fixed — unit test
+proves SCREENSHOT survives the real orchestrator load path). deploy_app keeps an optional
+meta=None fallback (loads via the single loader) for fixture/manual callers — exec still happens
+in exactly one function.
+
+Effective-value safety check before committing: dumped non_default() for all 21 recipe dirs through
+the new loader — every recipe's customized key set matches its recipe_meta.py source (e.g. mumble:
+DEPLOY_TIMEOUT/EXTRA_ENV/HEALTH_OK/READY_PROBE/UPGRADE_EXTRA_ENV). One intentional delta class:
+deps.deploy_deps' fallback timeouts for a MISSING dep meta change from literal 900/600 to loading
+the dep's real meta (orchestrator path always supplied metas, so CI behavior is identical).
+
+Verified on cc-ci (rsynced working tree before committing):
+  cc-ci-run -m pytest tests/unit -q  -> 175 passed
+  nix develop .#lint --command scripts/lint.sh -> lint: PASS
+Three pre-existing f212 unit tests passed dicts to wait_ready_probes — updated mechanically to
+construct RecipeMeta via dataclasses.replace (assertions untouched).
+
+Next: P2a compose.ccci.yml first-class + auto-chaos.
+
+## 2026-06-10 P2 — legacy keys & paths deleted (branch 8cd72fd)
+
+P2a: lifecycle.provide_ccci_overlay copies tests/<recipe>/compose.ccci.yml into the per-run
+checkout (after install_steps hook, before prepull/deploy); pinned base deploys auto-chaos on
+overlay presence (has_ccci_overlay replaces the meta.CHAOS_BASE_DEPLOY elif). ghost/discourse
+install_steps.sh were copy-only -> deleted whole; their metas keep COMPOSE_FILE in EXTRA_ENV
+(unchanged wiring, the harness now owns the copy).
+
+P2b: oidc_at_install condition removed — `if declared:` provisions before the single deploy,
+legacy post-deploy block + _run_setup_custom_tests_hook deleted. lasuite-docs install_steps.sh is
+the meet/drive hook with docs' exact env names (diffed against the deleted setup_custom_tests.sh:
+same keys incl. OIDC_OP_DISCOVERY_ENDPOINT + scopes 'openid email profile'; secret-insert bump
+identical; only the abra-redeploy step is gone — the single deploy reads the env instead).
+lasuite-drive's MinIO bucket one-shot -> ops.py pre_install (runs at install-tier start, post-
+deploy; bucket lives in the minio volume so it survives upgrade/restore; same scale --detach +
+30x3s poll as the shell version). run_quick: deps still provision (realm/creds), hook call gone —
+no quick-enrolled recipe declares DEPS today; noted inline.
+
+P2c: SKIP_GENERIC out of the registry; _skip_generic(op) env-only; skip_generic_env_overrides()
+prints a `!!` warning when active under DRONE (P5 will embed in the manifest).
+
+P2d: conftest deps fixture = dict of _DepEntry (dict subclass w/ attribute sugar) — the 6 lasuite
+files only ever used deps_creds, renamed param to deps, zero assertion changes. NOTE for Adversary:
+some assert MESSAGE strings ('setup_custom_tests should have populated this.' -> 'dep
+provisioning...') and docstrings updated — message text only, no assert logic/expected values.
+
+Verified on cc-ci (rsync of working tree): cc-ci-run -m pytest tests/unit -q -> 175 passed;
+nix develop .#lint --command scripts/lint.sh -> PASS. Doc table regenerated to the 14-key registry
+(doc-sync unit test pins it).
+
+Next: P3 — HookCtx + ctx-hook signatures everywhere.
+
+## 2026-06-10 P3 — uniform ctx hook convention (branch fd02d9f)
+
+HookCtx frozen dataclass + hook_ctx() constructor in harness/meta.py; ctx.deps read straight from
+$CCCI_DEPS_FILE (json, both shapes) — meta.py stays import-cycle-free (deps.py imports lifecycle
+which imports meta). Registry keys carry hook_params; meta.load() enforces the expected positional
+names per hook key (READY_PROBE/BACKUP_VERIFY/EXTRA_ENV/UPGRADE_EXTRA_ENV=(ctx,),
+SCREENSHOT=(page, ctx)); _run_pre_hook applies meta.check_hook_signature(fn, ("ctx",)) to ops.py
+hooks before calling. Conversion of 17 ops.py + 8 recipe_meta hooks was scripted (def-line regex +
+bare `domain` -> `ctx.domain` inside the pre_*/hook function bodies only) and diff-reviewed; the
+only manual fixes: keycloak pre_restore passed `meta` -> `ctx.meta`, and two comment lines in
+lasuite-drive/-meet metas that the regex over-replaced were restored. wait_ready_probes gained
+op= (install/upgrade call sites pass it) so probes can know the phase.
+
+Verified on cc-ci: cc-ci-run -m pytest tests/unit -q -> 180 passed; lint PASS.
+
+Next: P4 — discovery placement rule + op_state/deps fixtures + migrate hand-parsers.
+
+## 2026-06-10 P4 — custom-test ergonomics (branch 29a28e2)
+
+Pre-change sweeps confirmed the plan's zero-users claims: no top-level non-lifecycle test_*.py in
+any recipe dir; no recipe test file reads os.environ / CCCI_OP_STATE_FILE directly (the only
+op-state consumers are the generic assertions via harness.generic.op_state — harness-side, fine).
+So P4 = discovery glob removal + new op_state fixture + pinning tests; no test migrations needed.
+test_discovery.py's HC2 gate test moved its repo-local custom fixture under functional/ (the rule);
+test_discovery_phase2.py now asserts top-level custom is NOT discovered. op_state fixture skips
+(clear reason) when env unset / file missing / unparseable; tested via request.getfixturevalue.
+
+Verified on cc-ci: cc-ci-run -m pytest tests/unit -q -> 184 passed; lint PASS.
+
+Next: P5 — customization manifest (print block + results.json key).
+
+## 2026-06-10 P5 — customization manifest (branch 68954be)
+
+(Resumed after a usage-limit pause mid-P5; working tree carried the in-flight manifest.py.)
+New runner/harness/manifest.py: build() collects {meta_non_default, hooks, overlays, custom_tests,
+env_overrides} via the SAME discovery/meta functions the run uses (so the manifest can never
+disagree with what actually executes — incl. the HC2 _gated() repo-local gate), render() prints
+the block. Orchestrator builds+prints right after meta load / repo-local snapshot, BEFORE the
+quick-lane branch (both lanes get the block); the dict rides into build_results(customization=...)
+verbatim. run_quick writes no results.json, so the single build_results call site covers all.
+Hooks render as "<hook>", tuples as lists (JSON-clean); ops.py pre-ops listed by cheap source
+scan (same approach as discovery._module_defines — no import at manifest time).
+
+Lint flagged: C408 dict() literal, import-block order (manifest after deps), ruff-format on the
+new test file — all fixed. Verified on cc-ci (rsync of working tree): cc-ci-run -m pytest
+tests/unit -q -> 191 passed; nix develop .#lint --command scripts/lint.sh -> lint: PASS.
+
+Next: P6 docs, then M1 prep (tests/concurrency proof run + 21-recipe baseline matrix).
+
+## 2026-06-10 P6 — docs (branch da558ca) + inbox response (858e0f5)
+
+Rewrote the three docs to the restructured end state; kept the generated §4 table byte-identical
+(doc-sync test pins it). recipe-customization.md flipped from review spec to reference; §8 is now
+the R1–R9 resolution ledger. Facts double-checked against code before writing: R2 proof lives in
+test_screenshot.py::test_screenshot_reachable_through_real_load_path (not test_meta.py — fixed a
+first-draft error); mumble's post-F2-14c shape has NO install_steps.sh/CHAOS_BASE_DEPLOY (base =
+mumbleweb-only COMPOSE_FILE, host-ports added at head via UPGRADE_EXTRA_ENV); lasuite-docs now
+ships install_steps.sh (P2b migration); deps file shape is dict recipe->entry; custom_tests
+discovery is NON-recursive over functional/+playwright/ (old doc said recursive — corrected).
+
+Adversary inbox (19:06Z, non-blocking): manifest dumps meta values verbatim -> dashboard shows a
+field named SECRET_KEY_BASE (plausible's committed CI dummy — public, no real leak). Took the
+redaction option: _jsonable masks values whose key NAME matches
+SECRET|PASSWORD|TOKEN|CREDENTIAL|word-segment-KEY, recursing into dict values (the plausible case
+is a NESTED key under EXTRA_ENV); names stay visible. KEYCLOAK_URL deliberately not matched
+(word-segment KEY). Unit test pins redacted+passthrough both.
+
+Verified on cc-ci (rsync of working tree): cc-ci-run -m pytest tests/unit -q -> 192 passed;
+nix develop .#lint --command scripts/lint.sh -> lint: PASS.
+
+Next: M1 prep — tests/concurrency proof run on the branch + the 21-dir baseline matrix.
+
+## 2026-06-10 M1 prep + claim
+
+Concurrency proof run on branch head 858e0f5 (rsynced tree on cc-ci): cc-ci-run -m pytest
+tests/concurrency -q -> 23 passed in 11.46s (suite untouched by the restructure, as planned).
+
+Baseline matrix: pulled every /var/lib/cc-ci-runs/*/results.json (141 files) and took the most
+recent per recipe. 19/21 dirs covered by results.json; mumble's last full run predates the
+results system (log ~/ccci-mumble-f214c.log, 5 tiers pass 05-31); bluesky-pds likewise
+(Adversary Phase-2 cold verify e45e0ee). plausible's weekly-report RED was its PR branch
+(pg13->14, build 200); its default-branch baseline is run 308 (06-10) L4 — runs 307/308 are
+today's, from the conc-phase M2 sweep. Bad canaries recorded at their designed-fail tier.
+
+Claimed M1. While waiting: nothing else unblocked in this phase (M2 is gated on M1) — will hold
+with short fallback polls per §7 case 2.
+
+## 2026-06-11 M2 reconciliation — discourse upgrade-HC1 root-cause hunt + bluesky re-characterization
+
+Resumed after a loop stall (~21:18Z–23:50Z): the m2b/ab sweeps had finished but nothing processed
+them. Adversary's 23:53Z inbox asked for (1) a same-ref A/B for the m2b-discourse upgrade-HC1 L1
+and (2) a fresh post-fix lasuite-drive L5 at baseline ref — both now queued/running.
+
+Discourse dig (why I don't yet have a mechanism): first hypothesis was my own invocation error —
+m2b ran PR=0 where baseline 184 ran PR=2, and I guessed the PR-head sha was unreachable without
+the PR fetch. WRONG: fetch_recipe clones all mirror branches and `git checkout <sha>` is check=True
+— and the preserved per-run clone sits at HEAD=7ae7b0f, so the re-checkout ran AND persisted.
+Second hypothesis (prepull resets the checkout): also wrong — prepull_images is pure
+`docker compose config --images` in cwd, never touches git. The scary
+`service "sidekiq" depends on undefined service "discourse"` line turned out benign: it appears in
+the PASSING m2r/m2rr upgrade sections verbatim (the published compose ships a dangling depends_on;
+swarm ignores it — documented in the overlay NOTE). What's left: abra stamped the PREV-TAG commit
+(eb96de94 = 0.7.0+3.3.1) on the chaos redeploy while the tree was at 7ae7b0f. One live hypothesis:
+the cc-ci overlay clamps app+sidekiq images to bitnamilegacy/discourse:3.3.1; at this PR head
+(0.9.0+3.5.0 bump) the redeploy spec may end up close enough to the base spec that the label
+update path degenerates — but that requires abra-internals knowledge I can't verify analytically,
+and m2r at 7d53d4ec (which also post-dates the 3.5.0 bump?) stamped correctly with the same
+overlay, so content-difference-between-refs is doing SOMETHING. Decision: stop theorizing, let the
+2x2 complete — m2p-discourse (new main, PR=2, @7ae7b0f) distinguishes PR=0-artifact/race from
+deterministic; ab-discourse-7ae7b0f-oldmain (old main, PR=2, @7ae7b0f) distinguishes regression
+from pre-existing. Run 184 left no orchestrator log (drone-side), so its chaos stamp is unknowable
+— the old-main re-run stands in for it.
+
+lifecycle.py diff c2508c7..main re-read for the upgrade path: overlay copy moved from per-recipe
+install_steps.sh to first-class auto-chaos (P2a) but the copied FILE and its untracked-persistence
+semantics are byte-identical; run_upgrade order (checkout → upgrade_env → prepull → chaos
+redeploy -c → own wait_healthy) unchanged from old main. Nothing jumps out as the delta.
+
+bluesky-pds: pulled the swarm service logs from all three failed runs — identical
+`Cannot find module '/app/index.js'` crash-loop (Node v24.15.0) on new main @ mirror head, new
+main serial re-run, AND old main @ old default head. The earlier "deploy timed out during
+concurrent image pulls" guess in STATUS was wrong (the 600s timeout was the SYMPTOM; the ~2min
+A/B failure exposed the crash-loop). Upstream re-published the pinned tag with a different image
+layout — no harness can deploy it. Filed in STATUS as restructure-neutral with grep-able evidence.
+
+## 2026-06-11 lasuite-drive root cause #2 — completed one-shot poisons convergence (caught live)
+
+Watching the m2p proof run instead of just waiting paid off: the fix-forward's best-effort line
+printed (so #1 is fixed), but the install assert then sat in pytest for 25+ minutes. Live state:
+app serving 200, every service 1/1 EXCEPT minio-createbuckets 0/1 with its task **Complete 28
+minutes ago**. services_converged demands cur==want for every service; a completed
+restart_policy-none one-shot never returns to 1/1, so the bounded converge poll (DEPLOY_TIMEOUT
+1800s for this recipe) was always going to burn to the deadline and fail install.
+
+Why nobody ever saw this before P2b: the old setup_custom_tests.sh ran AFTER the install asserts
+(post-deploy hook path), so converge never observed desired=1 on the one-shot, and the upgrade
+tier's chaos redeploy reapplied the compose spec (replicas: 0) before its own converge checks.
+P2b folded the trigger into ops.py pre_install — which the orchestrator runs BEFORE the generic
+install assert. Also explains m2rr's odd "install fail but upgrade/backup/restore/custom all pass"
+shape exactly (redeploy resets the spec).
+
+Fix options weighed: (a) hook scales the one-shot back to 0 after the poll — rejected: on the
+timeout path the task is typically still Preparing (image pull) and scale-to-0 CANCELS it, so the
+observed "bucket lands just after the window" runs would become custom-tier RED, i.e. strictly
+worse than baseline; (b) move the trigger to a post-assert hook point — no such hook exists in the
+new convention and inventing one mid-M2 is scope creep; (c) teach services_converged that a
+replica deficit consisting entirely of Complete tasks IS converged — chosen: semantically correct
+(the one-shot did its job), restores baseline behavior for any triggered one-shot, and the
+converge window doubles as the late-landing grace. Disclosed delta: a genuinely FAILING one-shot
+now reds at install (converge timeout) instead of at the custom bucket test — both red, no false
+green. Guard: Failed/mixed/spinning-up/no-tasks-yet still block (unit-pinned, 7 cases).
+
+Branch fix/converged-oneshot @ be2026a, proposal in ADVERSARY-INBOX, awaiting approval per the M2
+fix-forward protocol. Unit suite 199 passed + lint PASS from the cc-ci working-tree rsync.
+
+## 2026-06-11 ~01:00Z — merge landed, queue shortened
+
+be2026a approved (REVIEW a531746, cold-verified independently) and merged as 6cabbe7; drone build
+350 green on the push head 914c166. Merged diff verified == branch diff (empty git diff be2026a..
+main for the two files). Post-fix proof m2p2-lasuite-drive queued from a FRESH clone
+/root/m2-postfix @6cabbe7 rather than git-updating /root/m2-sweep, because the serial queue's
+discourse runs exec from m2-sweep and swapping code under an active/imminent run is how you get
+unexplainable results. The discourse A/B therefore runs at 5c0676b (pre-converge-fix) — irrelevant
+to discourse (no one-shots), and the Adversary's approval explicitly noted that.
+
+Shortened the doomed m2p run: the generic install assert had already burned its 1800s converge
+deadline and failed; the overlay install test then started an IDENTICAL second 1800s burn (same
+assert_serving). SIGINT'd the overlay pytest child only — KeyboardInterrupt surfaced at
+generic.py:97, the exact diagnosed converge-poll line (a nice live confirmation), and the
+orchestrator advanced to the upgrade tier on its normal path. Teardown semantics untouched.
+Disclosed in STATUS so the log's KeyboardInterrupt is pre-explained.
+
+Drone API note for future me: no token on disk; fastest read-only check is docker cp the drone
+sqlite out and query builds (documented in STATUS). The Gitea statuses API returned empty for
+these shas (drone evidently doesn't post commit statuses here).
+
+## 2026-06-11 ~00:55Z — discourse A/B closed (harness-neutral), mechanism still unattributed
+
+m2p-discourse (new main, PR=2, @7ae7b0f) and ab-discourse-7ae7b0f-oldmain (old main, PR=2, same
+ref) failed the upgrade IDENTICALLY: HC1, chaos-version=eb96de94+U, all other tiers pass, L2.
+Same invocation as baseline 184 which was L4 five days ago. So: deterministic, harness-neutral,
+and something outside both harnesses drifted since 06-05. Eliminated: branch-tip existence (7ae7b0f
+still tips upgrade-0.8.0+3.5.0 + pr/2), upstream tag set (0.7.0+3.3.1 still latest), abra pin
+(flake.lock untouched by the restructure). Not eliminated: abra-internal interaction with repo/app
+state (the chaos stamp lands on the prev-base TAG commit despite the tree being at the PR head —
+my best guess remains something in how abra resolves the version/commit for the chaos label when
+COMPOSE_FILE includes the overlay and the project normalizes invalid, but m2r at 7d53d4ec stamping
+correctly with the same dangling depends_on kills the simple version of that theory). The
+`service "sidekiq" depends on...` line appears in passing AND failing upgrades, position-identical,
+so it discriminates nothing. M2-wise the question is settled — the restructure is exonerated by
+byte-identical old==new failure; chasing abra's stamp resolution further is post-phase work, filed
+as a DEFERRED note rather than burning more M2 wall-clock on a non-rcust mechanism.
+
+m2p2-lasuite-drive (the binding post-fix proof) auto-started at 00:48:58Z from /root/m2-postfix
+@6cabbe7. Watching for: no 1800s converge burn after the one-shot completes, then L5.
+
+## 2026-06-11 ~01:10Z — m2p2 green; "L5" turned out to be a moved goalpost (mainline, not ours)
+
+m2p2-lasuite-drive: rc=0, 3m19s, all stages pass, OIDC + MinIO custom tests green, and the
+fix-forward pair demonstrably exercised (one-shot overshot 90s again → best-effort line → late
+Complete → converge fix admitted it). But results.json said level=4 where the binding condition
+said L5 — heart-stopper until the git archaeology: run 189's level-5 + "L6 recipe-local N/A" cap
+didn't match ANY derive_rungs I could find in either world, because the 6-rung ladder was removed
+on MAIN by 46e2cdb+c51cd84 (PR #6) on 06-09, between the baseline runs and the merge — by the
+mirror/report phase, not rcust. The merge didn't touch level.py (checked 01e6d49^1..01e6d49), and
+run 204 on 06-09 (hours pre-deploy of the refactor) still shows 6 rungs — clean timeline. So the
+baseline matrix's "L5" rows need a schema-equivalence reading, declared in STATUS BEFORE the claim
+rather than negotiated after the Adversary trips on it. Lesson re-learned: a baseline matrix
+should pin the SCHEMA VERSION of its evidence, not just the level number.
+
+## 2026-06-11 ~01:30Z — M2 claim assembled
+
+Drone-path runs landed green (356 immich#2 L4, 357 plausible#3 L4, both with embedded
+customization manifests + clean flags, triggered by real !testme comments). Zero-leak verified
+after everything. Plausible's missing screenshot.png checked against its other runs — it never
+produces one (no screenshot surface), so not a capture regression. Claimed M2 with the full
+21-recipe reconciliation table against the corrected baseline; the three lasuite rows ride the
+Adversary-accepted L5≡L4+OIDC equivalence, bluesky-pds is the one justified exclusion, discourse
+is reconciled as env-drift with byte-identical old==new evidence. Nothing else unblocked in this
+phase while the verdict is out — holding per §7 case 2.
+
+## 2026-06-11 ~01:20Z — M2 PASS → ## DONE
+
+Adversary cold-verified the whole claim independently (re-ran the canaries themselves, jq'd all 21
+run dirs, re-checked the drone DB and the zero-leak state) and passed M2 with no findings and no
+VETO. M1 + M2 both stand; ## DONE written. Phase summary: 6 plan phases landed on one branch,
+merged after M1; the real-CI sweep then caught exactly TWO genuine regressions (both in the same
+lasuite-drive P2b hook port: raise-on-timeout, and one-shot-vs-converge ordering), both root-caused
+live, fixed forward under approval, and proven end-to-end — plus it surfaced two pre-existing
+environment drifts (discourse upgrade-HC1, bluesky-pds upstream image) that the A/B discipline
+kept from being misattributed to the restructure. The sweep-as-safety-net worked as designed.
--- a/JOURNAL-shot.md
+++ b/JOURNAL-shot.md
@ -0,0 +1,105 @@
+# JOURNAL-shot.md — Builder journal, phase `shot`
+
+## 2026-06-11 ~01:17–01:35Z — phase open, P1+P2 in one sweep
+
+Read the phase plan + plan.md §6.1/§7/§9. Enumerated enrolled recipes (19). Pulled per-recipe
+latest-run data off cc-ci (`results.json` screenshot field + PNG size for all ~190 run dirs),
+scp'd 18 PNGs to /tmp/shot-audit/ and Read every one of them.
+
+Findings vs the orchestrator pre-audit: all four 4801-2B suspects are indeed blank frames
+(immich pure white, lasuite-meet white, n8n off-white, cryptpad grey). keycloak 8.7KB is a
+"Loading the Administration Console" spinner — NOT a sparse login page as §2 guessed.
+lasuite-docs/drive ~5.9KB are lone spinners. Two surprises: (1) mattermost-lts 242KB, classed
+healthy by size, is actually the brand splash/loading screen, not the login form — size
+heuristics lie in both directions; (2) mumble serves a real web page (mumble-web client per
+compose.mumbleweb.yml, deployed since Phase 2 for HTTP health) showing its connecting spinner —
+so mumble is fixable, not an N/A.
+
+plausible root cause: traced via Drone sqlite (no python3 on host; ran alpine+sqlite3 against
+the drone data volume). Build 357 log t=73s: capture failed, last status=500 after 45s. Cross-ref
+tests/plausible/functional/test_health_check.py: `/` 500s via auth_controller under
+DISABLE_AUTH=true — permanent, not an init race. So the default landing capture can never work;
+plausible needs a SCREENSHOT hook to a path that renders (will probe /login, /sites on a live
+deploy during P3).
+
+bluesky-pds: null because install fails at level 0 (upstream image breakage, already in
+DEFERRED.md from rcust) — capture gated on deploy_ok, correctly skipped. N/A while upstream broken.
+
+custom-html nginx-welcome: verified no install-time seeding exists for this recipe (custom-html-tiny
+has install_steps.sh; custom-html only seeds in pre_backup/pre_upgrade ops, after capture). The
+nginx default page IS the honest fresh-install view. Leaving OK; flagged in matrix for Adversary.
+
+Adversary opened REVIEW-shot.md with its own cold pre-audit (4f3a747) before my first push —
+good: my visual reads agree with theirs on every overlapping row.
+
+Design thinking for P3 (next iteration): default-path improvement = after goto(domcontentloaded),
+try a bounded `wait_for_load_state("networkidle")` (~10-15s cap) and/or wait for a non-trivial
+painted body, then screenshot; then a blank-detect (PNG < ~6KB or near-uniform) → one retry with
+a longer settle. Keep total ≤ ~60s worst case, all inside the existing capture() try/except so R7
+(cosmetics never block) is preserved. Unit tests: blank-detector pure function + retry logic with
+a fake page. Per-recipe hooks only for plausible (500 root) + whatever the re-audit still shows.
+
+## 2026-06-11 ~05:45-06:00Z — plausible root cause was a 62-char SECRET_KEY_BASE; M1 PASSed meanwhile
+
+M1 PASS (ae10b55) with a watch-list. P3 done in two commits: ce50f64 (harness settle+blank-retry,
+6 unit tests, 205 pass, lint PASS) and b98a471 (plausible fix). The plausible story changed under
+probing: three live probes (shot-probe{,2,3}-plausible) showed / and every HTML route 302→/register
+which 500s; app logs gave the smoking gun: `(ArgumentError) cookie store expects conn.secret_key_base
+to be at least 64 bytes`. Our EXTRA_ENV value — comment claimed "64-char" — measures 62. So every
+page render 500'd while /api/* (no cookie store) passed all tiers. NOT auth_controller/DISABLE_AUTH
+as the old comments claimed; corrected both stale comments. Fix = 68-char value; verified
+shot-fix-plausible run: install pass, screenshot.png 64132B = real registration page (empty fields,
+placeholders only — same safe shape the Adversary blessed for n8n/uptime-kuma). No hook needed.
+
+P4 started: !testme posted 05:56:32Z on immich#2 + plausible#3 (drone builds 370+371 running,
+concurrent). Manual full proof run keycloak launched (shot-proof-keycloak). Remaining queue:
+mattermost-lts, cryptpad, lasuite-meet, lasuite-docs, lasuite-drive, n8n, mumble.
+
+## 2026-06-11 ~06:05-06:30Z — proof sweep underway; A1 fixed; mumble is the holdout
+
+Proofs verified visually so far (each level matches its baseline): drone 370 immich L4 234KB real
+onboarding card (was 4801B); drone 371 plausible L4 64KB registration page (was null); keycloak L4
+real sign-in form (was loading spinner); cryptpad L4 real landing w/ document picker (was grey blank);
+lasuite-meet L4 real product landing (was white blank); mattermost-lts L2(=m2r baseline L2) — real
+page but it's the desktop-or-browser interstitial, so per the watch-list I added the first
+SCREENSHOT hook (80e5713, → /login + public settle()); re-run pending.
+
+A1 (blank-retry could regress a larger frame): fixed in 7ad7d1f — retry goes to a temp path and
+only replaces via os.replace when >= first; regression test [9999,4801]→9999. 207 unit, lint PASS.
+
+mumble: proof run still spinner after settle+retry (7980B). Probing live what mumble-web does over
+90s (it printed real mumble-web HTML while up; suspect autoconnect overlay that never resolves
+because the websocket voice path may not be browser-reachable). Orchestrated probe2 running.
+Also in flight: n8n + lasuite-docs proofs from the A1-fixed tree. Queue: lasuite-drive, mattermost
+re-run; then ghost/hedgedoc/etc. healthy-class citations + dashboard/card check + runtime compare.
+
+## 2026-06-11 ~06:40-07:15Z — mattermost solved via click-through; mumble settled as best-available; M2 assembled
+
+mattermost: hook v1 (/login) produced a byte-identical interstitial PNG — mattermost shows the
+desktop-or-browser chooser on ANY first-visit route. Hook v2 clicks "View in Browser" (best-effort,
+suppress) → shot-proof3 PNG is the genuine "Log in to your account" form at L2=baseline. That's
+watch-list item 3 satisfied the hard way.
+
+mumble: three live probes. probe4 (90s DOM+console watch): localization loads, NO errors, NO failed
+requests, connect-dialog selectors match nothing, page stays at loading-container forever. orch5:
+websockify serves everything (its own 404s on /ws,/websocket; config.local.js = untouched sample, no
+autoconnect). Conclusion: the pinned mumble-web:0.5 client never paints for an anonymous visitor —
+not a capture bug, not fixable harness-side without changing the deploy (guardrail says upstream).
+Filed DEFERRED (6104a99); claiming the loader frame as documented best-available. Voice = the
+recipe's function and is protocol-tested; the Adversary may still want a different disposition —
+their call at the gate.
+
+Ops lessons this stretch: 3 simultaneous run launches race on abra catalogue fetch (lasuite-drive
+died "unable to update catalogue"; reran solo green) — stagger launches. Backgrounded one-shot ssh
+launchers with `cd X && nohup A & nohup B &` only cd for the first — give each its own cd.
+
+M2 evidence: 10 fixed-class proof runs (table in BACKLOG-shot P4, every PNG Read by me), 2 of them
+real !testme drone builds (370/371, durations 198s/166s vs 199s/209s baselines — plausible FASTER
+since capture stops burning its 45s fail window), healthy-class cited from P1, dashboard grid/card/
+badge all 200. Claiming M2.
+
+## 2026-06-11 ~07:20Z — phase complete
+
+M2 PASS (2b54adb): 18/18 PNGs independently Read, both !testme proofs confirmed genuine via bridge
+logs, durations/levels/R7 all verified, mumble N/A-variant agreed (Adversary reversed its M1 stance
+on the new DOM evidence), bluesky-pds N/A re-confirmed. Wrote ## DONE. Loop ends.
--- a/REVIEW-conc.md
+++ b/REVIEW-conc.md
@ -0,0 +1,442 @@
+# REVIEW-conc.md — Adversary ledger, concurrency-restructure phase
+
+Append-only. Verdicts: `<gate>: PASS @<ts>` + evidence, or `FAIL` + [adversary] finding in
+BACKLOG-conc.md. SSOT for what is verified: /srv/cc-ci/cc-ci-plan/concurrency-restructure-full-plan.md.
+
+## 2026-06-10T04:00Z — Adversary online; baseline pre-read (no gate pending)
+
+Pulled main @5b65c6c. No STATUS-conc.md, no `restructure/concurrency` branch — nothing claimed yet.
+Pre-read the CURRENT system (docs/concurrency.md @5b65c6c + lifecycle.py/run_recipe_ci.py) to
+anchor my later diff review in the as-is code, not the Builder's narrative.
+
+Current-system facts I will hold the restructure against:
+- Registry symbols slated for deletion (will grep for dangling refs at M1):
+  `register_run_app` (lifecycle.py:69, call site :283), `unregister_run_app` (:78, call sites :723, :766),
+  `_run_owner_state` (:83), `ACTIVE_RUN_DIR` (:43), `CCCI_JANITOR_MAX_AGE` (janitor :738),
+  `acquire_recipe_lock` (:46, call site run_recipe_ci.py:843), `RECIPE_LOCK_DIR` (:42).
+- Must survive untouched: `RUN_APP_RE` (lifecycle.py:26) allowlist semantics (warm/canonical apps
+  never probed), `services_converged()` paused-is-settled logic, docker-service sweep discovery,
+  `teardown_app(verify=False)` idempotence.
+- M1 verification plan (cold, my clone): checkout branch; `pytest tests/unit -q`,
+  `pytest tests/concurrency -q`, `scripts/lint.sh`; full diff review hunting: probe-vs-acquire
+  ordering races, signal-handler reentrancy (SIGTERM during teardown / SIGALRM during SIGTERM),
+  teardown-during-teardown, lock-fd lifetime (object dropped → GC closes fd → lock silently
+  released), symlinked servers/ write conflicts, janitor unlink-vs-reacquire race (unlink while a
+  waiter blocks on the old inode → two "held" locks on different inodes for one domain),
+  PDEATHSIG-after-fork ordering (prctl before ppid check), alarm(0) vs teardown duration,
+  setsid wrapper trap semantics under drone cancel, test-suite blind spots vs the 19 planned cases.
+- Tests/concurrency must NOT be wired into the default `pytest tests/unit` gate (plan decision).
+- M2 (post-merge, live): cancel-mid-run leak check, parallel immich#2+plausible#3, double-!testme
+  same PR blocks visibly, one full green run. NEVER merge/push recipe mirror repos.
+
+No verdict yet — waiting for Builder bootstrap/claim.
+
+## 2026-06-10T04:05Z — cold-verify environment established (prep, no gate)
+
+Builder seeded STATUS/BACKLOG/JOURNAL-conc; STATUS says P1 in flight, no gate claimed. Mapped the
+test-execution environment I'll use for the M1 cold run so a time-sensitive gate isn't spent
+debugging tooling:
+- Local VM devshell (`nix develop`) has only lintTools (no pytest). So pytest does NOT run here.
+- pytest 8.3.3 + playwright live in the host `pyEnv` (nix/modules/harness.nix) exposed as
+  `cc-ci-run` on cc-ci. `cc-ci-run -m pytest <path> -q` works as the real harness interpreter
+  (verified: `cc-ci-run -c "import pytest" -> 8.3.3`).
+- `.drone.yml` lint stage runs `nix develop .#lint --command bash scripts/lint.sh`.
+- COLD M1 PLAN: fresh `git clone`/checkout of `restructure/concurrency` into a throwaway dir ON
+  cc-ci → `cc-ci-run -m pytest tests/unit -q` + `cc-ci-run -m pytest tests/concurrency -q` +
+  `nix develop .#lint --command bash scripts/lint.sh`, all from that clean checkout (not the
+  Builder's working tree). Then adversarial diff review per my baseline hit-list.
+- Baseline `.drone.yml` on main is still the pre-restructure version (concurrency.limit=2,
+  acquire_recipe_lock / /run/cc-ci-active registry referenced) — confirms P1/P4 edits are
+  branch-only so far. Good.
+
+## 2026-06-10T04:23Z — early pre-review of P1+P2 (branch @b302f3a, NO gate claimed — NOT a verdict)
+
+Builder has pushed P1 (b492f99) + P2 (b302f3a) to restructure/concurrency; P3/P4/P5/tests still
+pending, so M1 is not claimable and this is NOT a PASS — it's pre-review to front-load the M1 diff
+audit and avoid re-doing it under gate time pressure. Read code/diff + git only; did NOT read
+JOURNAL (anti-anchoring intact). I actively tried to break the following and each concern was
+REFUTED:
+
+1. **Green-on-red via the .drone.yml EXIT trap** (my lead hypothesis). The wrapper is
+   `setsid cc-ci-run … & PID=$!; trap 'kill -TERM -- -$PID' TERM EXIT; wait $PID`. I worried the
+   EXIT trap's final `kill` status would override the harness exit code and mask a failing run.
+   EMPIRICALLY TESTED (4 bash repros incl. failing harness with a lingering group member that
+   makes kill succeed=0): bash PRESERVES the pre-trap exit status when the EXIT trap doesn't call
+   `exit`. Exit code propagates correctly in all cases (RED stays RED, GREEN stays GREEN). Refuted.
+2. **P2 unlink/reacquire inode race** (janitor unlinks a reaped orphan's lockfile while a new run
+   blocks on the old inode). Handled: both acquire_app_lock and _probe_and_reap recheck
+   `fstat(fd).st_ino == stat(path).st_ino` after acquiring and retry/bail on mismatch — a lock on
+   an unlinked (anonymous) inode is never treated as authoritative, and the path's lockfile is
+   never unlinked out from under a newer run. Refuted.
+3. **Half-reaped/new-app coexistence.** Reap runs WHILE HOLDING the probe lock; a new same-domain
+   run blocks in acquire_app_lock until reap completes. The pre-deploy window (lock held, app not
+   yet created) is covered: the stale-lockfile sweep sees the held lock (BlockingIOError) and
+   leaves it. Refuted.
+4. **Signal mid-normal-teardown aborting cleanup.** begin_teardown() is the FIRST line of BOTH
+   finally blocks (run_recipe_ci.py:663 run_quick, :1134 main); the _funnel_handler swallows
+   (logs+returns) any SIGTERM/SIGALRM once tearing_down is set, so a second signal can't abort the
+   cleanup the first asked for. install_lifetime_guards() is the FIRST statement of main() (:829),
+   before any abra/lock call, with prctl→ppid==1 recheck in the correct order. Refuted.
+
+Open items to confirm AT M1 (cold, full suite) — NOT defects, just unverified-until-then:
+- `datetime` import removed from lifecycle.py along with _stack_age_seconds — grep for any
+  remaining datetime use (ruff would catch an undefined name; confirm import truly orphaned).
+- `_stack_name` / age-fallback deadcode after the janitor rewrite — confirm no dangling refs.
+- Registry-symbol deletion is only PARTIAL on this commit: acquire_recipe_lock still present
+  (P3 deletes it); register/unregister/_run_owner_state/ACTIVE_RUN_DIR/CCCI_JANITOR_MAX_AGE are
+  gone — full dangling-ref grep belongs at M1 once P3 lands.
+- setsid-fork edge: if `setsid` ever forks (only when it's a pgrp leader; not the case for a
+  backgrounded job in a non-job-control drone shell), $PID would be the intermediate and the
+  harness would reparent to ppid==1 and self-abort. Live-verify the trap+cancel path at M2(a).
+- begin_teardown is process-global module state (lifetime._state) — fine for one harness process;
+  the tests/concurrency suite must not import-share it across in-process cases (verify at M1).
+
+## 2026-06-10T04:32Z — pre-review P3+P4 (branch @91d3cc7, NO gate claimed — NOT a verdict)
+
+Builder pushed P3 (17ebdf3 per-run ABRA_DIR) + P4 (91d3cc7 config cleanup). tests/concurrency +
+P5 docs still pending, so M1 still not claimable. Continued the front-loaded diff audit (code/git
+only; JOURNAL still unread). Findings — all CLEAN:
+
+- **Dangling-ref grep across runner/bridge/dashboard/nix = ZERO hits** for all 9 deleted symbols:
+  acquire_recipe_lock, register_run_app, unregister_run_app, _run_owner_state, ACTIVE_RUN_DIR,
+  CCCI_JANITOR_MAX_AGE, RECIPE_LOCK_DIR, _stack_age_seconds, _registry_path. The orphaned
+  `datetime` import is also gone from lifecycle.py. Clean deletion.
+- **Path centralization**: all `~/.abra/recipes/<recipe>` literals replaced by `abra.recipe_dir()`
+  (resolves `$ABRA_DIR else ~/.abra`) across abra.py (recipe_checkout, has_lightweight_version_tags,
+  recipe_head_commit, recipe_versions), generic._recipe_dir, lifecycle.prepull_images,
+  snapshot_recipe_tests, fetch_recipe. prepull's env_path stays canonical `~/.abra/servers/...`
+  which is correct (servers/ is the shared symlink target).
+- **Ordering verified** (main(), the only structural risk): install_lifetime_guards() is the FIRST
+  stmt (873); between it and setup_run_abra_dir() (891) there are ONLY env reads + a print — no
+  abra call; ABRA_DIR is exported at 891 BEFORE fetch_recipe (892) and before the first path-helper
+  recipe_head_commit (895). The `--quick` dispatch (run_quick, ~908) is AFTER 891, so the quick lane
+  inherits the per-run ABRA_DIR too. No tree is touched before ABRA_DIR is set.
+- **Manual-run isolation**: rid=="manual" → "manual-<pid>" so two hand-runs don't share a tree.
+
+Open items to confirm AT M1 (cold) — not defects:
+- setup_run_abra_dir symlink idempotency: `if not os.path.islink(link): os.symlink(...)` — if a
+  NON-symlink file pre-exists at servers/catalogue (reused run dir from a crashed partial), symlink
+  raises FileExistsError. Low risk (fresh run-id per Drone build) but worth a glance.
+- CCCI_SKIP_FETCH=1 now `rm -rf dest` + copytree(canonical, dest, symlinks=True) — confirm the
+  --quick rollback-proof staging tests still pass (they set CCCI_SKIP_FETCH).
+- tests/{ghost,discourse}/install_steps.sh RECIPE_DIR=${ABRA_DIR:-$HOME/.abra} mechanical path fix
+  — confirm it changed NO assertion/gate (guardrail: never weaken recipe-test gates). Diff-check.
+
+Net: the entire P1–P4 diff has been pre-audited and is clean against my break-it hit-list. M1 cold
+run, once claimed (after tests/concurrency + P5 land), reduces to: fresh checkout on cc-ci →
+`cc-ci-run -m pytest tests/unit -q` + `cc-ci-run -m pytest tests/concurrency -q` + lint, plus a
+focused review of only the tests/concurrency suite (vs the 19 planned cases) and the P5 doc delta.
+
+## M1: PASS @2026-06-10T04:38Z — implementation verified (branch restructure/concurrency @d3fe9e2)
+
+Verdict formed from the plan (SSOT), the code/git, the STATUS claim's verify recipe, and my own
+COLD acceptance run — WITHOUT reading JOURNAL first (anti-anchoring honored; noting here that I had
+NOT consulted JOURNAL-conc at verdict time).
+
+COLD ENVIRONMENT: fresh `git clone --branch restructure/concurrency` into /tmp/adv-m1 on cc-ci
+(NOT the Builder's tree); `git rev-parse HEAD == d3fe9e26bb0fbaedb37383539ba3973bc1c80aff` (matches
+claim), `git status` clean. Ran via the host `cc-ci-run` pyEnv (pytest 8.3.3 + playwright) and the
+pinned `.#lint` devshell.
+
+ACCEPTANCE RESULTS (expected → observed):
+- `cc-ci-run -m pytest tests/unit -q`         → 138 passed in 4.72s   ✓ (claim: 138 passed)
+- `cc-ci-run -m pytest tests/concurrency -q`  → 20 passed in 9.91s    ✓ (claim: 20 passed)
+- `nix develop .#lint --command bash scripts/lint.sh` → `lint: PASS`  ✓
+- `pytest tests/unit --collect-only` concurrency items → 0            ✓ (suite NOT in default gate)
+- dangling-ref grep (register_run_app, unregister_run_app, _run_owner_state, ACTIVE_RUN_DIR,
+  CCCI_JANITOR_MAX_AGE, acquire_recipe_lock, RECIPE_LOCK_DIR, _stack_age_seconds) over
+  *.py/*.nix/*.yml/*.sh → ZERO hits outside docs/                     ✓
+
+GATE-INTEGRITY (guardrails honored):
+- `RUN_APP_RE` regex unchanged (lifecycle.py:26, identical pattern); warm/canonical apps still
+  never become probe candidates (test_11 asserts no lockfiles even created for warm names).
+- `services_converged()` / paused-is-settled / `backup_app()` waits: NOT in the code diff — all
+  RUN_APP_RE/services_converged/paused diff hits are docs/concurrency.md prose (P5 rewrite).
+- `teardown_app` ordering untouched; only its trailing unregister call removed (registry gone).
+- Only `tests/<recipe>/` change is the mechanical `RECIPE_DIR=${ABRA_DIR:-$HOME/.abra}/...` line
+  in ghost+discourse install_steps.sh — NO assertion/gate touched (diff-confirmed). Guardrail
+  "never weaken recipe-test gates / touch tests/<recipe>/ content" honored.
+- P4: `concurrency.limit` block removed from .drone.yml; drone-runner.nix comment makes
+  DRONE_RUNNER_CAPACITY the single knob.
+
+ADVERSARIAL DIFF REVIEW (P1–P4 pre-audited in the two notes above; refuted: green-on-red exit-code
+masking [empirically tested], unlink/reacquire inode race [fstat==stat identity recheck],
+half-reaped coexistence [reap-under-probe-lock], signal-mid-teardown reentrancy [begin_teardown
+first line of both finally blocks], guard/ABRA_DIR/fetch ordering [no abra call pre-export]).
+
+TEST-SUITE AUDIT vs the 19 plan cases: real kernel flocks, NEVER mocked (only teardown_app +
+abra-discovery stubbed, both disclosed). Coverage complete: cases 1–4 test_locks, 5–12
+test_janitor, 13–16 test_lifetime, 17–19 test_abra_dir, +test_18b (manual-pid isolation) = 20.
+Assertions are substantive, not tautological: exact funnel exit codes 142/143 (test_15/16),
+reap-vs-new-run timestamp ordering + fresh-inode `lock_state=="held"` (test_7), two-janitor
+arbitration via separate open()s (test_8 — valid: flock binds the open file description, so
+threads-with-distinct-fds model processes), long-held mtime-backdate flag-not-steal (test_10),
+PEP 446 fd non-inheritance with a surviving child (test_3), divergent per-run trees + canonical
+untouched (test_18).
+
+INDEPENDENT PROBE (my own driver, NOT the Builder's helpers.py): drove the real
+`lifecycle.acquire_app_lock` from a standalone script with a sandbox CCCI_APP_LOCK_DIR on cc-ci →
+state `held` after acquire; a second acquirer BLOCKED while the first held (no ack2 after 1.5s);
+after `SIGKILL` of the holder the second acquired within 10s (kernel auto-release). Core invariant
+confirmed against the real code, not just the Builder's tests.
+
+NON-BLOCKING NOTES (carry to M2 live-verify; none gate M1):
+- setsid-fork edge in the .drone.yml trap wrapper: if `setsid` ever forks (only when it's a pgrp
+  leader — not the case for a backgrounded job in a non-job-control drone shell), $PID would be the
+  intermediate and the harness could reparent (ppid==1) and self-abort. MUST be live-verified by
+  the actual drone-cancel path at M2(a) — the plan already flags this ("verify drone exec runner
+  signal delivery; the trap must fire on drone cancel"). Not unit-testable here.
+- End-of-janitor stale-lockfile tidy sweep (appless leftover lockfile unlink) is not directly
+  covered by a named test (not one of the 19); low risk (tidiness only). Noted, not a defect.
+- test_14 (ppid race) depends on the helper reparenting to pid 1; under a subreaper it marks
+  NEVER_REPARENTED and FAILS VISIBLY (never false-passes). Passed in this env.
+
+CONCLUSION: M1 — implementation verified — PASS. M2 (merge to main + live verification a–d) is
+unblocked. Reminder for both loops: recipe-mirror PRs are !testme targets only — never merge/push
+them. (After this verdict I may consult JOURNAL-conc to contextualize, per §6.1.)
+
+## 2026-06-10T04:49Z — M2 merge integrity pre-check (M2 NOT yet claimed — not a verdict)
+
+Builder merged the branch to main (merge commit `bb5eb3d`, 2 parents 83a6c6e∘d3fe9e2, no force)
+after my M1 PASS, and is mid-M2 live verification (journal: M2(a) cancel-mid-run evidence, (b)
+parallel runs triggered). No `claim(conc): M2` commit yet; STATUS-conc still shows the stale M1
+line (Builder's file — will update at the M2 claim). Independent merge check:
+- `git diff bb5eb3d d3fe9e2 -- runner/ .drone.yml docs/concurrency.md tests/ nix/` = EMPTY → the
+  merge preserved EXACTLY the code I cold-verified at M1. No conflict-resolution drift introduced.
+- `git merge-base --is-ancestor d3fe9e2 bb5eb3d` = true.
+So deployed main == M1-verified tree. At the M2 claim I therefore re-verify only LIVE behavior +
+the push build, not the code again:
+  push build green; (a) cancel mid-run → no leaked python/lock, next janitor reaps the app, zero
+  leakage; (b) two parallel !testme (immich#2 + plausible#3) → both green, zero leakage; (c)
+  double-!testme same PR → 2nd blocks on the app lock (visible in its drone log) then runs; (d) one
+  full green end-to-end run. Evidence to come from Drone build logs + cc-ci state (abra app ls /
+  lslocks / docker), cold from my own access path.
+
+## 2026-06-10T05:00Z — wrapper exit-code fix verified + CORRECTION to my P1 pre-review (inbox consumed)
+
+Consumed ADVERSARY-INBOX.md (deleted) — Builder reported an M2 live-verify finding + fix. Folded in:
+
+**The defect (real, Builder-found, build 269 plausible#3):** the drone exec step shell is `set -e`.
+On a NORMAL (green) harness exit the P1 EXIT trap still fired and its `kill -TERM -- -$PID` of the
+already-exited process group returned ESRCH (exit 1), which under `set -e` poisoned the step's exit
+status to 1 — a fully GREEN run (all tiers pass, level=4) reported RED.
+
+**CORRECTION — my P1 pre-review was wrong on this point.** In my 04:23Z pre-review I claimed to have
+"empirically tested" green-on-red exit-code masking and REFUTED it. That test was run with plain
+`bash -c` WITHOUT `set -e` — the wrong shell mode. The real drone step runs `set -e`, where the bug
+manifests. I re-ran the matrix correctly now (bash -e), reproducing the bug (old wrapper + green +
+set -e → exit 1) and confirming I had the shell mode wrong. Lesson: model the EXACT runtime
+(set -e) for shell-trap behavior. The Builder caught this live; I did not. Owning it.
+NB the failure direction was false-RED (green reported red) — fail-safe-ish, not a green-on-red
+(no failing run was ever reported green); still a real defect.
+
+**The fix (e1c4198 on branch, merged to main b7a009c) — independently verified by me, cold under
+`set -e` (the correct mode this time):**
+```
+setsid cc-ci-run runner/run_recipe_ci.py & PID=$!
+trap 'kill -TERM -- "-$PID" 2>/dev/null || true' TERM EXIT
+rc=0; wait "$PID" || rc=$?
+trap - TERM EXIT
+exit "$rc"
+```
+My 4-path matrix (all under `bash -e`, exact-shape repros):
+- A green harness → step exit 0 ✓ (poisoning gone: `|| true` on the trap kill + `trap - EXIT` before exit)
+- B **red harness (exit 7) → step exit 7 ✓ — NOT masked to green.** Critical false-GREEN check
+  PASSES: `wait || rc=$?` captures the real rc and `exit "$rc"` propagates it. The
+  "failing PR must report RED" gate is preserved by the fix.
+- C old wrapper + green + set -e → exit 1 ✓ (bug reproduced — root-cause confirmed)
+- D cancel (TERM to wrapper mid-wait) → wrapper exits 143 AND the child received TERM
+  (CHILD_GOT_TERM logged) ✓ — cancel-forwarding semantics unchanged; the `trap - TERM EXIT` runs
+  only AFTER `wait` returns (post-forward), so it can't disarm the forward during a real cancel.
+
+Verdict on the fix: CORRECT and SAFE — resolves the false-RED poisoning without introducing
+false-GREEN, and preserves cancel forwarding. Folds cleanly into the pending M2 review.
+
+**M1 status unaffected:** M1 PASS was for the code/suites/lint/diff of d3fe9e2; this wrapper
+exit-code-under-set-e is a LIVE behavior M1's checks could not exercise (the trap only runs in the
+real drone exec shell). main now = d3fe9e2 + this .drone.yml wrapper fix; the fix is verified above.
+Open for the formal M2 verdict: re-confirm lint green on the new .drone.yml (yamllint), the push
+build green, and live (a) cancel-no-leak / (b) parallel both-green / (c) double-!testme blocks /
+(d) one full green run — cold, once the Builder posts the M2 claim with evidence.
+
+## M2(c): FAIL @2026-06-10T08:10Z — double-!testme same domain corrupts shared deploy-count → both runs RED + VETO
+
+Proactive cold break-it probe of the live M2 evidence (M2 not yet formally `claim(conc)`'d — the
+Builder's JOURNAL shows (c) "triggered" but NOT evidenced as PASS; I went straight to the Drone API
+to verify the in-flight (c) runs independently, not to the JOURNAL narrative). I found a REAL defect
+that breaks M2(c). Filed as BACKLOG-conc CONC-A1.
+
+EVIDENCE (Drone API, recipe-maintainers/cc-ci, cold via /run/secrets/bridge_drone_token — my own
+access path, not the Builder's word):
+- (c) = builds **279 + 281**, both `event=custom PR=2 RECIPE=immich REF=a92b28d…` → SAME domain
+  `immi-ad3e33.ci.commoninternet.net`. Both `status=failure` (step `ci` exit_code=1).
+- 281 (the blocked run): log `== app lock: ... in flight — waiting ==` @2s → `== acquired ==` @194s,
+  which is exactly when 279's process exited (279 finished 05:07:35Z). **Lock serialisation + the
+  visible block line WORK** — that half of (c) is fine.
+- 279 RED: `!! deploy-count 2 != 1 (DG4.1 violation)`.
+- 281 RED: `FileNotFoundError: /tmp/ccci-deploys-immi-ad3e33….ci.commoninternet.net` at
+  run_recipe_ci.py:1213.
+- Control build 275 (isolated immich, same fixed wrapper) → `deploy-count = 1`, GREEN. Confirms the
+  failure is concurrency-specific, NOT a pre-existing immich/wrapper regression.
+
+ROOT CAUSE (code, confirmed):
+- DG4.1 counter file is DOMAIN-keyed in shared /tmp, not per-run: `run_recipe_ci.py:930
+  /tmp/ccci-deploys-<domain>`. P3 isolated ABRA_DIR per run but this per-run state file was missed
+  (predates the restructure, ef44d46; the old recipe-flock serialised same-recipe runs end-to-end,
+  masking it).
+- `deploy_app()` calls `_record_deploy()` (lifecycle.py:250) BEFORE `acquire_app_lock()` (:254,
+  introduced by P2 b302f3a) → the increment races OUTSIDE the lock. 281's single pre-lock
+  `_record_deploy` (@2s) bumps the shared counter 279 is using (→2, false violation), and 279's
+  end-of-run `os.remove(countfile)` (:1215) deletes the file under 281 → FileNotFoundError.
+- Interleaving is fully reconstructed and self-consistent with the build timestamps (see CONC-A1).
+
+This is squarely in M2(c) scope: the plan's DoD (c) requires the second run to "block … then RUN"
+(implicitly green), and the phase's whole premise is "two concurrent !testme don't collide on
+domain/volume/secrets." This is a domain-keyed-state collision — the restructure's narrower domain
+lock no longer covers the deploy-count file. M1 (code/suites/lint/diff of d3fe9e2) is unaffected —
+this is a live concurrency behavior M1's checks could not exercise; the tests/concurrency suite has
+the matching blind spot (case 4 serialises acquire but never asserts deploy-count isolation across
+two same-domain runs).
+
+## VETO — M2 may NOT be marked DONE until CONC-A1 is fixed and I log a fresh (c) PASS
+Forbidding `## DONE` in STATUS-conc until: (1) deploy-counter keyed per-run; (2) a tests/concurrency
+case asserts same-domain deploy-count isolation; (3) live (c) re-run shows BOTH builds GREEN with
+the visible block line and zero leakage; (4) (a),(b),(d) re-confirmed unaffected. Only I clear this.
+(After this verdict I may consult JOURNAL-conc to contextualise — noting I had NOT read the (c)
+journal reasoning before forming this FAIL; I verified from the Drone API + code directly.)
+
+## 2026-06-10T08:20Z — CONC-A1 fix CODE-verified (veto conditions 1+2 met; 3+4 still pending — NOT cleared)
+
+Builder fixed CONC-A1 (b6e12ef, merged main 139e319) and is re-running M2 live (a)–(d). I
+cold-verified the FIX CODE from my own clone + a fresh checkout on cc-ci (not the Builder's word):
+
+- **Condition (1) per-run keying — MET.** `run_recipe_ci._run_state_path(name)` keys all four
+  run-scoped state files (`deploys`, `opstate`, `deps`, `depskip`) by `run_id()` + `os.getpid()`,
+  never domain. Grep: ZERO residual `ccci-<state>-{domain}` literals in prod code (only the
+  app-LOCK path stays domain-keyed, which is correct). All consumers env-read `CCCI_*_FILE`
+  (lifecycle:148, deps:72/155, generic:134) — no path re-derivation. Uniqueness holds even in the
+  manual fallback (`run_id()`→domain) because the `+pid` suffix separates two processes.
+- **Condition (2) same-domain isolation test — MET, and proven non-tautological.**
+  tests/concurrency/test_run_state.py adds test_20/20b/20c. test_20c drives REAL processes + the
+  REAL lock + real `_run_state_path`/`_record_deploy`, reproducing the 279/281 interleaving: run A
+  reads `COUNT 1` (NOT polluted to 2 by B's pre-lock increment) and B's file survives A's remove
+  (no FileNotFoundError). **Mutation check (my own):** reverting `_run_state_path` to domain-keying
+  in a throwaway cc-ci clone → all 3 test_run_state cases FAIL (incl. test_20c). So the test
+  genuinely guards the fix.
+- **Suites cold (fresh clone @4f6c955 on cc-ci):** unit 138 passed, concurrency 23 passed (was 20),
+  concurrency still NOT collected by the default `pytest tests/unit` run (0). lint not re-run here
+  (no .drone.yml/nix change in the fix; will confirm at the M2 claim).
+
+**VETO NOT cleared.** Conditions (3) live (c) re-run BOTH builds GREEN + visible block line + zero
+leakage, and (4) (a)/(b)/(d) re-confirmed on the fixed harness, still require the Builder's live
+evidence (in flight). The code fix strongly predicts a (c) pass but M2 is a LIVE gate — I will
+re-verify the (c) double-!testme cold from the Drone API once the Builder posts the M2 claim, and
+only then clear the veto.
+
+## 2026-06-10T08:43Z — live (c) round-2 (builds 290+291): serialization CONFIRMED via lslocks; delay is an immich-ML flake, NOT the restructure (not a verdict)
+
+(b)+(d) re-passed on the fixed harness (builds 287 immich#2 + 288 plausible#3, parallel, both
+success — I'll re-confirm at the M2 claim). (c) round 2 = builds 290+291 (both custom PR=2 immich,
+same domain immi-ad3e33), started 08:22:30Z. I inspected the LIVE host state cold (my own ssh):
+
+- **CORE INVARIANT DIRECTLY OBSERVED in the kernel lock table** — strongest possible proof of the
+  double-!testme serialization:
+  `lslocks`: pid 739163 (build 290) holds `WRITE` on cc-ci-app-immi-ad3e33….lock; pid 739341
+  (build 291) is blocked `WRITE*` on the SAME lock. Exactly one holder, one waiter, one inode.
+- 290 (holder) is sleeping in `services_converged()` poll (hrtimer_nanosleep, no abra child) because
+  `immich-machine-learning` is stuck 0/1: its container repeatedly fails the healthcheck
+  (`non-zero exit (143): dockerexec: unhealthy container`, swarm restarting every 1–6 min). Current
+  attempt (08:43) has gunicorn up, health `starting` — slow/flaky ML readiness, not a deploy break.
+- NOT caused by the restructure / teardown: 290's immich volumes (model-cache/postgres/uploads) +
+  .env are all from 290's OWN fresh deploy (08:23), not inherited from the earlier same-domain run
+  287. ML image present (1.36GB, no pull), host healthy (5.2Gi mem free, 65G disk). So this is an
+  immich-ML healthcheck flake, orthogonal to concurrency.
+
+Bearing on M2(c): the SERIALIZATION mechanism under test is verified working live. The "both GREEN"
+half of condition (3) is not yet demonstrated only because 290 is flake-blocked on immich-ML; if 290
+REDs on deploy-timeout, (c) needs a clean re-run (flake, not a code fault). VETO unchanged — I still
+require one clean (c) where both same-domain builds go GREEN with the block line + zero leakage.
+Continuing to watch 290/291 to terminal.
+
+## M2(c): PASS @2026-06-10T09:05Z — double-!testme same domain, CONC-A1 fixed; VETO LIFTED
+
+(c) round-2 builds 290+291 (both `custom PR=2 immich`, same domain immi-ad3e33, on CONC-A1-fixed
+main) both reached terminal **status=success**. Cold-verified from the Drone API + live host (my own
+access path), not the Builder's word:
+
+- **Both GREEN:** 290 success, 291 success (Drone API).
+- **Visible block line (the (c) requirement):** 291 log —
+  `== app lock: another run of immi-ad3e33….ci.commoninternet.net is in flight — waiting ==`
+  then `== app lock: acquired … ==`. I ALSO observed the serialization directly in the kernel lock
+  table mid-run (lslocks: 290 held WRITE, 291 blocked WRITE* on the same inode; after 290 exited,
+  291 held it). Strongest possible proof of the double-!testme serialization invariant.
+- **CONC-A1 regression GONE — the two exact round-1 failure points are now clean:**
+  - 290 (round-1 build 279 got false `deploy-count 2 != 1`) → now `deploy-count = 1 (expect 1)`,
+    all 5 tiers pass, level=4. Its run-keyed counter was NOT polluted by 291's concurrent pre-lock
+    `_record_deploy`.
+  - 291 (round-1 build 281 crashed `FileNotFoundError` at run_recipe_ci.py:1213) → now
+    `deploy-count = 1 (expect 1)`, all tiers pass, level=4, no traceback. Its own run-keyed countfile
+    survived 290's end-of-run remove.
+- **Zero leakage after both:** 0 harness procs, 0 immich apps / services / volumes / secrets, no held
+  cc-ci locks. One unheld 0-byte leftover lockfile (mtime 08:46, 291's acquisition touch) — reaped
+  on sight by the next janitor probe, harmless by design.
+- The ~20-min runtime each was an immich-machine-learning healthcheck slowness/flake (ML eventually
+  converged), NOT the restructure — already diagnosed in the 08:43Z note; serialization + isolation
+  both verified correct regardless.
+
+**VETO LIFTED.** The CONC-A1 veto ("no DONE until CONC-A1 fixed + a fresh (c) PASS") is cleared:
+conditions (1) per-run keying [code + mutation-proven], (2) same-domain isolation test
+[non-tautological], and (3) live (c) both-GREEN + block line + zero leakage are ALL met. CONC-A1
+closed in BACKLOG-conc.
+
+**Still required before DONE (full M2 gate, not the CONC-A1 veto):** the Builder must post the formal
+M2 claim in STATUS-conc with consolidated evidence, and I re-confirm condition (4) — specifically
+**M2(a) cancel-mid-run re-run on the CONC-A1-fixed harness** (b+d already re-confirmed: builds
+287+288 parallel both success on fixed main; a's only prior evidence (build 267) was on the
+pre-CONC-A1, pre-wrapper-fix harness) — plus the push build green on current main. (a) re-run had
+not yet appeared in Drone as of this verdict (Builder sequenced it after (c)). I will verify it cold
+when it lands.
+
+## M2: PASS @2026-06-10T08:55Z — merged + live-verified (a)–(d) on final main 139e319/74ed240
+
+Formal M2 gate verdict against the Builder's M2 claim (STATUS-conc, commit 74ed240). Formed from
+the plan (SSOT), the code/git, the claim's verify recipe, and my OWN cold re-runs from my own clone
+ fresh checkouts/Drone-API on cc-ci — not the Builder's narrative. All seven claim items confirmed:
+
+1. **Merge integrity** — `git diff 139e319 b6e12ef -- runner/ tests/ docs/ .drone.yml nix/` = 0 lines;
+   `b6e12ef ⊆ 139e319`; merge parents `2173894 ∘ b6e12ef`. So deployed main code == the CONC-A1 tree
+   I code-verified + mutation-proofed. No force-push (history linear). NB the claim mis-states the
+   first parent as `4ad55ed` (actual `2173894`, my M2(c)-FAIL commit) — immaterial: that's a state-
+   file commit, and the code-diff-empty check is authoritative.
+2. **Push build green** — Drone push builds 283–298 on main all `status=success`; no red push since
+   the merge.
+3. **Suites + lint (cold, fresh clone on cc-ci)** — unit 138 passed, concurrency 23 passed
+   (concurrency NOT in the default unit gate), `lint: PASS` on final main 74ed240. test_run_state
+   mutation-proofed (reverting to domain-keying fails all 3 cases).
+4. **(a) cancel-mid-run on fixed harness** — build 295 (custom immich#2): lockfile mtime 08:50:17
+   proves it acquired the app lock 7s in → canceled @08:51:05 MID-DEPLOY. After cancel (verified cold
+   ~1 min later): 0 harness procs (no leaked python — old §8.1 gap stays closed), no held locks (lock
+   released), no immich app/.env/containers(even stopped)/services/volumes/secrets → ZERO leakage,
+   full teardown. Killed-step logs not API-retrievable (Drone truncates), but the end-state is the
+   actual test and it is clean.
+5. **(b) parallel runs** — builds 287 (immich#2) + 288 (plausible#3), parallel, both
+   `status=success`, both `deploy-count = 1 (expect 1)`, level=4; host after = zero leakage.
+6. **(c) double-!testme same PR** — builds 290 + 291 (same immich domain): both success, 291 logged
+   the block line then `acquired`, both `deploy-count = 1`, zero leakage. Serialization also observed
+   directly in the kernel lock table mid-run (lslocks). Covered in detail by my M2(c) PASS @09:05Z.
+7. **(d) full green e2e** — build 287 (and 290): complete immich run, all 5 tiers pass, level=4.
+
+Both M2-found fixes are folded in and independently verified: wrapper exit-code-under-set-e
+(e1c4198/b7a009c, my 05:00Z note — red still propagates) and CONC-A1 run-keyed state files
+(b6e12ef/139e319, my 09:05Z M2(c) PASS + mutation proof). The ~20-min (c) runtimes were an
+immich-ML healthcheck flake (converged within DEPLOY_TIMEOUT=1500s), orthogonal to the restructure
+(diagnosed 08:43Z). Unheld 0-byte leftover lockfiles are by-design (next-janitor tidy-sweep).
+
+GUARDRAILS honored end-to-end: recipe-mirror PRs (immich#2, plausible#3) used as !testme targets
+only, never merged/pushed; cc-ci main touched only by the gated merges (no force-push); no secrets in
+any commit. RUN_APP_RE / services_converged / warm-canonical flows untouched (M1 diff review).
+
+CONCLUSION: **M2 — merged + live-verified — PASS.** M1 PASS (04:38Z) + M2 PASS (here) are both fresh
+in REVIEW-conc; no open VETO (CONC-A1 lifted). Per the phase DoD the Builder may now write `## DONE`
+to STATUS-conc. (Post-verdict I may consult JOURNAL-conc to contextualize; I had NOT read its M2
+reasoning before forming this verdict — verified from plan + code/git + Drone API + my own cold runs.)
--- a/REVIEW-rcust.md
+++ b/REVIEW-rcust.md
@ -0,0 +1,541 @@
+# REVIEW-rcust.md — Adversary ledger for the recipe-customization restructure phase
+
+SSOT for this phase: `/srv/cc-ci/cc-ci-plan/recipe-custom-restructure-full-plan.md`.
+Gates: **M1** (implementation verified — branch `restructure/recipe-custom`, unit+concurrency+lint
+green on cold clone, resolved-customization diff clean for all 21 recipes, adversarial diff review)
+and **M2** (merged + real-CI regression sweep matching baseline matrix). DONE requires fresh PASS
+for both with no open VETO.
+
+I own this file and the `## Adversary findings` section of BACKLOG-rcust.md only.
+
+---
+
+## Standing watch items (what I will hunt at M1/M2)
+
+- **Coverage loss** (cardinal risk): for every migrated recipe, old loaders' effective customization
+  values must equal new `meta.load()` values. Throwaway diff script over all 21 recipe dirs; any
+  delta = finding.
+- **Assertion weakening** in `tests/<recipe>/` diffs — migrations must be mechanical only (signatures,
+  fixture/key renames, underscore prefixes). Any changed assert/expected value = VETO.
+- **Deleted-code fallout** — dangling refs to `_recipe_meta`, `_load_meta`, `_recipe_extra_env`,
+  `_recipe_meta_flag`, `declared_deps`, `is_canonical_enrolled`, `OIDC_AT_INSTALL`,
+  `CHAOS_BASE_DEPLOY`, `SKIP_GENERIC`, `setup_custom_tests`, `deps_apps`, `deps_creds`, `deployed_app`.
+- **Validation gaps** — typo'd key / wrong type / callable-on-data-key must raise MetaError, not pass.
+- **R2 fixed end-to-end** — orchestrator load path delivers SCREENSHOT to screenshot.py.
+- **HC2 / F2-11 integrity** — repo-local default-deny, requires_deps skip-report, generic floor
+  semantics all unchanged.
+
+---
+
+## Verdicts
+
+_(no GATE verdict yet — M1 is not claimed. M1 only claims after P1–P6 are all on the branch;
+Builder has landed P1 (472a68b) + P2 (8cd72fd) and is mid-P3. The interim pre-review below is
+front-loaded break-it work on the FROZEN P1/P2 commits — NOT an M1 PASS.)_
+
+### Interim pre-review of frozen P1+P2 (branch @ 8cd72fd) — @2026-06-10, cold from upstream clone
+
+Done as idle-time break-it work while no gate is pending. P1/P2 phase commits won't be rewritten
+(Builder adds P3+ on top), so reviewing them now is non-wasted and front-loads M1. Cold clone of
+`origin/restructure/recipe-custom` into `/tmp/rcust-verify` from the true upstream remote.
+
+**No defects found so far.** Results:
+
+1. **Deleted-code fallout — CLEAN.** Grepped `runner/ tests/ scripts/` for live refs to every deleted
+   symbol (`_recipe_meta`, `_load_meta`, `_recipe_extra_env`, `_recipe_meta_flag`, `declared_deps`,
+   `is_canonical_enrolled`, `OIDC_AT_INSTALL`, `CHAOS_BASE_DEPLOY`, `SKIP_GENERIC`,
+   `setup_custom_tests`, `deps_apps`, `deps_creds`, `deployed_app`). All hits are comments/docstrings
+   explaining the deletion, test names, or the intentionally-RETAINED `CCCI_SKIP_GENERIC*` env form
+   (kept per P2c). Zero live call-sites. `setup_custom_tests.sh` files gone.
+2. **All-recipes-load-clean (typo gate) — PASS, independently.** Ran `meta.load()` (pure stdlib) over
+   all 21 recipe dirs cold via plain python3 (did NOT trust the Builder's test_meta.py). All 21 load;
+   non-default key sets sane. Every ALL-CAPS key used in any recipe_meta.py is in the 14-key registry.
+3. **Coverage-loss diff (CARDINAL check) — ZERO deltas on data keys + hook presence.** Throwaway
+   harness (`/tmp/diff_meta.py`) reproduces main's six-loader effective resolution (`_load_meta`,
+   `declared_deps`, `is_enrolled`, `_recipe_extra_env`) from MAIN's recipe_meta files and diffs vs the
+   BRANCH's `meta.load()` for all 21 recipes. After correcting one harness artifact (EXTRA_ENV default
+   is `{}` not None), **0/21 recipes show any delta** for HEALTH_PATH/HEALTH_OK/DEPLOY_TIMEOUT/
+   HTTP_TIMEOUT/BACKUP_CAPABLE/EXPECTED_NA/UPGRADE_BASE_VERSION/DEPS/WARM_CANONICAL + presence of
+   READY_PROBE/BACKUP_VERIFY/UPGRADE_EXTRA_ENV/EXTRA_ENV/SCREENSHOT.
+4. **Validation gaps — CLOSED.** Crafted tmp recipe_metas: typo'd key → MetaError (with "did you mean
+   DEPLOY_TIMEOUT?"); wrong type (`DEPLOY_TIMEOUT="str"`) → MetaError; callable on data key
+   (`DEPLOY_TIMEOUT=lambda ctx:...`) → MetaError; `_PRIVATE`/lowercase-helper → loads clean (exemption
+   works). All four behave per the locked decision.
+5. **meta.py read** — single `exec()`, frozen `RecipeMeta` generated from `KEYS`, `_coerce` rejects
+   bool-as-int and callable-on-data-key; `non_default` compares vs registry default. No issues.
+
+**Still UNVERIFIED for M1 (do NOT treat above as M1 PASS):** full `pytest tests/unit -q` +
+`pytest tests/concurrency -q` + `scripts/lint.sh` cold on the cc-ci host; R2 end-to-end through the
+real orchestrator screenshot path; P3 ctx-hook signature migration (assert byte-identical, legacy
+`lambda domain:` raises clear MetaError); P4/P5/P6; re-run the coverage diff on the FINAL branch
+(P3 changes hook signatures); recipe-test diffs are mechanical-only (no assertion weakening);
+HC2/F2-11/generic-floor integrity. These wait for the `claim(rcust): M1`.
+
+### Interim pre-review of frozen P3 (branch @ fd02d9f) — @2026-06-10, cold from upstream clone
+
+Builder landed P3 (uniform ctx hook convention) and moved to P4, so P3 is frozen. Pre-reviewed it.
+**No defects found.**
+
+1. **Mechanical-migration discipline — HELD (no VETO trigger).** `git diff 8cd72fd..fd02d9f` over
+   `tests/*/` shows ZERO changed assert/expected literals. Every hook change is purely
+   `def HOOK(domain[, meta])` → `def HOOK(ctx)` + `domain` → `ctx.domain` in the body. Spot-checked
+   cryptpad/mumble/ghost/lasuite-drive recipe_meta.py + lasuite-drive ops.py: seeded values, return
+   dicts, paths, status codes, and the `pre_restore` `assert _psql(...) in (...)` are byte-identical
+   apart from the `ctx.` deref.
+2. **HookCtx — present + complete.** `meta.HookCtx` frozen dataclass has all 5 documented fields
+   (`.domain`, `.base_url`, `.meta`, `.deps`, `.op`); `meta.hook_ctx(domain, meta, op=…)` factory
+   builds it and pulls `deps` from `$CCCI_DEPS_FILE`. All call sites migrated: run_recipe_ci
+   `pre_<op>`, BACKUP_VERIFY; lifecycle `extra_env` + READY_PROBE; screenshot `SCREENSHOT(page, ctx)`.
+   (NB my first pass falsely flagged "no HookCtx" — that was a STALE WORKTREE at P2; corrected by
+   checking out fd02d9f. Logged here for honesty.)
+3. **Legacy-signature guard (P3.4) — PRESENT + works, live-probed.** `meta.check_hook_signature`
+   exact-matches positional params and raises a CLEAR MetaError naming the P3 migration + HookCtx
+   fields. Wired into both `load()` (recipe_meta hooks; SCREENSHOT expects `(page, ctx)`, rest
+   `(ctx)`) and the orchestrator (ops.py `pre_<op>`). Crafted tmp metas: legacy `READY_PROBE(domain)`,
+   `SCREENSHOT(page, domain, meta)`, `EXTRA_ENV(domain)` all → MetaError at load; `READY_PROBE(ctx)`
+   loads clean. No silent mid-run TypeError path.
+4. **Coverage diff re-run at P3 head — still 0/21 deltas** (hook presence + all data keys unchanged).
+
+Net: P1+P2+P3 all clean under cold adversarial probing. M1 still gated on full unit+concurrency+lint
+on the cc-ci host, P4–P6, R2 end-to-end via the real screenshot orchestrator path, and a final
+coverage re-diff. No findings filed; no VETO.
+
+### Interim pre-review of frozen P4 (branch @ 29a28e2) — @2026-06-10T18:55Z, cold from fresh host clone
+
+Builder landed P4 (custom-test ergonomics) and moved to P5, so P4 is frozen. Pre-reviewed it cold.
+**No defects found.** NOT an M1 verdict — M1 stays gated (see "Still UNVERIFIED" below).
+
+Cold acceptance (fresh `git clone` on cc-ci host at 29a28e2, my own checkout — not the Builder's):
+- `cc-ci-run -m pytest tests/unit -q` → **184 passed** (exact match to claim; full suite, no
+  cross-fixture pollution from the session-scoped `deps` fixture).
+- `cc-ci-run -m pytest tests/unit/test_discovery.py test_discovery_phase2.py
+  test_conftest_fixtures.py -q` → 14 passed.
+- `nix develop .#lint --command scripts/lint.sh` → **lint: PASS** (ruff format/check, deadnix,
+  shfmt, shellcheck, yamllint all clean).
+
+Correctness probes:
+1. **Placement-rule claim ("zero in-repo users of top-level custom tests") — HOLDS.** Filesystem
+   sweep of every `tests/<recipe>/test_*.py`: ALL are lifecycle names (test_{install,upgrade,
+   backup,restore}.py). No top-level non-lifecycle custom exists in-repo, so dropping the top-level
+   glob in `discovery.custom_tests` loses ZERO coverage. The lifecycle-name exclusion is retained
+   inside functional/playwright as the double-run safety net.
+2. **Discovery diff — clean.** Top-level `glob(test_*.py)` branch removed; functional/ + playwright/
+   subdir globs retained with `basename not in lifecycle_names` guard. Docstring + module header
+   updated to state the placement RULE.
+3. **Test changes are adaptation + strengthening, NOT weakening (no VETO trigger).**
+   - `test_discovery_phase2`: renamed to `..._placement_rule_...`; now ASSERTS the top-level
+     `test_sso_smoke.py` is `not in names` (new negative assertion proving the behavior change),
+     while functional/playwright customs are still `in names` and lifecycle name excluded.
+   - `test_discovery::test_custom_tests_repo_local_gated`: repo-local custom moved from top-level
+     into `functional/`; HC2 default-deny (`== []` when unapproved) and approved-case
+     (`functional/test_sso.py in names`, `test_install.py` excluded) both INTACT. HC2 integrity
+     preserved.
+4. **op_state fixture — correct.** Skips with clear reason on unset env / missing file / non-JSON
+   (`except ValueError` catches JSONDecodeError); reads & returns parsed dict otherwise. Tests
+   cover 3 of 4 paths (the non-JSON skip path is untested — minor coverage gap, not a defect; the
+   branch is trivially correct by inspection).
+
+Net: P1+P2+P3+P4 all clean under cold adversarial probing; both halves of every phase claim
+(unit count + lint) reproduced cold on a fresh clone. No findings filed; no VETO.
+
+**Still UNVERIFIED for M1 (do NOT treat above as M1 PASS):** P5 (manifest) + P6 (docs);
+`pytest tests/concurrency -q` cold; R2 end-to-end through the real orchestrator screenshot path;
+final coverage re-diff on the COMPLETE branch (P1–P6, all 21 recipes, effective customization set
+unchanged); recipe-test diffs mechanical-only across the whole branch; HC2/F2-11/generic-floor
+integrity at the final head. These wait for `claim(rcust): M1`.
+
+### Interim pre-review of frozen P5 (branch @ 68954be) — @2026-06-10T19:06Z, cold from fresh host clone
+
+Builder landed P5 (customization manifest) and moved to P6, so P5 is frozen. Pre-reviewed it cold.
+**No blocking defect; one secret-SURFACE observation raised (heads-up to Builder, NOT a VETO, NOT
+an M1 secret-leak failure).** NOT an M1 verdict.
+
+Cold acceptance (fresh `git clone` on cc-ci host at 68954be, my own checkout):
+- `cc-ci-run -m pytest tests/unit -q` → **191 passed** (exact match to claim).
+- `nix develop .#lint --command scripts/lint.sh` → **lint: PASS**.
+
+Primary adversarial target — SECRET LEAKAGE via the new manifest surface (D-gate: published logs +
+dashboard contain NO secrets, incl. generated app passwords):
+1. **Generated/runtime secrets — NOT exposed (gate holds).** `manifest.build` collects only:
+   `meta_non_default` (static recipe_meta), hook NAMES (pre-ops/install_steps.sh/compose.ccci.yml),
+   overlay FILENAMES, custom-test COUNTS, and env-override KEY names (printed `KEY=1`, value never
+   rendered). It never touches `deps` (client_secret), `op_state`, abra-generated app passwords, or
+   any env VALUE. The cardinal concern — generated app passwords on the dashboard — is structurally
+   absent from this surface.
+2. **Cold all-recipes sweep.** Built+rendered the manifest for all 21 recipes on the host; grepped
+   the rendered blocks AND the results.json `customization` payload for secret/password/token/key/
+   credential and for any 32+ char high-entropy string. The ONLY hit, across every recipe, is
+   plausible's `EXTRA_ENV.SECRET_KEY_BASE` =
+   `"ccciplausibletestkeybase64charsexactlyforCIephemeral4567890123"`.
+3. **OBSERVATION (not a leak):** that value is a HARDCODED, committed, PUBLIC dummy CI constant
+   (tests/plausible/recipe_meta.py, in the open-source repo) — not a generated or real secret.
+   `meta_non_default` dumps EXTRA_ENV literal dicts verbatim into the log AND results.json (→
+   dashboard), so a field literally named `SECRET_KEY_BASE` with a value now appears on the
+   dashboard. No real secret is exposed (it's public), so this is NOT a D-gate failure and does NOT
+   block P5. BUT it's a standing surface: (a) a dashboard secret-scan gets a true-positive-shaped
+   hit on a public dummy (noise that could mask a real leak), and (b) if any recipe ever set a real
+   secret-ish literal in a meta dict, the manifest would surface it unredacted. Flagged to Builder
+   via BUILDER-INBOX as a heads-up to consider redacting values of sensitive-named meta keys before
+   M1. Will re-examine on the real dashboard at the M1 cold-verify.
+4. **HC2-honoring — confirmed.** Manifest routes ALL repo-local reads through `discovery._gated`
+   (ops.py loop direct; `install_steps`/`resolve_overlay_op`/`custom_tests` each call `_gated`
+   internally). An unapproved repo-local recipe contributes nothing to the manifest.
+5. **Pure presentation — holds.** `build()` only reads files/env and returns a dict; `render()`
+   formats a string. Called at run_recipe_ci.py:889-890 (print) + embedded at :1261 into results;
+   no state mutation, no verdict influence. `_jsonable` renders callables as `'<hook>'` (so a
+   callable EXTRA_ENV/READY_PROBE never leaks closure internals) and tuples→lists for JSON.
+
+Net: P1–P5 all clean under cold adversarial probing; every phase claim (unit count + lint)
+reproduced cold. No findings filed; no VETO. One non-blocking secret-surface heads-up sent.
+
+**Still UNVERIFIED for M1:** P6 (docs); `pytest tests/concurrency -q` cold; R2 end-to-end via the
+real orchestrator screenshot path; final coverage re-diff on the COMPLETE branch (all 21 recipes,
+effective customization unchanged); recipe-test diffs mechanical-only across the whole branch;
+HC2/F2-11/generic-floor integrity at final head; AND — at the M1 dashboard check — confirm the
+SECRET_KEY_BASE-named field on the real dashboard is the accepted public dummy (or redacted).
+These wait for `claim(rcust): M1`.
+
+## M1 — implementation verified: **PASS** @2026-06-10T19:27Z (branch `restructure/recipe-custom` @ 858e0f5)
+
+Cold-verified from TWO fresh clones on the cc-ci host (NEW=858e0f5, OLD=main pre-restructure;
+merge-base 49fb818 confirmed → `main..858e0f5` is exactly P1–P6). Verdict formed from the phase plan
+(SSOT), the code/git history, the STATUS verification facts, and my own cold re-runs — NOT from
+JOURNAL rationale (isolation discipline; I did not need to consult JOURNAL).
+
+**All M1 Definition-of-Done items PASS:**
+
+1. **Cold test suites — match claim exactly.** Fresh clone @858e0f5:
+   `cc-ci-run -m pytest tests/unit -q` → **192 passed**; `tests/concurrency -q` → **23 passed**
+   (untouched by this plan, proven); `nix develop .#lint --command scripts/lint.sh` → **lint: PASS**.
+
+2. **Coverage diff (cardinal risk) — 0 REAL deltas / 21 recipes.** Wrote throwaway extractors that
+   resolve EVERY recipe's effective customization in BOTH worlds — OLD via the legacy loaders
+   (`_load_meta` + `lifecycle._recipe_extra_env` + `deps.declared_deps` + `_recipe_meta_flag`),
+   NEW via `meta.load()` + `meta.extra_env/upgrade_extra_env` — for the common keys (HEALTH_*,
+   timeouts, DEPS, EXTRA_ENV resolved at a fixed domain, UPGRADE_EXTRA_ENV, BACKUP_CAPABLE,
+   EXPECTED_NA, UPGRADE_BASE_VERSION, READY_PROBE/BACKUP_VERIFY presence). Diff = **0 behavioral
+   deltas**; the only raw diffs were 20× `UPGRADE_EXTRA_ENV: None→{}` (unset default representation,
+   behaviorally identical) and mumble (most-customized: callable EXTRA_ENV→dict, UPGRADE_EXTRA_ENV,
+   READY_PROBE) is **byte-identical** old↔new.
+   Deleted keys accounted for (no silent loss): `SKIP_GENERIC` (0 recipe users); `CHAOS_BASE_DEPLOY`
+   → overlay-presence (discourse+ghost, exactly the two shipping compose.ccci.yml — perfect 1:1, no
+   change either direction); `OIDC_AT_INSTALL` → install-time made universal (drive+meet were
+   already install-time). **lasuite-docs** declared DEPS but NOT OIDC_AT_INSTALL → OLD post-install,
+   NEW install-time: an INTENTIONAL P2b consolidation, not a drop — flagged below for M2 validation.
+
+3. **Assertion weakening (VETO-class) — NONE.** Full branch diff over all recipe test files
+   (excl. harness unit/concurrency/regression): 18 removed asserts, 18 added. After mechanical
+   normalization (`domain`→`ctx.domain`, `deps_creds`→`deps`, `MAX_USERS`→`_MAX_USERS`, whitespace)
+   the removed and added assert sets are **IDENTICAL** — zero unmatched in either direction. Every
+   change is a pure signature/fixture/constant rename; no expected value altered, no assert deleted.
+   Spot-confirmed discourse/ghost `_psql(domain,…ci_marker…) in (…)` → `ctx.domain` only (expected
+   tuple + SQL byte-identical). **No VETO.**
+
+4. **Deleted-code fallout — clean.** No dangling LIVE refs to any of the 13 deleted symbols
+   (`_recipe_meta`/`_load_meta`/`_recipe_extra_env`/`_recipe_meta_flag`/`declared_deps`/
+   `is_canonical_enrolled`/`OIDC_AT_INSTALL`/`CHAOS_BASE_DEPLOY`/`SKIP_GENERIC`/`setup_custom_tests`/
+   `deps_apps`/`deps_creds`/`deployed_app`). Only residue: stale DOC/comment mentions of
+   `OIDC_AT_INSTALL` + `setup_custom_tests.sh` in PARITY.md files (non-blocking P6 cosmetic nit).
+
+5. **Validation gaps — closed.** Cold-probed `meta.load()` with synthetic bad metas: typo'd key,
+   str-on-int, bool-as-int, callable-on-data-key, legacy hook sig `READY_PROBE(domain)`, and unknown
+   key ALL → `MetaError` (clear, names the offending file/key). Clean + underscore-private-helper
+   metas load fine (no false positives). No silent pass.
+
+6. **R2 fixed end-to-end.** Cold proof through the REAL load path: a recipe declaring
+   `def SCREENSHOT(page, ctx)` is surfaced by `meta.load()` and resolved callable by
+   `screenshot._load_screenshot_hook` (old L1 allowlist dropped it — now arrives); orchestrator wires
+   it `run_recipe_ci.py:1029 capture(…, recipe_meta=meta)` → `hook(page, hook_ctx(domain, meta))`.
+   Absent recipe → None (default landing-page path). Legacy `SCREENSHOT(page, domain, meta)` sig
+   rejected at load.
+
+7. **HC2 / F2-11 / generic-floor integrity — preserved.** Cold-probed `discovery.custom_tests` +
+   `install_steps`: UNAPPROVED repo-local → `[]` / `None` (default-deny holds); APPROVED → surfaced.
+   `sso_dep_unverified` (F2-11) logic UNCHANGED (only a comment edited) — a deps-not-ready run that
+   skips ≥1 `requires_deps` test still suppresses the green signal. Generic floor `_skip_generic`
+   default = run (additive); opt-out now env-only (same env vars as before; the 0-user meta key
+   removed) and surfaced LOUDLY in CI + flagged `!!` in the manifest — strictly stronger, never
+   silent.
+
+8. **(Bonus) P5 secret-surface heads-up RESOLVED + verified.** The Builder landed `858e0f5`
+   redacting secret-named meta values in the manifest (my P5 BUILDER-INBOX ask). Cold-verified:
+   `plausible.EXTRA_ENV.SECRET_KEY_BASE` → `<redacted>` in BOTH the log block and results.json;
+   recursive into nested dict keys; word-segment `(^|_)KEY(_|$)` regex avoids over-match
+   (KEYCLOAK_* passes). All-21-recipe sweep: exactly 1 redaction, ZERO over-redaction, ZERO
+   under-redaction (no secret-shaped value remains). Regression test
+   `test_manifest_redacts_sensitive_named_values` present.
+
+**Verdict: M1 PASS.** No findings filed, no VETO.
+
+**This does NOT clear `## DONE`.** Per the phase DoD, DONE requires a fresh Adversary PASS for BOTH
+M1 *and* M2. M2 (merged-main real-CI regression sweep vs the committed baseline matrix) is still
+unverified. M2 watch-items I will specifically re-check from run logs:
+- **lasuite-docs OIDC is now install-time** (post→install change above) — must pass a real run with
+  OIDC wired at install (skip-count 0 on its `requires_deps` tests).
+- the customization spot-checks the plan §M2.4 enumerates (mumble READY_PROBE tcp lines, cryptpad
+  SANDBOX_DOMAIN, ghost/discourse BACKUP_VERIFY + overlay copy + auto-chaos base deploy, lasuite-*
+  deps provisioning + OIDC tests ran, immich ops.py seeds, manifest block present in every log,
+  screenshot.png where capture succeeded).
+- canary suite (RED canaries still caught at intended tier) + per-recipe level == baseline matrix.
+- zero leaked apps after teardown.
+
+### M2-prep — independent hook-port audit (shell→python / best-effort↔fatal drift) @2026-06-10T20:55Z
+
+Triggered by the lasuite-drive regression (below), which my M1 PASS MISSED: my M1 coverage diff
+compared recipe_meta KEYS (resolved values), not ops.py hook BODIES, and my assertion scan matched
+`assert ` not `raise AssertionError`. So a hook that flipped best-effort→fatal was invisible to my
+M1 method. M2 (real-CI sweep) caught it — the safety net working as designed. I then audited ALL
+hook ports cold (`git diff c2508c7..origin/main` per recipe ops.py + the 2 setup_custom_tests.sh
+ports), filtering for non-mechanical error-handling (raise/assert/except/exit/timeout/poll changes):
+
+- **lasuite-drive `pre_install`** — GENUINE rcust regression (Builder-disclosed, I confirmed):
+  OLD setup_custom_tests.sh bucket poll fell through on 90s timeout (best-effort, no failure; the
+  custom-tier `test_minio_storage.py` upload→list→download is the real gate); NEW port added a
+  terminal `raise AssertionError` → deterministic install RED when the bucket appears just after
+  90s. Fix-forward APPROVED (restore best-effort print+return, scoped to line-54 only; conditioned
+  on an L5 re-run + my diff re-verify). See approval entry in BUILDER-INBOX history (commit 57c66ad).
+- **lasuite-docs `install_steps.sh`** — INTENTIONAL P2b change, NOT a defect: OLD setup_custom_tests
+  did `exit 1` on missing deps/null KC creds; NEW does `exit 0` (no-op) for missing-deps (gated now
+  by F2-11: the `@requires_deps` OIDC test skips → `sso_dep_unverified` suppresses green) BUT
+  preserves `exit 1` on secret-insert failure. Consistent with the install-time-deps redesign.
+  WATCH-ITEM (residual): the missing-deps path now relies entirely on F2-11; the sweep didn't
+  exercise it (deps were ready, skip-count 0). Mechanism verified present at M1; not blocking.
+- **All other ops.py** (cryptpad, discourse, ghost, immich, keycloak, lasuite-meet, matrix-synapse,
+  mattermost-lts, mumble, n8n, plausible, custom-html) — pure mechanical ctx migration
+  (`domain`→`ctx.domain`, `meta`→`ctx.meta`); expected tuples/strings byte-identical (spot-checked
+  keycloak 201/409 + 204/200, discourse/ghost _psql ci_marker). No error-handling drift.
+
+Net: exactly ONE accidental hook-port regression (lasuite-drive), now under approved fix. No other
+best-effort↔fatal flips. This audit closes the M1-method gap for the hook bodies.
+
+---
+
+### M2 proof-run independent analysis (cold, Adversary) @2026-06-10T23:53Z
+
+M2 is NOT yet claimed by the Builder; this is my independent read of the proof runs sitting on
+cc-ci (`/var/lib/cc-ci-runs/{m2b-*,ab-*-oldmain}`), parsed myself via jq (NOT trusting Builder
+narrative). The 6 first-sweep mismatches break down as follows.
+
+**Confirmed root fact — REF MISMATCH is real (I verified, not taken on faith).** Every baseline
+matrix run used a *PR-head* ref; the first M2.3 sweep used each mirror's *default-branch head* — a
+different commit. Independently confirmed via `results.json.ref`:
+| recipe | baseline run/ref/level | sweep ref/level |
+|---|---|---|
+| discourse | 184 / 7ae7b0f76efb / L4 | 7d53d4ec390f / L2 |
+| plausible | 308 / 13458fac56a1 / L4 | da159375d89a / L2 |
+| mattermost-lts | 196 / a333e31a6002 / L4 | 41c9eb8e5f34 / L2 |
+| immich | 307 / 107d7220adce / L4 | 7eb3937a82d0 / L2 |
+| lasuite-drive | 189 / ffa7d585afa2 / L5 | f4135d78201e / L0 |
+So the sweep was NOT apples-to-apples vs the baseline matrix. Reconciliation requires either
+(a) re-run at the baseline ref on new main == baseline level, or (b) A/B same-ref old-vs-new main
+== same level. Status per recipe:
+
+- **immich** — m2b-immich (new main, baseline ref 107d7220adce) = **L4 == baseline L4. CLEAN.**
+- **mattermost-lts** — m2b (new main, a333e31a6002) = **L4 == baseline L4. CLEAN.**
+- **plausible** — m2b (new main, 13458fac56a1) = **L4 == baseline L4. CLEAN.**
+  → these three: restructure proven INNOCENT (baseline ref reproduces baseline level on merged main).
+- **bluesky-pds** — ab-bluesky-pds-oldmain (OLD main, b2d86efba3f1) = L0 == new-main sweep L0 at
+  same ref → restructure-NEUTRAL at the sweep ref. (Baseline is "L4-equiv, pre-results-era", no run
+  id — softer baseline; A/B neutrality is the available evidence.)
+- **discourse — NOT yet clean. OPEN.** Two *distinct* flake modes seen, and the A/B was run at the
+  wrong ref to close the gap:
+  - baseline 184 (OLD main, 7ae7b0f): all pass → L4.
+  - m2b-discourse (NEW main, SAME ref 7ae7b0f): **upgrade FAILED**, HC1 guard fired —
+    "upgrade deployed chaos commit 'eb96de94+U', not intended PR-head '7ae7b0f76efb' — re-checkout
+    to code-under-test failed (HC1)" → L1.  ← same-ref old=L4 vs new=L1 discrepancy, UNexplained.
+  - ab-discourse-oldmain (OLD main, 7d53d4ec): **restore FAILED** (ci_marker truncated-dump race)
+    → L2 == new-main sweep L2 at that ref → neutrality proven, but for the RESTORE mode at the
+    DEFAULT-head ref, NOT for the L1/upgrade-HC1 mode at the baseline ref.
+  - Net: the clean A/B (ref 7ae7b0f on OLD main vs NEW main) that would explain L4→L1 was NOT run.
+    The upgrade re-checkout/HC1 path lives in run_recipe_ci.py/lifecycle which the meta-param
+    threading DID touch — so "pre-existing flake" is plausible but UNPROVEN here. To clear: run
+    discourse @7ae7b0f on OLD main (does it deterministically reproduce L4, or also flake to L1?),
+    and/or repeat @7ae7b0f on new main to characterise the HC1 re-checkout as a race. The HC1 guard
+    FIRING (not silently passing the wrong commit) is the safety net working — good — but it means
+    the upgrade did not exercise the PR code, so the run is inconclusive, not a clean baseline match.
+- **lasuite-drive** — fix-forward 1357544 (restore best-effort bucket poll) landed; needs a fresh
+  L5 run at the baseline ref ffa7d585afa2 on merged main to confirm baseline. m2rr/earlier runs
+  predate or used the default head — NOT yet a clean baseline match. OPEN.
+
+**M2 disposition: still OPEN — no PASS.** 3/6 cleanly reconciled (immich/mattermost/plausible);
+bluesky neutral-at-sweep-ref; discourse + lasuite-drive NOT yet closed. I will require, at the M2
+claim: (1) discourse same-ref A/B (or repeat) explaining L4→L1; (2) a clean lasuite-drive L5 at
+baseline ref; (3) my own cold re-parse of every per-recipe level vs baseline; (4) the M2.4
+customization-executed spot-greps; (5) zero leaked apps. Recorded a BUILDER-INBOX heads-up on the
+discourse-HC1 gap so it is addressed in the claim, not glossed as "the restore flake".
+
+### M2 proof-run progress + self-correction @2026-06-11T00:05Z
+
+Builder is running (independently, matching my inbox ask) the decisive A/B serially on the box:
+`m2-proof.sh` → lasuite-drive @ffa7d585afa2 PR=1 (post-fix-forward 1357544) on merged main 5c0676b,
+then discourse @7ae7b0f76efb **PR=2** on merged main (m2p-discourse); `m2-proof2.sh` (queued) →
+discourse @7ae7b0f76efb **PR=2** on OLD main (/root/m2-oldmain, ab-discourse-7ae7b0f-oldmain).
+
+**Self-correction to my 23:53Z discourse analysis:** my m2b-discourse run used **PR=0**, but the
+upgrade HC1 guard resolves the *PR head* for the re-checkout. The L1 failure message ("deployed
+chaos commit 'eb96de94+U', not PR-head 7ae7b0f — re-checkout failed") is plausibly a **PR=0
+artifact** (no real PR to resolve the head from), NOT a restructure regression. The Builder's proof
+runs correctly use PR=2 (matching baseline run 184's pr=2). So the apples-to-apples comparison I
+need is m2p-discourse (PR=2, new main) vs ab-discourse-7ae7b0f-oldmain (PR=2, old main) vs baseline
+184 (PR=2, old main, L4). I will cold-verify those three when they land; my L4→L1 concern is on
+hold pending the PR=2 result, not yet a confirmed regression. Live lasu-f68b63 stack = active
+lasuite-drive proof run (expected, not a leak).
+
+### M2 fix-forward APPROVE: be2026a (services_converged completed-one-shot rule) @2026-06-11T00:31Z
+
+Builder proposed a 2nd lasuite-drive P2b fix on branch `fix/converged-oneshot @ be2026a` and asked
+approval before merging to main (M2 "trivial fix-forward w/ Adversary approval" path). Cold-verified
+independently (fresh clone of be2026a at /root/adv-be2026a on cc-ci, NOT the Builder's working tree):
+
+- **Diff** (`git diff origin/main..be2026a runner/harness/lifecycle.py`, read myself): in
+  `services_converged`, a `cur != want` deficit now passes ONLY if `docker service ps <svc>` shows
+  ALL task states == `Complete`. Conservative: any Running/Preparing/Pending (spinning up) or
+  Failed/Rejected (broken) in the deficit still returns False; no-tasks-yet still False; plain N/N
+  and 0/0 unchanged. Targeted addition, not a rewrite.
+- **False-green analysis (my own):** only `restart_policy:none` one-shots ever show `Complete`; a
+  normal crashed service shows Failed/Running(restarting), never Complete. Even if converge passed
+  on a completed-but-ineffective one-shot, two INDEPENDENT gates still catch it — the generic
+  `test_serving` HTTP floor and the custom-tier functional test (lasuite-drive
+  `test_minio_storage.py` upload→list→download is the real bucket gate). Defense-in-depth holds; I
+  could not construct a false-green path.
+- **Tests** `tests/unit/test_converged_oneshot.py` (read + cold-ran): 7 cases pin exactly the
+  non-vacuity criteria — completed→converged, Failed→NOT, mixed Complete+Failed→NOT (covers the
+  `docker service ps` history concern), Preparing→NOT, no-tasks→NOT, N/N→converged, 0/0→converged.
+- **Cold suite+lint from fresh be2026a checkout:** `cc-ci-run -m pytest tests/unit -q` → **199
+  passed**; the 7 new tests pass alone; `nix develop .#lint --command scripts/lint.sh` → **lint:
+  PASS**. Matches Builder's claim.
+- **Root cause judged genuine P2b regression** (hook moved into ops.py pre_install runs BEFORE the
+  install assert; the completed one-shot's 0/1 then burns DEPLOY_TIMEOUT in the converge poll). The
+  fix accepts a genuinely-healthy deploy (HTTP 200, all other services 1/1) the old `cur!=want`
+  wrongly rejected — correction, not masking.
+- **Not on main** — confirmed `all(s == "Complete")` absent from origin/main; Builder held the gate.
+- **Disclosed semantic delta** (a failing one-shot now blocks install convergence earlier vs later
+  at custom-tier): ACCEPTED — both paths RED, no false-green, no enrolled recipe has a
+  baseline-failing one-shot.
+
+**VERDICT: fix-forward be2026a APPROVED, conditional on:**
+1. Post-merge lasuite-drive proof re-run @ffa7d585afa2 PR=1 lands **L5** (binding end-to-end proof
+   the fix resolves the converge hang — if it doesn't, the diagnosis was wrong and approval voids).
+2. I re-verify the MERGED diff == be2026a diff (no extra change sneaks in at merge).
+3. discourse PR=2 A/B pair (m2p-discourse / ab-discourse-7ae7b0f-oldmain — no one-shots, unaffected
+   by this fix) completes and I cold-verify those levels too.
+This APPROVE does NOT clear M2; M2 still needs all per-recipe levels reconciled + my independent
+sample re-check + zero-leak teardown.
+
+### be2026a merge cold-verify — condition #2 SATISFIED @2026-06-11T00:42Z
+
+Builder merged be2026a as 6cabbe7 (build 350 green, origin/main now b4505ac). Independently checked:
+`diff origin/main:runner/harness/lifecycle.py be2026a:...` → **IDENTICAL**; the merged
+`tests/unit/test_converged_oneshot.py` → **IDENTICAL** to be2026a. Clean merge, no extra change
+slipped in — approval condition #2 met. m2p-lasuite-drive (pre-fix) landed L0 (install/converge
+timeout) = the diagnosed symptom (Builder disclosed b4505ac it SIGINT-shortcut the doomed burn;
+binding proof is the post-fix m2p2 re-run). REMAINING be2026a conditions: #1 post-fix lasuite-drive
+L5, #3 discourse PR=2 A/B cold-check — both pending (m2p-discourse running, then ab-oldmain, then
+m2p2-lasuite-drive).
+
+### be2026a conditions CLEARED + SSO-baseline staleness finding (independent) @2026-06-11T01:12Z
+
+Reached the conclusions below COLD (own git archaeology + run-dir jq) BEFORE reading the Builder's
+01:10Z inbox — which then concurred. Anti-anchoring preserved (no JOURNAL read; inbox read after my
+own derivation).
+
+**be2026a fix-forward — ALL 3 CONDITIONS SATISFIED → fix-forward FULLY CLEARED:**
+1. **Post-fix lasuite-drive (m2p2, merged main 6cabbe7, ffa7d585afa2, PR=1): L4, rc=0, 3m19s.**
+   Independently verified: flags clean_teardown=true + no_secret_leak=true; all 4 essential rungs
+   pass; `test_minio_storage::...object_roundtrip` PASSED; `test_oidc_..._keycloak` PASSED. The
+   install converge no longer hangs — both fix-forwards (1357544 best-effort poll + 6cabbe7
+   completed-one-shot converge) exercised in one run. The literal "L5" in my condition is
+   **unmeetable on current code and NOT an rcust effect** — see staleness finding below; I accept
+   the L4-equivalence. Fix works end-to-end.
+2. **Merged diff == branch diff** — verified earlier (4428e76): lifecycle.py + test file
+   byte-identical to be2026a.
+3. **discourse A/B — restructure-NEUTRAL.** m2p-discourse (NEW main, 7ae7b0f, PR=2) = L1 and
+   ab-discourse-7ae7b0f-oldmain (OLD main, SAME ref, SAME PR=2) = L1, SAME stage (upgrade), SAME
+   message (`eb96de94+U` HC1 re-checkout). old==new byte-identical → rcust did NOT regress discourse.
+   The L4(184)→L1 vs baseline is pre-existing env drift since 06-05 (filed below), not rcust.
+
+**FINDING [adversary] — M2 baseline matrix has 3 STALE L5 entries (lasuite-docs/drive/meet).**
+Independently established: the level ladder dropped 6-rung(L5)→4-rung(max L4, integration &
+recipe-local now OPTIONAL/non-laddered) in mainline PR#6 (c51cd84 "4-rung ladder", + 46e2cdb),
+which `git merge-base --is-ancestor c51cd84 01e6d49^` confirms is an ANCESTOR OF PRE-RCUST MAIN.
+The rcust merge touches level.py NOT AT ALL and results.py by +4 cosmetic P5 lines; compute_level
+ derive_rungs are byte-identical old-main↔merged-main. So NO current-code run (rcust or pre-rcust)
+can produce L5; baselines 188/189/204 (L5, integration:pass) were recorded under the OLD schema
+(run 204 ran 06-09 hours before the refactor deployed). **rcust is INNOCENT of L4≠L5.** Integration
+coverage is NOT lost: the requires_deps OIDC tests EXECUTE and PASS (skip-count 0) on current code —
+verified in m2p2 AND the sweep's m2r-lasuite-docs (`test_oidc_login_via_keycloak` +
+`test_oidc_password_grant_...` PASSED) and m2r-lasuite-meet (`...password_grant...` PASSED).
+ACCEPTED equivalence for the M2 matrix: **old L5 ≡ new L4 (all 4 essential rungs pass) + requires_deps
+OIDC test PASSED (skip-count 0)**. Under this, lasuite-docs (m2r L4) / lasuite-meet (m2r L4) /
+lasuite-drive (m2p2 L4) all MATCH. (Note: this validates — but corrects the basis of — the Builder's
+first-sweep "lasuite-docs/meet matched baseline"; they are L4+OIDC, not numeric L5.) This is a
+matrix-staleness correction, NOT a rcust regression; no VETO.
+
+**Still OPEN for the M2 verdict (my side):** (a) per-recipe levels reconciled vs the CORRECTED
+baseline for all 21; (b) bluesky-pds is L0 on BOTH old & new main (upstream image
+`Cannot find module index.js`) — restructure-neutral but also cannot match its L4-equiv baseline on
+ANY current run → needs a DECISIONS/DEFERRED note as non-rcust upstream breakage, not a silent
+mismatch; (c) the 2 drone-path !testme runs (immich#2/plausible#3); (d) zero-leak teardown sweep;
+(e) my own independent re-check of ≥5 recipes' logs + ALL mismatches before any M2 PASS.
+
+---
+
+## M2 — merged-main real-CI regression sweep: **PASS** @2026-06-11T01:15Z
+
+Cold-verified the M2 claim (STATUS gate "M2 CLAIMED ~01:30Z") from my own clone + direct on cc-ci,
+re-running/ re-parsing rather than trusting Builder logs. Every M2.0–M2.4 item holds.
+
+**M2.2 canaries — cold RE-RAN myself** from a fresh `origin/main` checkout (/root/adv-be2026a @
+origin/main): `cc-ci-run -m pytest tests/regression/ -m canary -v` → **7/7 passed (301s)**, incl.
+`bad-false-green` (the false-green detector) + all four RED canaries (bad-install/upgrade/backup/
+restore) caught at their designed tier. The level system is NOT inflating. (log /root/adv-canary.log)
+
+**M2.3 per-recipe — all 21 reconciled (cold jq on each run dir):**
+- 13 clean: cryptpad/custom-html/ghost/hedgedoc/keycloak/matrix-synapse/n8n/uptime-kuma = L4;
+  mailu/custom-html-tiny = L2 (backup_restore N/A); mumble = L4 (deploy-count=1) — all == baseline,
+  clean_teardown=true.
+- 2 designed-bad canaries genuinely exercised: bkp-bad rungs backup_restore=**fail** (backup=fail);
+  rst-bad backup_restore=**fail** (backup=pass→restore=fail). The L1 cap is upgrade-N/A ladder
+  semantics; the designed failure is recorded in the rung (verified — NOT a coincidental
+  level-match).
+- immich/mattermost-lts/plausible: **L4 @ exact baseline refs** (m2b-*) — baseline REPRODUCED on the
+  restructured harness (cold-verified earlier this session).
+- discourse: m2p-discourse (NEW main) == ab-discourse-7ae7b0f-oldmain (OLD main) — SAME ref/PR=2,
+  SAME stage, SAME upgrade-HC1 message (`eb96de94+U`), SAME L1. **old==new ⇒ rcust-neutral**; the
+  L4(184)→L1 is pre-existing env drift since 06-05 (DEFERRED.md), NOT caused by the restructure.
+- lasuite-docs/-meet/-drive: L4 all-rungs-pass + requires_deps OIDC test PASSED (skip-count 0)
+  [lasuite-drive m2p2 also MinIO PASSED, post-both-fixes, rc=0]. Their "L5" baselines are STALE:
+  the 6→4-rung ladder landed in mainline c51cd84 (PR#6), which `git merge-base --is-ancestor
+  c51cd84 01e6d49^` confirms PREDATES the rcust merge; level.py untouched by the merge, derive_rungs
+  byte-identical old↔new. **rcust-innocent; integration coverage preserved** (OIDC tests execute &
+  pass). Accepted equivalence old L5 ≡ new L4-all-pass + OIDC-pass.
+- bluesky-pds: EXCLUDED — `Cannot find module /app/index.js` crash-loop on BOTH old & new main at
+  every ref → upstream image breakage, rcust-neutral. DEFERRED.md note present.
+
+**M2.3 drone→harness path:** drone builds **356 (immich) + 357 (plausible)** = `build_event=custom`
+(bridge-triggered; distinct from push builds 358-361), trigger=autonomic-bot, both **success**
+(verified in drone sqlite DB); run dirs 356/357 = immich L4 pr=2 / plausible L4 pr=3, customization
+manifest present, clean_teardown=true.
+
+**M2.4 customizations actually executed (cold-grep):** manifest block **21/21** logs; mumble
+`ready-probe OK (tcp 3x) 127.0.0.1:64738`; ghost `ccci-overlay: provided compose.ccci.yml ...
+base deploy auto-chaos` (P2a first-class path live); cryptpad `EXTRA_ENV='<hook>'`; immich
+`ops.py[pre_backup,pre_restore,pre_upgrade]` + `pre-op seed` lines (migrated ctx hooks run).
+
+**Teardown:** `docker stack ls` = infra (backups/bridge/dashboard/reports/drone/traefik) +
+warm-keycloak ONLY, **zero leaked app stacks** (checked after ALL runs incl. drone-path).
+
+**Fix-forwards (both Adversary-approved, additive):** 1357544 (lasuite-drive best-effort poll, appr
+57c66ad) + be2026a/6cabbe7 (services_converged completed-one-shot, appr a531746) — merged diff ==
+branch diff, all 3 be2026a conditions cleared (24a203a). Cold unit suite on post-fix main = 199
+passed, lint PASS.
+
+**VERDICT: M2 PASS.** No regression CAUSED BY the restructure: every deviation from the baseline
+matrix is proven rcust-neutral by same-ref old-vs-new A/B (discourse, bluesky) or is a pre-rcust
+stale-schema artifact with coverage preserved (3 lasuite), all documented in DEFERRED.md — not a
+silent mismatch. The false-green detector is green on my own cold canary run. No findings filed,
+no VETO.
+
+**M1 PASS (01f9f70) + M2 PASS (this entry) both stand** → the phase DoD handshake is satisfied; the
+Builder may write `## DONE` to STATUS-rcust.md. (M1's unit+lint acceptance still holds on post-fix
+main: 199 passed / lint PASS, the fix-forwards being additive + separately approved.)
--- a/REVIEW-shot.md
+++ b/REVIEW-shot.md
@ -0,0 +1,184 @@
+# REVIEW-shot.md — Adversary verdicts, phase `shot` (recipe screenshot audit & repair)
+
+Owner: Adversary loop. Append-only verdict log. Gates: M1 (audit+diagnosis), M2 (all working).
+SSOT: `/srv/cc-ci/cc-ci-plan/plan-phase-shot-screenshots.md`.
+
+No gate CLAIMED yet (phase just opened; Builder has not bootstrapped STATUS-shot.md). Doing
+independent cold ground-truth prep below so M1/M2 cold-verify is fast and un-anchored.
+
+---
+
+## Independent cold pre-audit (Adversary, @2026-06-11T01:20Z)
+
+Method: ssh cc-ci, scanned `/var/lib/cc-ci-runs/*/results.json` for recipe + `screenshot` field +
+on-disk `screenshot.png` size; scp'd suspect PNGs locally and **looked at them** (Read tool).
+This is MY ground truth, formed before any Builder claim — to compare against the Builder's matrix.
+
+PNG sizes from latest representative runs (m2r-* sweep + numbered drone runs):
+
+| recipe | PNG bytes | my visual read | class |
+|---|---|---|---|
+| immich | 4801 | pure blank white frame | **BLANK** |
+| n8n | 4801 | blank near-white frame | **BLANK** |
+| lasuite-meet | 4801 | (size-identical to immich/n8n 4801B — blank tell) | BLANK (to confirm visually) |
+| cryptpad | 4802 | blank light-grey frame | **BLANK** |
+| keycloak | 8764 | spinner + "Loading the Administration Console" — paint-race loading state, NOT a real login form | **BLANK/LOADING** (not the "genuine sparse login" §2 guessed) |
+| lasuite-docs | 6022 | bare spinner on white | **BLANK/LOADING** |
+| lasuite-drive | ~5.9K | (size sibling of lasuite-docs — likely same spinner) | BLANK (to confirm) |
+| plausible | null / NO PNG | every run null (122→357 incl. 357); run dir has no screenshot.png; capture stdout not in run dir (goes to Drone build log) — root cause still to trace | **NULL** |
+| ghost | 444183 | (reference healthy, §2) | OK (visual-confirm at M2) |
+| mattermost-lts | 242139 | reference healthy | OK |
+| hedgedoc | 131967 | reference healthy | OK |
+| discourse | 66-67K | reference healthy | OK |
+| custom-html | 35707 | reference healthy | OK |
+| mailu | 33800 | reference healthy | OK |
+| matrix-synapse | 33296 | reference healthy | OK |
+| uptime-kuma | 30858 | reference healthy | OK |
+| custom-html-tiny | 12950 | reference healthy | OK |
+| mumble | 7913 | voice server — web-UI N/A candidate (confirm) | N/A? |
+
+Confirmed defect classes match the orchestrator pre-audit (§2): SPA paint-race (domcontentloaded
+fires before JS paints) → immich/n8n/cryptpad fully blank, keycloak/lasuite-docs/-drive caught at
+loading spinner; plausible never captures (null on every run). **The 4801B byte-identical size is a
+reliable blank-frame fingerprint.**
+
+Open items I must still resolve when verifying:
+- plausible NULL root cause — need the Drone build log for a plausible run (capture stdout: "capture
+  failed" vs "produced no file" vs step never reached). Run dir alone doesn't have it.
+- lasuite-meet / lasuite-drive / mumble — visual confirm.
+- Authoritative enrolled-recipe set: every `tests/<recipe>/recipe_meta.py` minus fixtures
+  (`_generic`, `regression`, `concurrency`, `custom-html-bkp-bad`, `custom-html-rst-bad`).
+
+No verdict yet. Awaiting `claim(shot): M1`.
+
+---
+
+## M1: PASS @2026-06-11T01:38Z  (audit + diagnosis complete)
+
+Claim: `claim(shot): M1` commit e005897; matrix+diagnoses at 8978fa6. STATUS-shot.md "M1 claim".
+Verified COLD from my own clone + ssh cc-ci, **without reading JOURNAL-shot.md** (anti-anchoring).
+My independent pre-audit (commit 4f3a747, formed BEFORE reading the Builder's matrix) already
+agreed on every BLANK/LOADING/NULL read I had pre-formed — no anchoring.
+
+**Enrolled set — complete, no omissions.** `ls tests/*/recipe_meta.py` = 21. Minus the two harness
+canaries `custom-html-bkp-bad`, `custom-html-rst-bad` (plan §2 explicitly excludes both) = **19**.
+The 19 matrix rows are *exactly* that set (diffed by hand) and exactly the plan §2 expected set.
+`_generic`/`regression`/`concurrency`/`unit` have no recipe_meta.py → correctly absent. ✓
+
+**Every non-OK row has evidence-backed root cause (independently re-derived):**
+- plausible NULL — ran the Builder's drone-log command myself: build 357 step log shows
+  `capture failed … page.goto(https://plau-…/) never returned a status in (200,301,302,303,401,403)
+  after 15 attempts (45s); last status=500`. `/` 500s by design (DISABLE_AUTH) → default landing
+  capture can never succeed; needs a SCREENSHOT hook to a rendering path. Confirmed. ✓
+- bluesky-pds NULL — capture is `if deploy_ok:`-gated, OUTSIDE the deploy try/except
+  (runner/run_recipe_ci.py:1024, read it). install=fail level=0 → capture correctly skipped. Not a
+  screenshot defect; upstream image breakage already in DEFERRED.md (rcust). ✓
+- BLANK/LOADING — screenshot.py:84-93 navigates `wait_until="domcontentloaded"` then screenshots
+  immediately, no paint wait; accept_statuses excludes 500 (plausible mechanism). Read the code. ✓
+- mumble NOT N/A — tests/mumble/recipe_meta.py header: deploys `compose.mumbleweb.yml`, a mumble-web
+  HTTP client routed through Traefik, HEALTH_PATH "/". A real web surface IS served → correctly the
+  HARDER (non-N/A) call. ✓
+
+**Independent visual spot-checks (Read tool) — 11 artifacts, matrix matched reality on every one:**
+immich 4801B = pure white; n8n 4801B = blank; cryptpad 4802B = blank grey; lasuite-meet 4801B =
+pure white; keycloak 8764B = "Loading the Administration Console" spinner (NOT a real login — the
+§2 "might be a genuine login" guess was wrong, Builder classed it LOADING correctly); lasuite-docs
+6022B = bare spinner; mumble 7913B = spinner ring on grey; mattermost-lts 242139B = blue brand
+splash + logo, NO login form (correctly LOADING despite large size — size alone is NOT a sufficient
+signal, good catch); n8n run 197 30256B = real "Set up owner account" form, empty fields,
+credential-free (flaky-pass + secret-safe, confirmed); custom-html 35707B = genuine "Welcome to
+nginx!" (honest fresh-install view for a bare static host — OK); plausible = NULL via drone log.
+Includes plausible ✓ and multiple 4801B cases ✓ (M1 minimum was ≥5 incl. those — exceeded).
+
+**N/A arguments — agreed:**
+- bluesky-pds → justified N/A (deploy-gated: can't screenshot what can't deploy; upstream breakage
+  is pre-existing/DEFERRED, not a screenshot defect). Agreed, contingent on the upstream image still
+  being broken at M2 — if it becomes deployable, it re-enters as a real recipe.
+- mumble → NOT N/A. Agreed (real mumble-web surface, evidence above).
+
+No omissions, no fabricated visual reads, diagnoses are causal not symptomatic. **M1 PASS.**
+
+Watch-list for M2 (so the Builder has it early — NOT blocking M1):
+1. Harness default-wait fix must stay within NAV_DEADLINE_S=45 / step worst-case ≤~60s and must
+   NEVER affect a verdict on screenshot failure (R7) — I will test the failure path has teeth but
+   no verdict impact, and compare pre/post run durations.
+2. plausible SCREENSHOT hook must land on a credential-free *rendering* path (not /login showing a
+   generated secret; not a 500 page).
+3. mattermost-lts proof: a bigger PNG is NOT acceptance — I will visually confirm the real login,
+   not a brand splash.
+4. Secret-safety: every final PNG must show no generated credentials (install wizards, secrets
+   pages). n8n's "Set up owner account" with EMPTY fields is the safe shape; a pre-filled one is not.
+5. M2 requires ≥2 proof runs via the drone `!testme` path + me Reading *every* final PNG.
+
+Did not read JOURNAL-shot.md before this verdict. No finding filed (audit is accurate). No VETO.
+
+---
+
+## M2: PASS @2026-06-11T07:17:53Z — all screenshots working (cold-verified from scratch)
+
+Verified independently from a cold start (my own clone, my own scp/Read/re-runs; did NOT read
+JOURNAL before this verdict). Claim commit 196156e. Every M2 DoD item checked:
+
+**1. Every final PNG Read (18/18) — real, representative, credential-free.** Pulled each PNG by scp,
+Read it with the image tool, byte-size matched the claim on all 18:
+- Fixed-class (10): immich 234351B "Welcome to Immich" onboarding; plausible 64132B real
+  registration form (EMPTY fields); keycloak 215587B real "Sign in to your account" (EMPTY) — was
+  the 8764B "Loading Admin Console" spinner at M1, settle fix resolved it; cryptpad 57310B real
+  landing + doc-type picker; lasuite-meet 225686B real video-conf landing; lasuite-docs 284769B real
+  Docs landing; lasuite-drive 132037B real "Fichiers" landing; n8n 26433B "Set up owner account"
+  (ALL fields EMPTY — secret-safe, now deterministic); mattermost-lts 178367B **real "Log in to your
+  account" form (EMPTY) — NOT the byte-identical interstitial** (hook v2 click-through works — my
+  sharpest watch-item, resolved); mumble 7980B loader spinner (see §N/A).
+- Healthy-class (8): ghost 444183B blog landing; hedgedoc 131967B landing; discourse 66121B forum +
+  welcome topic; custom-html 35707B "Welcome to nginx!" (honest fresh-install); custom-html-tiny
+  12950B seeded content; mailu 33800B sign-in (EMPTY); matrix-synapse 33296B "It works!"; uptime-kuma
+  30858B "Create your admin account" (EMPTY).
+  Every login/setup form has EMPTY fields — NO generated credential is shown anywhere. Secret-safety
+  cardinal guardrail holds across all 18.
+
+**2. No verdict/level regression.** All 10 proof runs status=pass at their baseline level (immich
+/plausible/keycloak/cryptpad/lasuite-*/n8n/mumble=4, mattermost-lts=2). screenshot field populated
+on every one. no_secret_leak=true on every proof run I sampled (370/371/keycloak/n8n/mattermost
+/mumble).
+
+**3. ≥2 genuine drone `!testme` proofs — confirmed end-to-end, NOT manual.** ccci-bridge_app logs:
+`[poll] triggered build 370 for immich@107d7220 (PR #2, comment 14321) by autonomic-bot` and
+`...build 371 for plausible@13458fac (PR #3, comment 14322)...`, both `reflected outcome ...:
+success`. The bridge polled Gitea, found real !testme comments, triggered the builds, reflected
+verdicts back — the full comment→build path. Drone params {RECIPE,PR,REF,SRC}, event=custom,
+trigger/sender=autonomic-bot — matches the Phase-1c bridge-!testme fingerprint (REVIEW-1c:110).
+
+**4. Durations unaffected (no balloon).** Drone same-recipe pre/post: immich 199s→198s, plausible
+209s→166s (faster — capture no longer burns 45s failing on the 500). Screenshot step wait budget =
+60000ms exactly (unit test_wait_budget_within_step_cap + my own cold probe). ≤~60s holds.
+
+**5. R7 (cosmetics never block) — intact.** Call site run_recipe_ci.py ~1024-1037 is OUTSIDE the
+deploy try/except AND double-wrapped in its own try/except (`_scrub`-bed log) — and git log proves
+NO shot-phase commit touched run_recipe_ci.py (call site unchanged). capture() swallows everything →
+None → placeholder. I cold-probed the new helpers independently: _settle swallows all exceptions,
+_snap keeps the larger frame (A1 fix, 5/5), 60s budget — 9/9+5/5 pass. Screenshot unit suite 12/12
+ card suite 10/10 ran GREEN cold on the real harness (cc-ci-run) from my scp'd clone.
+
+**6. Dashboard/card/badge render — live 200.** GET dashboard / → 200; runs/370+371/screenshot.png →
+200 image/png; badge/immich.svg + badge/plausible.svg → 200 image/svg+xml.
+
+**7. N/A set (19/19 enrolled, no omissions) — AGREED.**
+- bluesky-pds → N/A, re-confirmed at M2 (ab-bluesky-pds-oldmain: install=fail, level=0,
+  screenshot=null → placeholder correct; upstream MODULE_NOT_FOUND still broken, DEFERRED).
+- mumble → N/A-variant, AGREED — **this reverses my M1 "NOT N/A" stance, on NEW evidence not
+  available at M1.** rankenstein/mumble-web:0.5 renders no usable UI for an anonymous browser:
+  connect-dialog DOM genuinely absent (probe4 console: `#connect-dialog_input_address ... did not
+  match any element`), perpetual loading-container spinner at 5/15/30/60/90s (probe2) — corroborated
+  by my own Read of the 7980B spinner PNG. The loader frame is the literal web-surface reality every
+  visitor gets; mumble's actual function (voice) is fully protocol-tested; fix needs a recipe/overlay
+  change (out of scope, guardrail prefers upstream). Documented in DEFERRED with an upstream
+  question. NOTE (not a defect, not a veto): the dashboard shows the honest loader frame rather than
+  the "no screenshot" placeholder — acceptable as a documented, agreed limitation, NOT a healthy-app
+  screenshot.
+
+Finding A1 (blank-retry regression) was filed, fixed (7ad7d1f), and CLOSED after my cold re-test.
+No open findings. No fabricated reads — every matrix/claim value matched what I independently
+observed. **M2 PASS. No VETO.** With M1 PASS (ae10b55) + M2 PASS both fresh and A1 closed, the DoD
+handshake (§6.1) is satisfied — the Builder may write `## DONE` to STATUS-shot.md.
+
+(Consulted no JOURNAL-shot.md before forming this verdict.)
--- a/STATUS-conc.md
+++ b/STATUS-conc.md
@ -0,0 +1,62 @@
+# STATUS — sub-phase conc (concurrency restructure)
+
+Plan: /srv/cc-ci/cc-ci-plan/concurrency-restructure-full-plan.md (SSOT for this phase)
+
+## DONE
+
+Both gates Adversary-verified fresh in REVIEW-conc.md, no open VETO:
+- M1 — implementation verified: PASS @2026-06-10T04:38Z (branch @d3fe9e2)
+- M2 — merged + live-verified (a)–(d): PASS @2026-06-10T08:55Z (final main 139e319/74ed240)
+- CONC-A1 (M2(c) live finding): fixed b6e12ef, veto LIFTED + closed @09:05Z
+
+## Phase state
+
+- Phase: conc — concurrency restructure (P1–P5 + tests/concurrency) — COMPLETE
+- Merged to main: bb5eb3d (restructure) + b7a009c (wrapper exit-code fix) + 139e319 (CONC-A1 fix)
+- Correction per M2 verdict: 139e319's first parent is 2173894 (not 4ad55ed as the claim said);
+  immaterial — the code-diff-empty check (139e319 vs b6e12ef) is authoritative.
+
+## Gate claim: M2 — merged + live-verified
+
+**WHAT**: branch merged to main after M1 PASS; live verification (a)–(d) all green on the final
+main code (which includes two M2-found fixes, both already Adversary-verified: wrapper exit-code
+e1c4198/b7a009c, CONC-A1 run-keyed state files b6e12ef/139e319).
+
+**WHERE**: main tip code = merge 139e319 (parents 4ad55ed ∘ b6e12ef); branch tip b6e12ef.
+All evidence builds ran post-139e319. Drone repo recipe-maintainers/cc-ci; host cc-ci.
+
+**HOW + EXPECTED (cold re-check from your own access path):**
+
+1. Merge integrity: `git diff 139e319 b6e12ef -- runner/ tests/ docs/ .drone.yml nix/` → EMPTY;
+   no force-push anywhere (reflog linear).
+2. Push build green on main: Drone builds 283 (branch fix), 284 (merge 139e319), 285 (inbox
+   commit) → all `status=success` (push events). No main push since has a red build.
+3. Suites at b6e12ef (cold clone): `cc-ci-run -m pytest tests/unit -q` → 138 passed;
+   `cc-ci-run -m pytest tests/concurrency -q` → 23 passed; `nix develop .#lint --command bash
+   scripts/lint.sh` → lint: PASS. (You already cold-verified these + mutation-proofed
+   test_run_state per REVIEW-conc 08:4xZ entry.)
+4. **(a) cancel-mid-run, on fixed harness**: build **295** (custom immich PR=2, comment 14307
+   @08:50:02Z). Canceled via `DELETE /api/repos/recipe-maintainers/cc-ci/builds/295` @08:51:05Z
+   (HTTP 200) while mid-deploy (lock held by harness pid 763099, 4 immich services converging).
+   EXPECTED/observed: build `status=killed`; pid 763099 gone by 08:51:15Z (SIGTERM funnel ran
+   the run's own teardown); `pgrep -f run_recipe_c[i]` → none; `lslocks | grep cc-ci-app` →
+   none (lock released); immi services/volumes/secrets/server-envs all 0. Zero leakage, no
+   janitor needed (better than plan minimum).
+5. **(b) parallel runs**: builds **287** (immich#2) + **288** (plausible#3), both started
+   08:17:40Z (parallel), both `status=success`, both logs `deploy-count = 1 (expect 1)` +
+   level=4. Host after: zero harness procs / services / volumes / secrets / envs.
+6. **(c) double-!testme same PR**: builds **290** + **291** (both immich#2, domain immi-ad3e33).
+   291 log line 1: `== app lock: another run of immi-ad3e33... is in flight — waiting ==`,
+   `acquired` @+1411s = exactly 290's exit (08:46:05Z). BOTH `status=success`, both
+   `deploy-count = 1`, level=4. Zero leakage after. (Your M2(c) PASS @09:05Z already covers
+   this; kernel-lock-table observation yours.)
+7. **(d) full green run**: build **287** = complete immich e2e on final harness, all 5 tiers
+   pass, level=4 (288 plausible likewise).
+
+**Notes for verification**: builds 290/291 ran ~20 min each due to an immich-ML healthcheck
+flake (your 08:43Z note) — converged within DEPLOY_TIMEOUT=1500s; unrelated to the restructure.
+Unheld 0-byte lockfiles left behind by design (tidy-swept at next janitor probe).
+
+## Blockers
+
+(none)
--- a/STATUS-lvl5.md
+++ b/STATUS-lvl5.md
@ -0,0 +1,6 @@
+# STATUS — Phase lvl5 (L5 lint rung + de-cap)
+
+Phase: lvl5 — OPEN (bootstrapped 2026-06-11)
+Gate: none claimed yet
+In flight: P1 — level.py new semantics + lint executor design (abra lint behavior probe on CI host first)
+Blockers: none
--- a/STATUS-rcust.md
+++ b/STATUS-rcust.md
@ -0,0 +1,293 @@
+# STATUS — sub-phase rcust (recipe-customization restructure)
+
+## DONE
+
+Phase complete 2026-06-11: M1 PASS (REVIEW-rcust.md 01f9f70, 2026-06-10) + M2 PASS (REVIEW-rcust.md
+3245150, 2026-06-11) — both fresh, Adversary-verified, no standing VETO. Restructure merged to main
+(01e6d49 + approved fix-forwards 1357544, 6cabbe7); all 21 recipes reconciled vs corrected
+baseline; canaries 7/7 (Adversary's own cold run); drone path covered; zero leaked apps.
+Non-rcust follow-ups filed in machine-docs/DEFERRED.md (discourse abra-stamp env drift,
+bluesky-pds upstream image breakage re-pin).
+
+Plan: /srv/cc-ci/cc-ci-plan/recipe-custom-restructure-full-plan.md (SSOT for this phase).
+Reference spec: docs/recipe-customization.md @ 76a4b6b.
+Work branch: `restructure/recipe-custom` (one commit per phase P1–P6; merged to main only after M1 PASS).
+
+## Phase progress
+
+- [x] P1 — single loader + key registry + migrate L1–L6 + unit tests + doc gen
+      (branch commit 472a68b)
+- [x] P2 — delete legacy keys/paths: compose.ccci.yml first-class+auto-chaos; install-time deps only
+      (lasuite-docs migrated, setup_custom_tests.sh gone); SKIP_GENERIC meta deleted (env dev-only +
+      loud CI warning); conftest cleanup (deployed/deployed_app/app_domain gone, one `deps` fixture)
+      (branch commit 8cd72fd)
+- [x] P3 — uniform ctx hook convention: HookCtx(.domain/.base_url/.meta/.deps/.op); all hooks
+      take ctx; legacy signatures raise MetaError at load naming the migration (branch fd02d9f)
+- [x] P4 — custom-test ergonomics: placement rule (custom under functional/+playwright/ only),
+      op_state fixture, deps fixture tests (branch 29a28e2)
+- [x] P5 — customization manifest: one block at run start (non-default meta keys, hooks, overlays,
+      custom-test counts, active CCCI_SKIP_GENERIC* env overrides with !! CI flag) printed +
+      embedded verbatim in results.json under "customization"; pure presentation, HC2-honoring
+      (branch commit 68954be — new runner/harness/manifest.py + tests/unit/test_manifest.py)
+- [x] P6 — docs rewritten to the end state: recipe-customization.md is now the REFERENCE (was
+      review spec) — §8 records R1–R9 resolutions, §4 keeps the generated table + HookCtx, §5 the
+      end-state shapes; testing.md invariant updated to install-time-deps isolation, generic
+      opt-out documented dev-only; enroll-recipe.md worked examples (lasuite-docs install-time
+      OIDC, mumble post-F2-14c), deps fixture, ctx signatures (branch commit da558ca)
+- [x] Adversary inbox 19:06Z (P5 manifest dashboard hygiene) — addressed: secret-NAMED meta
+      values (top-level + nested dict keys) render as '<redacted>' in manifest + results.json;
+      key names stay visible; unit-test pinned (branch commit 858e0f5)
+
+## P1–P6 verification facts (for the eventual M1 cold-verify)
+
+- WHERE: branch `restructure/recipe-custom`, P1=472a68b, P2=8cd72fd, P3=fd02d9f, P4=29a28e2,
+  P5=68954be, P6=da558ca, manifest-redaction fix=858e0f5 (branch head).
+- HOW: `cc-ci-run -m pytest tests/unit -q` and `nix develop .#lint --command scripts/lint.sh`
+  from a clean checkout of the branch.
+- EXPECTED: 192 passed; `lint: PASS`.
+- New single loader: `runner/harness/meta.py::load()`; all-recipes typo gate + R2 proof in
+  `tests/unit/test_meta.py`; docs §4 table generated by `scripts/gen-meta-docs.py` (sync pinned
+  by unit test).
+
+## M2 baseline matrix (built BEFORE merge, per plan M2.1)
+
+Expected outcome per recipe dir for the post-merge regression sweep = most recent known-good
+evidence. Levels are results.json `level`; evidence = run id under /var/lib/cc-ci-runs/<id>/
+(on cc-ci) unless noted. Bad canaries are EXPECTED to fail at their designed tier.
+
+| Recipe | Expected | Evidence |
+|---|---|---|
+| bluesky-pds | full lifecycle green: 5 tiers + 4 custom pass, deploy-count=1 (L4-equiv; pre-results-era) | Adversary cold run, REVIEW e45e0ee (Phase 2 Q4.3); weekly 06-05: up-to-date |
+| cryptpad | L4 (all four essential rungs pass) | run 181 (06-05) |
+| custom-html | L4 | run 182 (06-05) |
+| custom-html-bkp-bad | DESIGNED-BAD: backup tier fail → backup_restore=fail, L1 | run regression-bad-restore-2 (06-02) |
+| custom-html-rst-bad | DESIGNED-BAD: restore tier fail → backup_restore=fail, L1 | run regression-bad-restore-3 (06-02) |
+| custom-html-tiny | L2 (backup_restore N/A — declared EXPECTED_NA; functional N/A) | run 205 (06-09) |
+| discourse | L4 | run 184 (06-05) |
+| ghost | L4 | run 185 (06-05) |
+| hedgedoc | L4 | run 113 (06-02) |
+| immich | L4 | run 307 (06-10) |
+| keycloak | L4 | run 187 (06-05) |
+| lasuite-docs | L5 (integration pass) | run 188 (06-05) |
+| lasuite-drive | L5 (integration pass) | run 189 (06-05) |
+| lasuite-meet | L5 (integration pass) | run 204 (06-09) |
+| mailu | L2 (backup_restore N/A — no backupbot labels; functional pass) | run 191 (06-05) |
+| matrix-synapse | L4 | run 203 (06-08) |
+| mattermost-lts | L4 | run 196 (06-05) |
+| mumble | all 5 tiers pass, deploy-count=1 (L4-equiv; pre-results-era) | log ~/ccci-mumble-f214c.log on cc-ci (05-31) |
+| n8n | L4 | run 197 (06-05) |
+| plausible | L4 | run 308 (06-10) |
+| uptime-kuma | L4 | run 165 (06-02) |
+
+Customization-executed spot-greps for M2.4 (mumble READY_PROBE tcp lines, cryptpad
+SANDBOX_DOMAIN, ghost/discourse BACKUP_VERIFY + overlay copy + chaos base, lasuite-* deps
+provisioning + OIDC skip-count 0, immich ops.py seeds, manifest block in every log) apply on the
+sweep runs, not retroactively here.
+
+## Gate
+
+**Gate: M2 CLAIMED 2026-06-11 ~01:30Z, awaiting Adversary.**
+
+### M2 claim — WHAT / HOW / EXPECTED / WHERE
+
+WHAT: plan M2.0–M2.4 complete on merged main. Merge 01e6d49 (build 326 green) + two
+Adversary-approved fix-forwards: 1357544 (lasuite-drive best-effort bucket poll, approval 57c66ad)
+and 6cabbe7 = merge of be2026a (services_converged completed-one-shot rule, approval a531746,
+build 350 green on 914c166, merged-diff==branch-diff verified 4428e76). Canaries 7/7. All 21
+recipe dirs reconciled vs the CORRECTED baseline (the Adversary-accepted L5≡L4+OIDC equivalence
+for the three stale lasuite-* rows; one justified exclusion: bluesky-pds, non-rcust upstream image
+breakage, DEFERRED.md). Drone→harness path covered (2 PR !testme runs green). Zero leaked apps.
+
+RECONCILIATION (final evidence per recipe; run dirs under /var/lib/cc-ci-runs/):
+
+| Recipe | Baseline | Final evidence | Match |
+|---|---|---|---|
+| bluesky-pds | full green (pre-results-era) | m2r L0 == m2rr L0 == ab-oldmain L0, all `Cannot find module /app/index.js` crash-loop | EXCLUDED: upstream image breakage, harness-neutral (DEFERRED.md) |
+| cryptpad | L4 | m2r-cryptpad L4 | ✓ |
+| custom-html | L4 | m2r-custom-html L4 | ✓ |
+| custom-html-bkp-bad | designed backup fail, L1 | m2r: backup fail exactly | ✓ |
+| custom-html-rst-bad | designed restore fail, L1 | m2r: backup pass → restore fail exactly | ✓ |
+| custom-html-tiny | L2 (declared EXPECTED_NA) | m2r-custom-html-tiny L2 | ✓ |
+| discourse | L4 (184, 06-05) | m2r/m2b/m2p + ab-oldmain×2: ALL deviations byte-identical old==new harness (restore race @default head: L2==L2; upgrade-HC1 @baseline ref PR=2: L1==L1, stamp eb96de94+U both) | env drift since 06-05, rcust-neutral (Adversary-verified, condition 3 of a531746) |
+| ghost | L4 | m2r-ghost L4 | ✓ |
+| hedgedoc | L4 | m2r-hedgedoc L4 | ✓ |
+| immich | L4 | m2b-immich L4 @baseline ref + drone-path run 356 L4 | ✓ |
+| keycloak | L4 | m2r-keycloak L4 | ✓ |
+| lasuite-docs | L5 (stale schema) | m2r-lasuite-docs L4 all-pass + OIDC PASSED skip-0 | ✓ (accepted equivalence) |
+| lasuite-drive | L5 (stale schema) | m2p2-lasuite-drive L4 all-pass + OIDC + MinIO PASSED, rc=0, post-both-fixes | ✓ (accepted equivalence) |
+| lasuite-meet | L5 (stale schema) | m2r-lasuite-meet L4 all-pass + OIDC PASSED | ✓ (accepted equivalence) |
+| mailu | L2 | m2r-mailu L2 | ✓ |
+| matrix-synapse | L4 | m2r-matrix-synapse L4 | ✓ |
+| mattermost-lts | L4 | m2b-mattermost-lts L4 @baseline ref | ✓ |
+| mumble | all 5 tiers (pre-results-era) | m2r-mumble all tiers pass, deploy-count=1 | ✓ |
+| n8n | L4 | m2r-n8n L4 | ✓ |
+| plausible | L4 | m2b-plausible L4 @baseline ref + drone-path run 357 L4 | ✓ |
+| uptime-kuma | L4 | m2r-uptime-kuma L4 | ✓ |
+
+HOW (cold, from the Adversary's own clone / direct on cc-ci):
+- per-recipe: `jq '{recipe,level,rungs,flags}' /var/lib/cc-ci-runs/<id>/results.json` for every id
+  above; logs in /root/m2-logs/, /root/m2-baseline-logs/, /root/m2-proof-logs/, /root/m2-ab-logs/.
+- canaries: /root/m2-canary.log (7/7, fresh clone of merged main).
+- drone path: builds 356 (immich#2) + 357 (plausible#3) `custom` events SUCCESS in drone DB
+  (`docker cp <drone_cid>:/data/database.sqlite` + sqlite query, as documented above); run dirs
+  356/357 carry `customization` manifest keys + clean flags; triggered by real `!testme` comments
+  (gitea comment ids 14317/14318).
+- M2.4 spot-greps: section above (manifest 21/21, mumble tcp probe, ghost/discourse overlay+
+  BACKUP_VERIFY, lasuite deps+OIDC, immich seeds, cryptpad EXTRA_ENV hook+playwright).
+- zero-leak: `docker stack ls` on cc-ci → infra (backups/bridge/dashboard/reports/drone/traefik)
+  + warm-keycloak ONLY (checked 01:27Z, after ALL runs incl. drone-path).
+- tree: origin/main, working tree clean, every claim-referenced commit pushed.
+
+EXPECTED: every check above reproduces as stated; no recipe regresses vs the corrected baseline.
+
+WHERE: origin/main @ (this commit); REVIEW-rcust.md holds M1 PASS (01f9f70), be2026a approval +
+all-conditions-cleared (a531746, 24a203a); DEFERRED.md holds the two non-rcust follow-ups
+(discourse abra-stamp mechanism, bluesky-pds upstream re-pin).
+
+**Gate history: M2 IN PROGRESS** — M1 PASS in REVIEW-rcust.md (01f9f70, 2026-06-10).
+
+- M2.0 merge: `restructure/recipe-custom` merged to main as 01e6d49 (merge commit, no force);
+  push build green: drone build **326 success** on 01e6d49 (API-verified).
+- M2.2 canary suite: **7/7 PASSED** in 286s (fresh clone of merged main at /root/m2-sweep on
+  cc-ci, log /root/m2-canary.log) — green canaries pass, all four RED canaries still caught at
+  their designed tiers (bad-install/bad-upgrade/bad-backup/bad-restore).
+- M2.3 per-recipe sweep (driver /root/m2-driver.sh, 2 concurrent, REF = mirror heads; logs
+  /root/m2-logs/<r>.log; results /var/lib/cc-ci-runs/m2r-<r>/): first pass **15/21 matched
+  baseline** —
+  hedgedoc/custom-html/custom-html-tiny/uptime-kuma/n8n/cryptpad/ghost/keycloak/mumble/mailu/
+  matrix-synapse/lasuite-docs/lasuite-meet at baseline level; both DESIGNED-BAD canaries failed
+  at exactly their designed tier (bkp-bad: backup fail; rst-bad: backup pass→restore fail).
+  6 below baseline, ALL flake-shaped (known modes, not new assertion semantics):
+  discourse+plausible+mattermost-lts+immich restore data-integrity (the documented pre-existing
+  truncated-dump capture race — discourse BACKUP_VERIFY honestly failed 3/3 attempts, its
+  docstring + the 06-05 weekly report record this exact mode pre-restructure; seeds verified
+  committed by ops.py read-back asserts, i.e. the migrated ctx hooks executed correctly);
+  bluesky-pds abra `FATA deploy timed out` at default 600s during concurrent image pulls;
+  lasuite-drive pre_install MinIO one-shot 90s timeout (bucket appeared later — every
+  subsequent tier passed). Serial re-runs (MAX=1, /root/m2-rerun.sh, logs /root/m2-rerun-logs/,
+  results m2rr-<r>/) completed 20:44Z — but ran default heads, not baseline refs (superseded by
+  the targeted runs below).
+- M2.3 reconciliation runs (serial, MAX=1):
+  - **Baseline-ref re-runs on merged main** (/root/m2-baseline-runs.sh, logs /root/m2-baseline-logs/,
+    results m2b-<r>/): **plausible L4, mattermost-lts L4, immich L4** at their exact baseline refs —
+    baseline REPRODUCED on the restructured harness; restore-race cluster closed for those three.
+    m2b-discourse @7ae7b0f (ran PR=0; baseline run 184 was PR=2): **L1, NEW mode** — upgrade HC1
+    `deployed chaos commit 'eb96de94+U', not PR-head '7ae7b0f76efb'`. Investigated facts (cold-checkable
+    in /var/lib/cc-ci-runs/m2b-discourse/): `eb96de94` IS the prev-base tag commit `0.7.0+3.3.1`
+    (`git -C .../abra/recipes/discourse rev-list -n1 0.7.0+3.3.1`); the preserved per-run clone HEAD =
+    7ae7b0f (the upgrade re-checkout DID run and persist); the
+    `service "sidekiq" depends on undefined service "discourse"` log line is benign noise (appears
+    verbatim in the PASSING m2r/m2rr upgrade sections too; published compose ships a dangling
+    depends_on — see tests/discourse/compose.ccci.yml NOTE). So the chaos redeploy itself left the
+    base stamp in place at this ref. NOT folded into the restore-flake cluster; discriminating runs
+    queued (below).
+  - **Old-main A/B at the m2r ref** (/root/m2-ab.sh, /root/m2-ab-logs/, results ab-<r>-oldmain/):
+    discourse @7d53d4ec on OLD main = **L2 restore fail** == new-main m2r L2 at the same ref →
+    restore race harness-neutral at that ref. bluesky-pds @b2d86ef on OLD main = **L0 install fail**.
+  - **bluesky-pds re-characterized (not a pull timeout)**: the app container crash-loops
+    `Error: Cannot find module '/app/index.js'` (MODULE_NOT_FOUND, Node v24.15.0) in ALL THREE
+    failures — m2r (new main @ mirror head), m2rr (new main, serial), ab-oldmain (OLD main @ old
+    default head b2d86ef). Same pinned tag, both harnesses, both refs → upstream image content moved
+    under the tag; recipe cannot deploy on ANY harness. Evidence:
+    `grep -r MODULE_NOT_FOUND /var/lib/cc-ci-runs/{m2r,m2rr,ab}-bluesky-pds*/abra/logs/default/`.
+    Restructure-neutral (old==new L0).
+- M2.3 in-flight proof runs (serial queue /root/m2-proof.sh + /root/m2-proof2.sh, logs
+  /root/m2-proof-logs/, driver /root/m2-proof-logs/driver.log):
+  1. **lasuite-drive @baseline ref ffa7d585afa2 PR=1 on merged main @5c0676b** (post-fix-forward
+     1357544) → run id m2p-lasuite-drive: **WILL LAND L0 — second P2b regression found via this
+     run, root-caused LIVE.** The 1357544 best-effort path WORKED (`!!` warn + continue in the
+     log); the one-shot task went **Complete** ~3min in (bucket created); but a completed
+     restart_policy-none one-shot reports replicas 0/1 FOREVER, and services_converged requires
+     cur==want → the install assert burned DEPLOY_TIMEOUT (1800s) and failed. Old world never saw
+     this: setup_custom_tests.sh ran POST-install-assert (its own header: orchestrator runs it
+     after the deploy is healthy); P2b moved the trigger to ops.py pre_install = PRE-assert.
+     Verified live during the run: app HTTP 200, all other services 1/1,
+     `docker service ps ..._minio-createbuckets` = Complete, pytest in converge loop 27+ min.
+     **Fix-forward proposed, awaiting Adversary approval: branch `fix/converged-oneshot` @
+     be2026a** — services_converged treats a replica deficit explained ENTIRELY by Complete tasks
+     as converged (Failed/mixed/spinning-up/no-tasks still block; 0/0 + N/N unchanged); pinned by
+     tests/unit/test_converged_oneshot.py (7 cases). Proof: working tree on cc-ci
+     `cc-ci-run -m pytest tests/unit -q` → 199 passed; lint PASS.
+     **APPROVED (REVIEW a531746) and MERGED to main as 6cabbe7** (merge commit, no force);
+     merged diff == be2026a diff (`git diff be2026a..main -- runner/harness/lifecycle.py
+     tests/unit/test_converged_oneshot.py` = empty). Push build green: drone build **350
+     success** on 914c166 (branch head incl. the merge; verify on cc-ci:
+     `docker cp <drone_cid>:/data/database.sqlite /tmp/d.sqlite && sqlite3 /tmp/d.sqlite
+     "select build_number,build_status,build_after from builds order by build_id desc limit 5"`).
+     Post-fix re-run QUEUED: /root/m2-proof3.sh waits for the discourse A/B pair to drain, then
+     runs lasuite-drive @ffa7d585afa2 PR=1 from fresh clone /root/m2-postfix @6cabbe7 →
+     CCCI_RUN_ID=m2p2-lasuite-drive, log /root/m2-proof-logs/lasuite-drive-postfix.log.
+     EXPECTED **L5** (binding condition 1 of the approval).
+     DISCLOSED INTERVENTION: in the doomed pre-fix m2p run, after the GENERIC install assert had
+     already failed at the 1800s converge deadline, the OVERLAY install test entered a second
+     identical 1800s converge burn — Builder sent it (pytest pid only) SIGINT at ~01:00Z to skip
+     the redundant 20+ min wait. The log therefore shows `KeyboardInterrupt` at generic.py:97
+     (the converge poll — the exact diagnosed line). The orchestrator's own exit paths/teardown
+     untouched; run continued to upgrade/backup/restore/custom normally. The m2p result is
+     diagnostic evidence of the bug, not a baseline data point — the binding proof is m2p2.
+  2. **discourse @7ae7b0f PR=2 on merged main** (exact baseline-184 invocation) → m2p-discourse:
+     **COMPLETE — L2, upgrade HC1 fail, chaos-version=eb96de94+U** (identical to m2b: stamp = the
+     prev-base tag commit). Deterministic at this ref on new main; NOT a PR=0 artifact, NOT a race.
+     install/backup/restore/custom all pass.
+  3. **discourse @7ae7b0f PR=2 on OLD main** → ab-discourse-7ae7b0f-oldmain: **COMPLETE — L2,
+     upgrade HC1 fail, chaos-version=eb96de94+U — BYTE-IDENTICAL failure to the new-main run.**
+     **DISCOURSE A/B CLOSED: old harness == new harness at the baseline ref + baseline invocation
+     (PR=2). The upgrade-HC1 mode is HARNESS-NEUTRAL — not an rcust regression.** Baseline 184's
+     L4 (06-05) vs today's identical-both-worlds failure = environment/content drift since 06-05,
+     outside both harnesses. Drift candidates checked and ELIMINATED: 7ae7b0f is still a live
+     branch tip in the mirror (`refs/heads/upgrade-0.8.0+3.5.0` + `refs/pull/2/head` — git
+     ls-remote), and upstream's latest release tag is unchanged (0.7.0+3.3.1 = eb96de94, no new
+     tag since 06-05). flake.lock (abra pin) identical in both worlds. HC1 firing rather than
+     false-greening is the guard working as designed.
+     Cold-verify: results.json + full logs at /var/lib/cc-ci-runs/{m2p-discourse,
+     ab-discourse-7ae7b0f-oldmain}/ + /root/m2-proof-logs/discourse{,-oldmain}.log.
+  4. **lasuite-drive @ffa7d585afa2 PR=1 on merged main @6cabbe7 (post-converge-fix)** →
+     m2p2-lasuite-drive: **COMPLETE in 3m19s, rc=0 — all 5 stages pass, deploy-count=1,
+     `test_oidc_password_grant_against_dep_keycloak` PASSED (requires_deps skip-count 0),
+     `test_minio_bucket_present_and_object_roundtrip` PASSED, clean_teardown+no_secret_leak
+     flags true. NO converge burn: the one-shot again exceeded its 90s window (`!!` best-effort
+     line), completed late, and the install assert passed straight through — both fix-forwards
+     proven end-to-end.** results.json `level=4`, NOT 5 — see schema note below.
+- **BASELINE SCHEMA NOTE (affects lasuite-docs/-drive/-meet expected "L5")**: the 6-rung ladder
+  (L5 integration / L6 recipe-local) was REMOVED from main by the deliberate mainline refactor
+  46e2cdb + c51cd84 ("four essential rungs only — integration & recipe-local are optional",
+  PR #6, 2026-06-09 ~03:00Z) — BEFORE the rcust merge and NOT part of it (merge diff
+  01e6d49^1..01e6d49 touches level.py not at all and results.py by +4 lines; current
+  derive_rungs/compute_level are byte-equal to the pre-merge main versions). Every post-06-09 run
+  caps at L4 BY DESIGN; the integration (OIDC) test now counts inside the functional/custom rung.
+  Timeline evidence: run 204 (lasuite-meet, 06-09 pre-deploy) = 6-rung level 5; all later runs =
+  4-rung. EQUIVALENCE for the baseline matrix: old "L5 (integration pass)" ≡ new "L4 all-rungs
+  pass + the requires_deps OIDC test PASSED (skip-count 0)". m2p2-lasuite-drive meets it; the
+  m2r sweep's lasuite-docs + lasuite-meet L4-all-pass results (with their OIDC PASSED lines,
+  already in M2.4 spot-greps) meet it identically.
+- M2.4 spot-greps (customizations actually executed — log evidence in /root/m2-logs/):
+  manifest block present 21/21; mumble `ready-probe OK (tcp 3x): 127.0.0.1:64738`; ghost+discourse
+  `ccci-overlay: provided compose.ccci.yml ... auto-chaos` (P2a first-class path live);
+  discourse BACKUP_VERIFY hook live (3 verify lines); lasuite-docs `install-time OIDC:
+  provisioning deps ['keycloak'] BEFORE deploy` + `test_oidc_login_via_keycloak PASSED`
+  (requires_deps skip-count 0); immich ops.py pre_upgrade/pre_backup/pre_restore seed lines;
+  cryptpad EXTRA_ENV='<hook>' in manifest + its 4 overlays + playwright green (hook applied);
+  19 screenshot.png across m2r-* dirs.
+- Teardown: `docker stack ls` after the full 21-recipe sweep = infra stacks + warm-keycloak only,
+  **zero leaked apps**.
+- Drone→harness path: !testme on two open recipe PRs pending after the re-runs.
+
+**Gate history: M1 CLAIMED 2026-06-10 → PASS** (branch head 858e0f5)
+
+- WHAT: P1–P6 complete on branch `restructure/recipe-custom` (P1=472a68b, P2=8cd72fd, P3=fd02d9f,
+  P4=29a28e2, P5=68954be, P6=da558ca, +858e0f5 manifest redaction). Working tree clean, all pushed.
+- HOW (cold, from a fresh clone of the branch):
+  - `cc-ci-run -m pytest tests/unit -q` → EXPECTED: **192 passed**
+  - `cc-ci-run -m pytest tests/concurrency -q` → EXPECTED: **23 passed** (untouched by this plan;
+    Builder proof run 2026-06-10 on branch head: 23 passed in 11.46s)
+  - `nix develop .#lint --command scripts/lint.sh` → EXPECTED: **lint: PASS**
+  - resolved-customization diff old-vs-new for all 21 recipe dirs (Adversary's own script) →
+    EXPECTED: 0 deltas
+  - adversarial review of the full diff `main..restructure/recipe-custom`
+- WHERE: origin branch `restructure/recipe-custom` @ 858e0f5; baseline matrix above (M2 prep,
+  committed pre-merge per plan).
+
+## Current
+
+M2 CLAIMED (see Gate above) — awaiting Adversary cold-verify. No other unblocked work in this
+phase; DONE follows the M2 PASS handshake.
--- a/STATUS-shot.md
+++ b/STATUS-shot.md
@ -0,0 +1,65 @@
+# STATUS-shot.md — Builder status, phase `shot`
+
+SSOT: /srv/cc-ci/cc-ci-plan/plan-phase-shot-screenshots.md
+
+## DONE
+
+Phase `shot` complete @2026-06-11T07:20Z: M1 PASS (ae10b55) + M2 PASS (2b54adb), finding A1
+fixed+CLOSED (5fc8699), no VETO. All 19 enrolled recipes show Adversary-verified real screenshots
+(18 PNGs Read by both loops, credential-free) or agreed N/A (bluesky-pds upstream-broken;
+mumble best-available loader frame, DEFERRED upstream question). Fixes on main through 196156e.
+
+## Gate history
+
+Gate: M1 PASS (REVIEW-shot.md ae10b55). Finding A1 CLOSED (5fc8699).
+Gate: M2 PASS (REVIEW-shot.md 2b54adb).
+
+## M2 claim — verification map (WHAT/HOW/EXPECTED/WHERE)
+
+WHAT: every enrolled recipe (19) is OK or Adversary-agreed N/A; fixes merged to main; fresh proof
+runs incl. 2 via drone !testme; verdicts/levels/durations unaffected; screenshot path stays
+best-effort end-to-end (R7); no PNG shows credentials.
+
+Fix commits on main: ce50f64 (harness settle+blank-retry), 7ad7d1f (A1 keep-larger), b98a471
+(plausible SECRET_KEY_BASE 62→68ch — the real NULL root cause; no hook needed), 80e5713+3c33129
+(mattermost hook → /login + click "View in Browser"; public settle()). Unit: 207 pass
+(`cc-ci-run -m pytest tests/unit -q`), lint PASS (`nix develop .#lint --command scripts/lint.sh`).
+
+HOW to verify per recipe — artifacts on cc-ci `/var/lib/cc-ci-runs/<run>/{results.json,
+screenshot.png,summary.html}`; scp the PNG and Read it. Full table with run dirs, levels
+(each = its baseline), exact PNG bytes, and what each image shows: BACKLOG-shot.md "P4 — Proof
+runs". Fixed-class proofs: immich=370 (drone !testme immich#2, posted 05:56:32Z), plausible=371
+(drone !testme plausible#3), keycloak, cryptpad, lasuite-meet, lasuite-docs, lasuite-drive, n8n,
+mattermost-lts (shot-proof3-* = hook v2 → real login form), mumble (best-available loader frame —
+see N/A-variant below). Healthy-class (ghost 444183B, hedgedoc 131967B, discourse 66121B,
+custom-html 35707B, custom-html-tiny 12950B, mailu 33800B, matrix-synapse 33296B,
+uptime-kuma 30858B): cite the P1-matrix artifacts (m2r-*/m2p-* dirs per P1 table) — plan §3 P4 allows
+existing artifact + visual check for class-3; all Read by Builder, all credential-free.
+
+EXPECTED on re-run of any fixed recipe: results.json `screenshot: "screenshot.png"`, PNG ≥ ~26KB
+real app view (mumble excepted), level equal to that recipe's baseline (immich 4, plausible 4,
+keycloak 4, cryptpad 4, lasuite-* 4, n8n 4, mattermost-lts 2, mumble 4).
+
+R7 / budget: wait components 45(nav, only-on-failure)+10(settle)+0.5+4(blank retry)+0.5 = 60s,
+unit-tested (test_wait_budget_within_step_cap); capture() still swallows everything → None →
+placeholder; double-wrapped at the call site (run_recipe_ci.py:1024-1037, unchanged).
+
+Durations (drone, same recipe+PR pre/post): immich 199s→198s, plausible 209s→166s. Drone sqlite:
+`select build_id, build_finished-build_started from builds where build_id in (356,357,370,371)`.
+
+Dashboard/card: `https://ci.commoninternet.net/` grid references runs/370+371 screenshot.png (both
+HTTP 200); summary.html embeds screenshot.png; /badge/immich.svg 200.
+
+N/A + N/A-variant (need Adversary agreement at this gate):
+- bluesky-pds: unchanged upstream MODULE_NOT_FOUND breakage (DEFERRED.md, evidence
+  ab-bluesky-pds-oldmain 2026-06-11, install=fail level=0) → capture correctly skipped, placeholder
+  correct.
+- mumble: web client (rankenstein/mumble-web:0.5) never paints UI for an anonymous browser —
+  ≥90s observation, no console errors, no failed requests, connect-dialog DOM absent, no
+  autoconnect overrides (probes: /tmp/mumble-probe{3,4}.out, /tmp/mumble-orch{4,5}.log on cc-ci).
+  The 7980B loader frame IS the genuine anonymous web view; voice covered by protocol tests.
+  DEFERRED.md entry filed (upstream question). Claimed as documented best-available, not a defect.
+
+## Blocked
+
+(nothing)
--- a/bridge/bridge.py
+++ b/bridge/bridge.py
@ -64,6 +64,8 @@ def parse_trigger(body):
    if s == f"{TRIGGER} --quick":
        return True, True
    return False, False
+
+
 ALLOWLIST = {u.strip() for u in os.environ.get("AUTH_ALLOWLIST", "").split(",") if u.strip()}


@ -167,8 +169,12 @@ def post_commit_status(owner, repo, sha, state, target_url, description=""):
        f"{GITEA_API}/repos/{owner}/{repo}/statuses/{sha}",
        GITEA_TOKEN,
        method="POST",
-        data={"state": state, "target_url": target_url,
-              "description": description, "context": "cc-ci/testme"},
+        data={
+            "state": state,
+            "target_url": target_url,
+            "description": description,
+            "context": "cc-ci/testme",
+        },
    )


@ -217,7 +223,9 @@ def result_comment_body(recipe, sha, num, run_url, status):
        if artifact_available(badge_url):
            body += f"\n\n[![level]({badge_url})]({run_url})"
        return f"{body}\n\n{links}"
-    return f"{header} → {run_url}\n\n_(summary card unavailable — see the run for details.)_ {links}"
+    return (
+        f"{header} → {run_url}\n\n_(summary card unavailable — see the run for details.)_ {links}"
+    )


 def watch_and_reflect(owner, name, number, num, recipe, sha, comment_id, run_url):
--- a/dashboard/dashboard.py
+++ b/dashboard/dashboard.py
@ -38,6 +38,7 @@ _RUN_FILES = {
    "screenshot.png": "image/png",
    "badge.svg": "image/svg+xml",
    "summary.html": "text/html; charset=utf-8",
+    "lint.txt": "text/plain; charset=utf-8",
 }
 _RUN_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

@ -66,8 +67,12 @@ _COLORS = {
 # Level → colour ramp, kept in sync with runner/harness/card.py LEVEL_COLOR (the dashboard is a
 # standalone stdlib service that doesn't import the runner harness, so the small map is duplicated).
 _LEVEL_COLOR = {
-    0: "#e5534b", 1: "#e0823d", 2: "#e0823d", 3: "#d9b343",
-    4: "#a0b93f", 5: "#57ab5a", 6: "#3fb950",
+    0: "#e5534b",
+    1: "#e0823d",
+    2: "#e0823d",
+    3: "#d9b343",
+    4: "#a0b93f",
+    5: "#3fb950",  # bright green — full 5-rung climb incl. lint (phase lvl5)
 }


@ -147,7 +152,6 @@ def _build_row(b):
        "ref": ref[:8],
        "version": res.get("version") or ref[:12] or "—",
        "level": res.get("level"),
-        "level_cap_reason": res.get("level_cap_reason") or "",
        "has_screenshot": bool(res.get("screenshot")),
        "flags": res.get("flags") or {},
        "finished": b.get("finished") or 0,
@ -215,7 +219,6 @@ a{color:#58a6ff;text-decoration:none} a:hover{text-decoration:underline}
 .name{font-weight:700;font-size:1.05rem;color:#e6edf3}
 .row{display:flex;align-items:center;gap:.5rem;flex-wrap:wrap;font-size:.82rem}
 .pill{color:#fff;padding:.08rem .5rem;border-radius:.5rem;font-size:.75rem;font-weight:600}
-.cap{color:#8b949e;font-size:.75rem}
 code{background:#0d1117;border:1px solid #21262d;border-radius:.3rem;padding:0 .3rem;font-size:.78rem;color:#c9d1d9}
 .flags{display:flex;gap:.4rem;font-size:.72rem;color:#8b949e}
 .foot{margin-top:auto;display:flex;justify-content:space-between;font-size:.8rem;padding-top:.3rem;border-top:1px solid #21262d}
@ -269,13 +272,12 @@ def _card(r):
            f'<a class="shot" href="{run_url}" title="open run">'
            f'<span class="ph">no screenshot</span>{_level_pill(r["level"])}</a>'
        )
-    cap = f'<div class="cap">{html.escape(r["level_cap_reason"])}</div>' if r["level_cap_reason"] else ""
    return (
        f'<div class="card">{shot}<div class="body">'
        f'<div class="name">{html.escape(r["recipe"])}</div>'
        f'<div class="row"><span class="pill" style="background:{color}">{html.escape(r["status"])}</span>'
        f'<code>{html.escape(r["version"])}</code></div>'
-        f"{cap}{_flags_html(r['flags'])}"
+        f"{_flags_html(r['flags'])}"
        f'<div class="foot"><a href="{run_url}">run #{num} · {_ago(r["finished"])}</a>'
        f'<a href="/recipe/{html.escape(r["recipe"])}">history →</a></div>'
        f"</div></div>"
@ -307,7 +309,11 @@ def render_history(recipe, rows):
    trs = []
    for r in rows:
        color = _COLORS.get(r["status"], "#8b949e")
-        lvl = "—" if r["level"] is None else f'<b style="color:{level_color(r["level"])}">L{int(r["level"])}</b>'
+        lvl = (
+            "—"
+            if r["level"] is None
+            else f'<b style="color:{level_color(r["level"])}">L{int(r["level"])}</b>'
+        )
        shot = f'<a href="/runs/{r["number"]}/summary.png">card</a>' if r["has_screenshot"] else "—"
        trs.append(
            f'<tr><td><a href="{html.escape(r["url"])}">#{r["number"]}</a></td>'
@ -317,7 +323,7 @@ def render_history(recipe, rows):
        )
    body = "\n".join(trs) or '<tr><td colspan="6">no runs for this recipe yet</td></tr>'
    inner = (
-        f'<h1>{_FLOWER} {html.escape(recipe)} — run history</h1>'
+        f"<h1>{_FLOWER} {html.escape(recipe)} — run history</h1>"
        '<p class="sub"><a href="/">← all recipes</a> · every <code>!testme</code> run, newest first.</p>'
        "<table><thead><tr><th>Run</th><th>Status</th><th>Level</th><th>Version</th>"
        "<th>When</th><th>Card</th></tr></thead><tbody>"
--- a/docs/concurrency.md
+++ b/docs/concurrency.md
@ -0,0 +1,236 @@
+# Concurrency: how parallel recipe CI runs stay safe
+
+Spec of the concurrent-run system after the 2026-06-10 restructure (branch
+`restructure/concurrency`; plan: cc-ci-plan `concurrency-restructure-full-plan.md`). The previous
+registry + per-recipe-flock model is documented in this file's git history (`5b65c6c`).
+
+## 1. Goal and design summary
+
+Two recipe CI builds may run **at the same time** on the single cc-ci host. Safety is enforced by
+the **harness**, not by serialising everything, and rests on ONE locking mechanism plus ONE
+structural isolation:
+
+| Rule | Mechanism |
+|---|---|
+| Different recipes run in parallel | nothing blocks them (isolation, §3) |
+| Same-RECIPE runs run in parallel too | per-run `ABRA_DIR` recipe trees (§4) — no shared tree, no lock |
+| Same-DOMAIN runs (double-`!testme` of one PR) serialise | per-app-domain `flock` (§5) |
+| A starting run never reaps a live concurrent run's app | janitor probes the app lock; held = live (§6) |
+| A crashed/canceled/rebooted run's leftovers get reaped | lock auto-released by the kernel → probe acquires → reap (§6) |
+
+The invariant chain that makes "held lock = live owner" sound:
+
+```
+lock lifetime ⊆ harness process lifetime ⊆ drone step lifetime ⊆ 60-min hard deadline
+```
+
+- **lock ⊆ process**: locks are kernel flocks on fds the process holds (and PEP 446 makes those
+  fds non-inheritable, so abra/docker/pytest children never carry them). The kernel releases them
+  on process death, however it dies. There is no unlock code path and no stale-lock failure mode.
+- **process ⊆ step**: `PR_SET_PDEATHSIG(SIGTERM)` + the `.drone.yml` setsid/trap wrap (§2) — a
+  dead or canceled build cannot leak a running harness.
+- **step ⊆ 60 min**: `signal.alarm(3600)` self-deadline (§2).
+
+Never steal a held lock; manage the holder's lifetime. There is **no daemon and no shared state
+service** — everything is kernel/file primitives under `/run/lock` and per-run directories.
+
+## 2. Mechanism 0: run-lifetime hardening (`runner/harness/lifetime.py`)
+
+`run_recipe_ci.main()` calls `lifetime.install_lifetime_guards()` before ANY abra call or lock
+acquisition:
+
+1. **`PR_SET_PDEATHSIG(SIGTERM)`** (ctypes prctl, return code checked): if the parent — the drone
+   step shell — dies, the kernel TERMs the harness. A post-prctl `ppid == 1` re-check closes the
+   start race: a harness whose parent died *before* the prctl armed would never get the signal,
+   so it refuses to run orphaned.
+2. **SIGTERM handler**: logs, then raises `SystemExit(143)` so the run's `finally:` teardown
+   funnel executes and the process exits non-zero. Re-entrant signals during teardown are logged
+   and IGNORED (`lifetime.begin_teardown()`, also set at the top of the run's `finally:` blocks)
+   so a second signal can't abort the cleanup the first one asked for.
+3. **`signal.alarm(3600)` hard deadline**: SIGALRM funnels into the same teardown path with a
+   distinct log line (`== run exceeded 60-minute hard deadline — tearing down ==`), exit 142.
+   Recipes keep their own smaller per-tier timeouts; this bounds the whole run. Teardown time
+   after the deadline is deliberately not alarm-bounded — the janitor is the backstop if a
+   teardown wedges and the process is killed harder.
+
+The `.drone.yml` recipe-ci step runs the harness as `setsid cc-ci-run … &` with a
+`trap 'kill -TERM -- "-$PID"' TERM EXIT; wait "$PID"` — a drone **cancel** (TERM to the step
+shell) is forwarded to the harness's whole process group instead of leaking it (the exec runner
+only kills the step shell). PDEATHSIG backstops the no-trap paths.
+
+## 3. Isolation model: what is shared, what is per-run
+
+Per-run (no conflict possible):
+
+- **App + stack + volumes + secrets.** Run app domain = `naming.app_domain()` →
+  `<recipe[:4]>-<sha1(recipe|pr|ref)[:6]>.ci.commoninternet.net`, unique per (recipe, pr, ref);
+  everything abra creates is namespaced by it. Run apps are recognised by
+  `RUN_APP_RE = ^[a-z0-9]{1,4}-[0-9a-f]{6}\.ci\.commoninternet\.net$`; warm/canonical apps
+  (e.g. `warm-keycloak...`) deliberately do NOT match → the janitor never probes them.
+- **Recipe working trees** — `$ABRA_DIR/recipes/<recipe>`, per run (§4). NEW in the restructure.
+- **Drone build workspace** (`/var/lib/drone-runner/drone-<id>/`) and **run artifacts**
+  (`/var/lib/cc-ci-runs/<run-id>/`).
+- **Run-scoped state files** (`/tmp/ccci-{deploys,opstate,deps,depskip}-<run-id>-<pid>…`) —
+  keyed by run id + harness pid via `run_recipe_ci._run_state_path()`, NEVER by app domain.
+  A second run of the same domain executes its `main()` preamble before blocking at the app
+  lock (§5), so domain-keyed files would be reset/removed underneath the live first run
+  (live finding, M2(c) double-`!testme`: false DG4.1 deploy-count in run 1, countfile
+  `FileNotFoundError` in run 2). Tier/hook children get the exact paths via the
+  `CCCI_*_FILE` env vars; removed on normal run exit.
+
+Shared (by design, conflict-free):
+
+- **`/root/.abra/servers`** — app `.env` files, one per domain. The per-run `ABRA_DIR` symlinks
+  `servers/` here, so .env files land in the canonical path: janitor discovery (`abra app ls`)
+  and out-of-run tooling see every app. Per-domain filenames + the app-domain lock prevent write
+  conflicts.
+- **`/root/.abra/catalogue`** — read-mostly, symlinked into each per-run dir.
+- **`HOME=/root`** (forced in `.drone.yml`) — safe: nothing recipe-mutable lives under `~/.abra`
+  for a run anymore except through the two symlinks above.
+
+## 4. Mechanism 1: per-run `ABRA_DIR` (replaces the per-recipe flock)
+
+`run_recipe_ci.setup_run_abra_dir()` — called first thing in `main()`, before any abra call —
+builds `<runs_dir>/<run-id>/abra/` (run-id = Drone build number; `manual-<pid>` for hand runs):
+
+```
+abra/
+  servers/    -> /root/.abra/servers     (symlink; canonical shared .env path)
+  catalogue/  -> /root/.abra/catalogue   (symlink; read-mostly)
+  recipes/    fresh, empty               (THE isolation that matters)
+```
+
+and exports it as `$ABRA_DIR` — honored by the abra CLI itself and by every harness path helper
+(`abra.abra_dir()` / `abra.recipe_dir()`; `generic._recipe_dir`, `prepull_images`,
+`snapshot_recipe_tests`, `warm_reconcile._recipe_dir` all route through the same rule:
+`$ABRA_DIR` if set, else `~/.abra`).
+
+- `fetch_recipe()` is now a plain clone into `$ABRA_DIR/recipes/<recipe>` (PR-head clone+checkout
+  or `abra recipe fetch`); the upgrade tier's mid-run `git checkout`s happen in the run's own
+  tree. Two same-recipe runs can no longer corrupt each other — structurally, with no lock. The
+  old observed failure (immich builds 229/230 deploying a tree missing its config) is impossible.
+- `CCCI_SKIP_FETCH=1` (test/Adversary staging) copies the canonically-staged
+  `~/.abra/recipes/<recipe>` clone into the per-run tree.
+- Out-of-run flows (warm_reconcile's systemd timer, manual abra) set no `ABRA_DIR` and keep using
+  the canonical `/root/.abra` unchanged. In-run flows that touch canonical state on purpose
+  (warm/canonical .env files) go through `servers/` and are unaffected.
+- The per-run dir rides along the existing `/var/lib/cc-ci-runs/<run-id>/` retention. abra
+  auto-clones any recipe it needs to resolve (e.g. during `app ls`) into the per-run `recipes/` —
+  a few seconds of git per run, gone with the run dir.
+
+## 5. Mechanism 2: per-app-domain flock (`lifecycle.acquire_app_lock`)
+
+- Lock file: `/run/lock/cc-ci-app-<domain>.lock` (dir overridable via `CCCI_APP_LOCK_DIR` for the
+  test suite), exclusive `fcntl.flock`, taken in `deploy_app()` **before the app is created** — a
+  concurrent janitor can never see a run app without its held lock.
+- Blocks (with a log line: `== app lock: another run of <domain> is in flight — waiting ==`) when
+  another run of the SAME domain is in flight — the double-`!testme` serialisation point; the
+  waiting run is visibly parked at that line in its drone log, by design.
+- The returned file object is ALSO retained in module-level `_held_app_locks` — if a caller
+  dropped it, GC would close the fd and silently release the lock.
+- mtime is touched at acquisition: lock age feeds the janitor's long-held flag (§6).
+- **Unlink/recreate race guard**: the janitor unlinks reaped lockfiles, so after EVERY
+  acquisition the locked fd is verified to still be the inode the path names
+  (`fstat().st_ino == stat().st_ino`); a waiter that won a just-unlinked inode closes it and
+  retries on the live path. (A lock on an unlinked inode protects nothing: a later opener gets a
+  fresh inode and would acquire "the same" lock.)
+- Release is implicit: process exit (any kind). `teardown_app()` does NOT release or unlink —
+  a clean run's leftover lockfile is unheld and is unlinked on sight by the next janitor sweep.
+
+## 6. The flock-probe janitor (`lifecycle.janitor`)
+
+Runs at every run start (cold + quick paths) and in the warm/upgrade sweeps. Candidate discovery
+is unchanged from the old model: `abra app ls` + a docker-service sweep (catches stacks whose
+`.env` is already gone), both matched against `RUN_APP_RE` — warm/canonical apps never match and
+are never probed.
+
+Decision table (per candidate domain, `_probe_and_reap`):
+
+| Probe (`LOCK_EX\|LOCK_NB`) | Meaning | Action |
+|---|---|---|
+| acquires (+ inode identity OK) | nobody holds it → owner died (kernel-guaranteed) | **reap**: `teardown_app(verify=False)` WHILE HOLDING the probe lock, then unlink the lockfile, then release |
+| acquires, inode stale | another janitor reaped + unlinked while we raced | skip (reap already done; unlinking now would hit a newer run's file) |
+| `BlockingIOError` (held) | live concurrent run | leave it; if lockfile mtime > 120 min (2× the hard deadline): `!! lock for <domain> held >120min — possible leaked run; inspect with lslocks` — flag, **never steal** |
+| `open()` fails (`OSError`) | garbled/unopenable lockfile | skip + log, never crash |
+
+- Reaping under the probe lock closes the janitor-vs-new-run race: a new run of that domain
+  blocks in `acquire_app_lock` until the reap finishes — no window where a fresh app coexists
+  with a half-reaped one.
+- Two racing janitors arbitrate on the flock: one reaps, the other sees "held" and leaves; reaps
+  are idempotent (`teardown_app(verify=False)` tolerates half-gone stacks).
+- After the candidates, a tidy sweep unlinks stale **unheld** `cc-ci-app-*.lock` files with no
+  app behind them (under their own probe lock + identity check), keeping `/run/lock` clean.
+- **Post-reboot**: `/run/lock` is tmpfs → lockfiles gone → every surviving app probes as an
+  orphan → reaped immediately. (Improvement over the old 2-hour age fallback; there IS no age
+  logic anymore.)
+
+## 7. Failure-mode guarantees
+
+| Event | Outcome |
+|---|---|
+| Run crashes / SIGKILL mid-run | flock auto-released by kernel → next janitor probe reaps app + lockfile |
+| Drone build canceled via API | step trap TERMs the harness process group → SIGTERM funnel runs the run's own teardown (exit 143); if anything still leaks, PDEATHSIG + janitor reap (the old "cancel leaks the harness" gap is CLOSED) |
+| Run exceeds 60 min | SIGALRM → distinct log line → own teardown → exit 142 |
+| Host reboot | locks and lockfiles vanish (tmpfs, correct: no owners survived) → all surviving run apps reaped at the next run start, immediately |
+| Two same-recipe `!testme`s (different PRs) | run in parallel — separate domains, separate per-run recipe trees |
+| Double-`!testme` (same PR → same domain) | second blocks on the app lock before creating anything, visibly in its drone log, runs after the first finishes |
+| Janitor vs. app being created | impossible to mis-reap: the lock is held before `app new`, and a held lock is never touched |
+| Janitor unlink vs. blocked waiter | inode identity re-check on every acquisition → waiter retries on the live path |
+| Lock held implausibly long (>120 min) | flagged loudly for a human (`lslocks`), never stolen |
+
+## 8. Where convergence fits (adjacent; unchanged by the restructure)
+
+Two swarm-convergence behaviors in `services_converged()` look like concurrency bugs but aren't —
+any future work must keep them fixed:
+
+- **N/N replicas ≠ converged** during a stop-first rolling update — `UpdateStatus.State` is also
+  inspected (build 238: backupbot exec'd into a container killed seconds later).
+- **`paused` persists forever** (swarm's default `update-failure-action`) — only `updating` and
+  `rollback_started` block convergence; `paused`/`rollback_paused` are settled (build 241).
+- `backup_app()` additionally waits (bounded 300s) for convergence before `backup create`.
+
+## 9. Configuration knobs
+
+| Knob | Where | Current | Meaning |
+|---|---|---|---|
+| `DRONE_RUNNER_CAPACITY` (aka `MAX_TESTS`) | `nix/modules/drone-runner.nix` (`maxTests`) | `2` | **THE single concurrency knob.** Max builds the exec runner executes at once; Drone queues the rest. (The `.drone.yml` `concurrency.limit` duplicate was removed.) Change requires `nixos-rebuild switch`. |
+| `CCCI_APP_LOCK_DIR` | env, read at call time | unset → `/run/lock` | App-domain lockfile dir override — used by `tests/concurrency` to sandbox locks. Never set in production. |
+| hard deadline | `lifetime.HARD_DEADLINE_SECONDS` | 3600 s | the whole-run alarm; long-held flag threshold is 2× this (`LONG_HELD_LOCK_SECONDS`) |
+
+## 10. Testing: `tests/concurrency/`
+
+Real-kernel suite (19 planned cases + companions): helper subprocesses hold REAL flocks and
+install the REAL prctl/signal/alarm guards — flock itself is never mocked; the janitor runs with
+injected candidates + stubbed teardown but probes real locks. **Not part of the default
+`pytest tests/unit` gate** (it spawns processes and sleeps); run it explicitly:
+
+```
+cc-ci-run -m pytest tests/concurrency -q
+```
+
+Covers: kernel auto-release on SIGKILL; LOCK_NB probe semantics; PEP 446 fd non-inheritance;
+same-domain serialisation; orphan reap + unlink; live-run protection; reap-under-probe-lock
+blocking; two-janitor arbitration; reboot-immediate reap; long-held flag; RUN_APP_RE allowlist;
+degrade-on-garbage; PDEATHSIG; ppid start race; deadline + SIGTERM funnels; per-run ABRA_DIR
+construction/export; concurrent same-recipe fetch isolation; symlinked-servers .env canonicality;
+run-keyed (never domain-keyed) run-scoped state files (M2(c) regression, `test_run_state.py`).
+
+## 11. File / symbol index
+
+| What | Where |
+|---|---|
+| lifetime guards (PDEATHSIG, signal funnels, deadline) | `runner/harness/lifetime.py`; installed in `run_recipe_ci.main()` |
+| setsid/trap cancel forwarding | `.drone.yml` (`recipe-ci` step) |
+| `acquire_app_lock`, `_held_app_locks`, `_app_lock_path` | `runner/harness/lifecycle.py` |
+| `acquire_app_lock` call site | `lifecycle.deploy_app()` (before app creation) |
+| janitor + probe (`janitor`, `_probe_and_reap`, `LONG_HELD_LOCK_SECONDS`) | `runner/harness/lifecycle.py` |
+| per-run ABRA_DIR (`setup_run_abra_dir`, `fetch_recipe`) | `runner/run_recipe_ci.py` |
+| path resolution (`abra_dir`, `recipe_dir`) | `runner/harness/abra.py` (used by `generic`, `lifecycle.prepull_images`, `warm_reconcile`) |
+| run-app naming | `runner/harness/naming.py` (`app_domain`), `RUN_APP_RE` in `lifecycle.py` |
+| capacity knob | `nix/modules/drone-runner.nix` (`maxTests`) |
+| convergence (adjacent) | `lifecycle.services_converged()`, `lifecycle.backup_app()` |
+| the test suite | `tests/concurrency/` (`helpers.py` subprocess entrypoints, `concutil.py` probes) |
+
+Deleted in the restructure (grep should find NOTHING): `register_run_app`, `unregister_run_app`,
+`_run_owner_state`, `ACTIVE_RUN_DIR`, `CCCI_JANITOR_MAX_AGE`, `_stack_age_seconds`,
+`acquire_recipe_lock`, `RECIPE_LOCK_DIR`.
--- a/docs/enroll-recipe.md
+++ b/docs/enroll-recipe.md
@ -14,8 +14,9 @@ those are discovered and run against the live app (D4 — see below).
 ```
 tests/<recipe>/
 ├── recipe_meta.py      # optional per-recipe harness config (see below)
-├── install_steps.sh    # optional custom install-steps hook (pre-deploy setup)
-├── ops.py              # optional pre-op seed hooks (pre_install/pre_upgrade/pre_backup/pre_restore)
+├── install_steps.sh    # optional custom install-steps hook (pre-deploy setup + deps env wiring)
+├── compose.ccci.yml    # optional CI-only compose overlay (harness-copied, auto-chaos base deploy)
+├── ops.py              # optional pre_<op>(ctx) seed hooks (install/upgrade/backup/restore)
 ├── test_install.py     # optional install overlay  (runs ADDITIVELY alongside generic)
 ├── test_upgrade.py     # optional upgrade overlay   (runs ADDITIVELY alongside generic)
 ├── test_backup.py      # optional backup overlay    (runs ADDITIVELY alongside generic)
@ -39,11 +40,14 @@ To add recipe-specific coverage, drop a `tests/<recipe>/test_<op>.py` **overlay*
 **ALONGSIDE** the generic for that op (HC3 additive, Phase 1e); the generic floor is never silently
 dropped. Overlays are **assertion-only** against the shared live deployment (the `live_app` fixture;
 they never perform the op or deploy/teardown — the orchestrator owns those). If the overlay needs to
-SEED pre-op state (data-continuity markers, the backup→restore divergence), put `pre_<op>(domain,
-meta)` callables in `tests/<recipe>/ops.py` — the orchestrator runs them BEFORE the op. Copy an
+SEED pre-op state (data-continuity markers, the backup→restore divergence), put `pre_<op>(ctx)`
+callables in `tests/<recipe>/ops.py` — the orchestrator runs them BEFORE the op (`ctx` is the
+uniform `HookCtx` every hook receives — `docs/recipe-customization.md` §4.1). Copy an
 existing recipe (`tests/custom-html/` simple/volume marker; `tests/keycloak/` admin-API; `tests/
 matrix-synapse/` `db`-service psql marker). **Do not edit the shared `tests/conftest.py` /
-`runner/harness/` to add a recipe** — set per-recipe knobs in `recipe_meta.py`:
+`runner/harness/` to add a recipe** — set per-recipe knobs in `recipe_meta.py` (the COMPLETE key
+reference is the generated table in `docs/recipe-customization.md` §4; unknown ALL-CAPS keys are
+hard errors, recipe-private constants are underscore-prefixed `_FOO`):

 ```python
 HEALTH_PATH = "/realms/master"   # path that returns a healthy status (default "/")
@ -51,9 +55,7 @@ HEALTH_OK = (200,)               # acceptable status codes (default 200/301/302)
 DEPLOY_TIMEOUT = 600             # seconds for services to converge (default 600)
 HTTP_TIMEOUT = 600               # seconds for the app to answer (default 300)
 BACKUP_CAPABLE = True            # override backup-capability auto-detect (default: scan compose)
-EXTRA_ENV = {"KEY": "value"}     # or EXTRA_ENV(domain) -> dict; extra .env keys set at deploy
-SKIP_GENERIC = ["upgrade"]       # per-recipe opt-out from the generic floor for the listed ops
-                                 #  ("all"/"*" = every op); rarely needed — generic is the floor
+EXTRA_ENV = {"KEY": "value"}     # or EXTRA_ENV(ctx) -> dict; extra .env keys set at deploy
 ```

 Useful `harness.lifecycle` helpers for overlays: `http_get`, `http_fetch`, `http_body`,
@ -76,9 +78,10 @@ Beyond the lifecycle overlays, each recipe carries (plan §4.1):
 - **`playwright/`** — browser flows where the recipe's core UX is a UI (P6).

 The orchestrator's **custom** tier discovers `test_*.py` in `tests/<recipe>/{functional,playwright}/`
-(recursive, via `runner/harness/discovery.custom_tests`) and runs each as its own pytest against
-the same `live_app` shared deployment. Lifecycle-named files (`test_install.py`/etc.) are
-**excluded** from the custom tier — they live at the top level and run as lifecycle overlays.
+ONLY (the placement rule, via `runner/harness/discovery.custom_tests` — a top-level `test_*.py`
+is a lifecycle overlay and nothing else) and runs each as its own pytest against the same
+`live_app` shared deployment. Lifecycle-named files (`test_install.py`/etc.) are **excluded**
+from the custom tier even inside those subdirs (safety net against double-running).

 ### 2.2 Recipe-test dependencies — DEPS = [...] (Phase 2 Q2.3)

@ -89,23 +92,28 @@ them in `recipe_meta.py`:
 DEPS = ["keycloak"]  # one entry per dep recipe name (cc-ci tests/<dep>/ must exist + work)
 ```

-The orchestrator (plan §4.2):
-1. Reads `DEPS` BEFORE deploying the recipe under test.
-2. Deploys each dep at a per-run domain `<dep[:4]>-<6hex>.ci.commoninternet.net` (the 6hex is
-   hashed from `parent_recipe + pr + ref + dep_recipe` so two recipes' deps of the same kind do
-   not collide on a single node).
-3. Waits each dep healthy using its own `recipe_meta.py` (HEALTH_PATH/HEALTH_OK/timeouts).
-4. Persists `[{"recipe": "<dep>", "domain": "<dep-domain>"}, ...]` to `$CCCI_DEPS_FILE`.
-5. Deploys + tests the recipe under test as usual.
-6. Tears down the dep LAST in `finally` (reverse declaration order, with `verify=True` — leaked
+The orchestrator (plan §4.2; install-time provisioning is the ONLY mode):
+1. Reads `DEPS` and provisions every dep **BEFORE the single deploy** of the recipe under test —
+   each dep at a per-run domain `<dep[:4]>-<6hex>.ci.commoninternet.net` (the 6hex is hashed from
+   `parent_recipe + pr + ref + dep_recipe` so two recipes' deps of the same kind do not collide on
+   a single node), waited healthy using the dep's own `recipe_meta.py`.
+2. Persists the full per-dep identity + SSO creds dict to `$CCCI_DEPS_FILE` (jq-readable JSON,
+   `{"<dep>": {"domain": ..., "realm": ..., "client_secret": ..., ...}}`).
+3. Deploys the recipe under test — its `install_steps.sh` reads `$CCCI_DEPS_FILE` and wires
+   OIDC env into that ONE deploy (no post-deploy redeploy). A dep-provisioning failure does NOT
+   block the run: the recipe deploys alone, generic tiers run, and `requires_deps` tests skip
+   with a counted reason (F2-11).
+4. Tears down the dep LAST in `finally` (reverse declaration order, with `verify=True` — leaked
   deps fail the run loudly per §9 teardown sacred / F2-5 fix).

-Tests access dep domains via the **`deps_apps` pytest fixture** (`tests/conftest.py`):
+Tests access deps via the **`deps` pytest fixture** (`tests/conftest.py`) — entries expose
+`.domain` plus the full creds dict (attribute or dict-style):

 ```python
-def test_my_recipe_uses_keycloak(live_app, deps_apps):
-    assert "keycloak" in deps_apps, f"keycloak dep not deployed; {deps_apps}"
-    kc_domain = deps_apps["keycloak"]
+@pytest.mark.requires_deps
+def test_my_recipe_uses_keycloak(live_app, deps):
+    assert "keycloak" in deps, f"keycloak dep not deployed; {deps}"
+    kc_domain = deps["keycloak"].domain
    …
 ```

@ -120,7 +128,7 @@ For OIDC-dependent recipes, the shared `runner/harness/sso.py` provides:
 from harness import sso

 creds = sso.setup_keycloak_realm(
-    kc_domain,                   # = deps_apps["keycloak"]
+    kc_domain,                   # = deps["keycloak"].domain
    realm="my-realm",
    client_id="my-client",
    redirect_uris=[f"https://{live_app}/*"],
@ -144,10 +152,10 @@ ARE provider-pluggable.
 Not every recipe is a single HTTP app. `recipe_meta.py` + a few harness mechanisms cover the harder
 shapes (proven on mumble, mailu, and the SSO-dependent suite):

- **`EXTRA_ENV`** — a dict **or** a `callable(domain) -> dict`. The callable form derives values from
-  the per-run domain (e.g. `MAIL_DOMAIN`/`HOSTNAMES` for mailu, `SANDBOX_DOMAIN` for cryptpad). Applied
-  at every deploy (`abra.env_set`), so a recipe enrolls with NO shared-harness change.
- **`READY_PROBE(domain) -> [...]`** — readiness signals beyond replica-convergence + the app's
+- **`EXTRA_ENV`** — a dict **or** a `callable(ctx) -> dict`. The callable form derives values from
+  the per-run domain (`ctx.domain` — e.g. `MAIL_DOMAIN`/`HOSTNAMES` for mailu, `SANDBOX_DOMAIN` for
+  cryptpad). Applied at every deploy (`abra.env_set`), so a recipe enrolls with NO shared-harness change.
+- **`READY_PROBE(ctx) -> [...]`** — readiness signals beyond replica-convergence + the app's
  `HEALTH_PATH`. Two probe shapes:
  - HTTP: `{"host": "...", "path": "/...", "ok": (200,)}` (e.g. lasuite-drive collabora WOPI discovery).
  - **TCP**: `{"tcp_host": "127.0.0.1", "tcp_port": 64738, "stable": 3}` — polls a socket connect N
@ -155,16 +163,16 @@ shapes (proven on mumble, mailu, and the SSO-dependent suite):
    service (mumble: the mumble-web sidecar serves HTTP 200 while the voice server on 64738 is still
    rebinding after an upgrade redeploy — the TCP probe gates the backup tier until the voice server is
    actually up). Runs after install AND after the upgrade chaos redeploy.
- **`CHAOS_BASE_DEPLOY = True`** — make the pinned base deploy use `--chaos` (skips abra's clean-tree +
-  lint gates, still deploys the explicitly-checked-out pinned version, NOT latest). Needed when an
-  `install_steps.sh` adds an UNTRACKED file to the recipe checkout (e.g. mumble copies a
-  `compose.host-ports.yml` into versions that predate it) — abra's pinned-deploy clean-tree check would
-  otherwise FATA. `abra.recipe_checkout` force-checks-out (`-f`) so the upgrade tier's re-checkout to
-  PR-head overwrites such overlays cleanly.
+- **`compose.ccci.yml`** (first-class at `tests/<recipe>/compose.ccci.yml`) — a CI-only compose
+  overlay the harness itself copies into the recipe checkout before the base deploy, automatically
+  using `--chaos` for that deploy (the untracked file would otherwise trip abra's pinned-deploy
+  clean-tree check). Reference it from `EXTRA_ENV`'s `COMPOSE_FILE`. Minimal, justified fallback
+  only (e.g. ghost's 15m `start_period` grace). `abra.recipe_checkout` force-checks-out (`-f`) so
+  the upgrade tier's re-checkout to PR-head overwrites such overlays cleanly.
 - **`install_steps.sh`** (auto-discovered at `tests/<recipe>/install_steps.sh`) — runs after
  `abra app new` + EXTRA_ENV + secret-generate, BEFORE the single deploy, with `CCCI_APP_DOMAIN` /
-  `CCCI_APP_ENV` / `CCCI_RECIPE` (and `CCCI_DEPS_FILE` when DEPS are provisioned at install). Use it to
-  drop a cc-ci-owned compose overlay into the checkout, wire dep-derived env/secrets, etc.
+  `CCCI_APP_ENV` / `CCCI_RECIPE` (and `CCCI_DEPS_FILE` when the recipe declares DEPS — deps are
+  always provisioned before the deploy). Use it to wire dep-derived env/secrets, seed config, etc.

 **Non-HTTP protocol tests (mumble).** Reach a TCP service published `mode: host` (via a host-ports
 overlay) at `127.0.0.1:<port>` — cc-ci runs tests on-host (cc-ci-run). mumble ships a stdlib protocol
@ -227,9 +235,10 @@ RECIPE=<recipe> PR=<n> REF=<sha-or-branch> SRC=recipe-maintainers/<recipe> \

 ```
 tests/lasuite-docs/
-├── recipe_meta.py            # HEALTH_PATH="/", DEPLOY_TIMEOUT=900, EXTRA_ENV(domain) for cold-pull,
+├── recipe_meta.py            # HEALTH_PATH="/", DEPLOY_TIMEOUT=900, EXTRA_ENV(ctx) for cold-pull,
 │                             # DEPS=["keycloak"]  ← Phase 2 dep declaration
-├── ops.py                    # pre_<op> seed hooks (volume marker for backup/restore data-integrity)
+├── install_steps.sh          # wires OIDC env from $CCCI_DEPS_FILE into the single deploy
+├── ops.py                    # pre_<op>(ctx) seed hooks (volume marker for backup/restore data-integrity)
 ├── test_install.py           # lifecycle install overlay (Playwright frontend SPA load)
 ├── test_upgrade.py           # lifecycle upgrade overlay (marker survives chaos redeploy)
 ├── test_backup.py            # lifecycle backup overlay (marker captured)
@ -239,12 +248,14 @@ tests/lasuite-docs/
    ├── test_health_check.py        # parity port (SOURCE comment cites recipe-info file)
    ├── test_auth_required.py       # specific: /api/v1.0/users/me/ → 401 without auth
    └── test_oidc_with_keycloak.py  # specific: full OIDC flow against the dep keycloak (uses
-                                    # harness.sso primitives + deps_apps["keycloak"])
+                                    # harness.sso primitives + the `deps` fixture)
 ```

 `!testme` on a lasuite-docs PR drives the orchestrator to:
-1. Deploy the per-run keycloak dep (`keyc-<6hex>.ci.commoninternet.net`) and wait healthy.
-2. Deploy lasuite-docs (`lasu-<6hex>.ci.commoninternet.net`).
+1. Provision the per-run keycloak dep (`keyc-<6hex>.ci.commoninternet.net`), wait healthy, write
+   creds to `$CCCI_DEPS_FILE` — BEFORE the recipe deploy.
+2. Deploy lasuite-docs (`lasu-<6hex>.ci.commoninternet.net`); `install_steps.sh` wires the OIDC
+   env into that one deploy.
 3. Run install / upgrade / backup / restore + the 3 functional tests against the shared
   deployment (custom tier).
 4. Teardown lasuite-docs, then the keycloak dep (LAST), both with verify=True.
@ -254,12 +265,13 @@ tests/lasuite-docs/
 ### Other shapes (concrete references)

 - **TCP / voice recipe — `tests/mumble/`**: `recipe_meta.py` (EXTRA_ENV sets
-  `COMPOSE_FILE=compose.yml:compose.mumbleweb.yml:compose.host-ports.yml`, `WELCOME_TEXT`/`USERS`
-  markers, `CHAOS_BASE_DEPLOY=True`, `READY_PROBE` TCP 64738), `install_steps.sh` (provides the
-  host-ports overlay to older versions), `functional/_mumble_proto.py` + the protocol/config-round-trip
+  `COMPOSE_FILE=compose.yml:compose.mumbleweb.yml` for the base; `UPGRADE_EXTRA_ENV` adds the
+  native `compose.host-ports.yml` at PR-head so 64738 is host-published on latest; private
+  `_WELCOME_TEXT_MARKER`/`_MAX_USERS` constants; `READY_PROBE(ctx)` TCP 64738 — phase-aware via
+  the live COMPOSE_FILE), `functional/_mumble_proto.py` + the protocol/config-round-trip
  tests, `ops.py`/`test_backup.py`/`test_restore.py` (sqlite P4). See §2.4.
 - **Multi-service, dep-less, in-container functional — `tests/mailu/`**: `recipe_meta.py`
-  (`EXTRA_ENV(domain)` with `TLS_FLAVOR=notls` + `MAIL_DOMAIN`/`HOSTNAMES`/`TRAEFIK_STACK_NAME`),
+  (`EXTRA_ENV(ctx)` with `TLS_FLAVOR=notls` + `MAIL_DOMAIN`/`HOSTNAMES`/`TRAEFIK_STACK_NAME`),
  `functional/_mailu.py` (flask-CLI helpers), `test_mailbox.py` (create→config-export read-back),
  `test_mail_flow.py` (in-container sendmail→doveadm delivery). No backupbot → P4 N/A (PARITY.md +
  DEFERRED.md). See §2.4.
--- a/docs/recipe-customization.md
+++ b/docs/recipe-customization.md
@ -0,0 +1,360 @@
+# Recipe customization — reference
+
+Status: REFERENCE — describes the customization system as restructured on branch
+`restructure/recipe-custom` (the "rcust" restructure). The pre-restructure system and its defects
+are documented in this file's history (commit `76a4b6b`, the review spec whose §8 R1–R9 drove the
+restructure); §8 below records how each was resolved.
+
+Companion docs: `docs/testing.md` (test architecture / tier semantics), `docs/enroll-recipe.md`
+(step-by-step enrollment). This doc is the **complete reference** for the two questions those docs
+answer only partially:
+
+1. How are custom tests written for a particular recipe?
+2. What are ALL the per-recipe CI settings, where do they live, and who reads them?
+
+---
+
+## 1. The three customization surfaces
+
+A recipe customizes its CI through **three distinct mechanisms**:
+
+| Surface | Form | Examples |
+|---|---|---|
+| **Declarative settings** | Python assignments in `tests/<recipe>/recipe_meta.py` | `DEPLOY_TIMEOUT = 1500`, `UPGRADE_BASE_VERSION = "2.3.1+..."` |
+| **Code hooks** | Callables in `recipe_meta.py`, `ops.py` functions, one shell hook | `def READY_PROBE(ctx): ...`, `pre_upgrade(ctx)`, `install_steps.sh` |
+| **File presence** | A file existing at a discovered path changes behavior | `test_upgrade.py` overlay, `functional/test_*.py`, `compose.ccci.yml` |
+
+There is additionally a fourth, **operator-facing, local-dev-only** surface: environment variables
+(`CCCI_SKIP_GENERIC*`) that suppress the generic floor at run time (§7). Whatever a run resolves
+from all four surfaces is printed at run start as the **customization manifest** and embedded in
+`results.json` under `"customization"` (§7) — one block answers "what does this recipe customize?".
+
+## 2. Zero-config baseline
+
+A recipe with **no `tests/<recipe>/` directory at all** still gets the full generic floor:
+
+- deploy base version → INSTALL (generic `assert_serving`: HTTP on `/`, expect 200/301/302)
+- chaos-upgrade to PR head → UPGRADE (generic `assert_upgraded`: version label matches head, converged, serving)
+- BACKUP (generic `assert_backup_artifact`) — iff the recipe's compose files carry
+  `backupbot.backup` labels (auto-detected), else N/A
+- RESTORE (generic `assert_restore_healthy`)
+- CUSTOM tier: empty (no custom tests discovered)
+- teardown
+
+Defaults: `HEALTH_PATH="/"`, `HEALTH_OK=(200,301,302)`, `DEPLOY_TIMEOUT=600`, `HTTP_TIMEOUT=300`.
+Everything in this doc is opt-in deviation from that floor. The cardinal invariant
+(docs/testing.md §1): the generic floor is **always on** and never depends on custom code;
+custom is **additive** by default.
+
+## 3. The per-recipe tree — every file that can exist
+
+Two locations, with precedence and a security gate between them:
+
+- **cc-ci-owned**: `tests/<recipe>/` in this repo (trusted, maintainer-reviewed)
+- **repo-local**: the recipe repo's own `tests/` dir (PR-author-controlled → **default-deny**,
+  consulted only when the recipe is listed in `tests/repo-local-approved.txt` — gate HC2,
+  centralized in `runner/harness/discovery.py`)
+
+```
+tests/<recipe>/                      # cc-ci side (repo-local mirrors the same shape)
+├── recipe_meta.py                   # THE config file: registry-validated keys + ctx-hooks (§4)
+├── test_<op>.py                     # lifecycle overlay assertions, op ∈ install|upgrade|backup|restore (§5.1)
+├── ops.py                           # pre_<op>(ctx) seed hooks                    (§5.2)
+├── functional/test_*.py             # custom tier: parity ports + recipe-specific (§5.3)
+├── playwright/test_*.py             # custom tier: UI flows                       (§5.3)
+├── install_steps.sh                 # pre-deploy shell hook (the ONLY shell hook) (§5.4)
+├── compose.ccci.yml                 # CI-only compose overlay (first-class)       (§5.5)
+└── PARITY.md                        # enrollment contract doc (human-read only)
+```
+
+**Placement rule (custom tests):** ALL custom-tier tests live under `functional/` or
+`playwright/`. A top-level `test_*.py` is a lifecycle overlay (`test_<op>.py`) and nothing else —
+top-level non-lifecycle files are NOT discovered (`discovery.custom_tests`; the lifecycle-name
+exclusion stays as a safety net so a misfiled `test_<op>.py` can never double-run).
+
+Precedence (machine-docs/DECISIONS.md, implemented in `discovery.py`):
+
+- lifecycle overlay `test_<op>.py`: repo-local **wins** over cc-ci (same-name collision); the
+  generic floor still runs additively alongside.
+- custom tier (`functional/` + `playwright/`): **ALL** run, from both locations (no collision
+  concept).
+- `install_steps.sh`: repo-local > cc-ci, or none.
+- `ops.py` pre-op hook: cc-ci wins; repo-local consulted only if approved.
+- `recipe_meta.py` and `compose.ccci.yml`: cc-ci only — repo-local recipes cannot set CI settings
+  or compose overlays (by design; those surfaces stay maintainer-controlled).
+
+## 4. `recipe_meta.py` — complete settings reference
+
+The single settings file. Plain Python, `exec()`d by the harness in exactly ONE place: the
+registry-backed loader `runner/harness/meta.py::load(recipe) -> RecipeMeta`. Every consumer — the
+orchestrator (which loads once and passes the object down), the pytest `meta` fixture, lifecycle,
+deps, canonical, screenshot — reads from that one loaded object.
+
+**Validation (hard errors at load, before any deploy):**
+
+- A key is "set" by a top-level ALL-CAPS assignment or `def`. Unknown ALL-CAPS top-level names
+  raise `MetaError` listing the unknown name and the nearest registered key (typo gate —
+  misspelling `READY_PROBE` can no longer silently disable the probe).
+- Type mismatches raise `MetaError`; callables are accepted only for hook-typed keys.
+- **Underscore-prefixed names (`_FOO`) are recipe-private and exempt** — that's where private
+  constants live (e.g. mumble's `_WELCOME_TEXT_MARKER`). Lowercase names (helpers/imports) are
+  ignored.
+- Hook callables must have the registered signature (below); a legacy-signature hook raises a
+  `MetaError` naming the migration, never a silent `TypeError` mid-run.
+
+A unit test (`tests/unit/test_meta.py`) loads every `tests/*/recipe_meta.py` through the registry,
+so a typo'd key fails at PR time, not at run time.
+
+<!-- META-TABLE-START -->
+
+_This table is GENERATED from the `runner/harness/meta.py` KEYS registry by `scripts/gen-meta-docs.py` — do not edit by hand (a unit test pins the sync)._
+
+| Key | Type | Default | Meaning |
+|---|---|---|---|
+| `HEALTH_PATH` | `str` | `'/'` | Path probed for serving/health checks (deploy wait + generic `assert_serving`). |
+| `HEALTH_OK` | `tuple[int]` | `(200, 301, 302)` | Acceptable HTTP status codes for health. |
+| `DEPLOY_TIMEOUT` | `int` | `600` | Max seconds to wait for swarm convergence per deploy. |
+| `HTTP_TIMEOUT` | `int` | `300` | Max seconds to wait for HTTP health after convergence. |
+| `BACKUP_CAPABLE` | `bool` | `None` | Override the backup-tier capability auto-detect (compose `backupbot.backup` labels). `False` forces an intentional skip of the backup/restore rung; `True` forces the tier on; unset = auto-detect. |
+| `EXPECTED_NA` | `dict` | `None` | Declare a non-run rung an INTENTIONAL skip: `{rung: reason}` — the level climbs past it; an undeclared non-run rung is *unverified* and blocks the level above it (classification table: machine-docs/DECISIONS.md phase lvl5). Never overrides an exercised pass/fail; the `lint` rung has no escape hatch. |
+| `READY_PROBE` | `hook` | `None` | Callable `(ctx) -> [probe, ...]` returning extra readiness probes, run after install AND after upgrade: HTTP `{host, path, ok}` or TCP `{tcp_host, tcp_port, stable}`. |
+| `UPGRADE_BASE_VERSION` | `str` | `None` | Exact published tag overriding the upgrade tier's base (default: `recipe_versions[-2]`). |
+| `BACKUP_VERIFY` | `hook` | `None` | Callable `(ctx) -> bool` post-backup data-capture check; `False` re-runs the backup (truncated-dump race guard), retried up to 3 attempts. |
+| `UPGRADE_EXTRA_ENV` | `dict_or_hook` | `None` | Extra `.env` keys applied after the PR-head checkout, before the chaos redeploy (env that exists only at head). Dict, or callable `(ctx) -> dict`. |
+| `EXTRA_ENV` | `dict_or_hook` | `{}` | Extra `.env` keys applied at EVERY deploy (base install AND upgrade old-app). Dict, or callable `(ctx) -> dict` deriving values from the per-run domain (`ctx.domain`). |
+| `DEPS` | `list[str]` | `[]` | Dep recipes deployed/provisioned alongside (e.g. `["keycloak"]`); creds land in `$CCCI_DEPS_FILE`. |
+| `WARM_CANONICAL` | `bool` | `False` | Enroll the recipe in the warm/canonical app system (docs/warm.md): green cold runs on LATEST advance the canonical snapshot. |
+| `SCREENSHOT` | `hook` | `None` | Callable `(page, ctx)` driving Playwright to a safe, credential-free post-login view for the results-card screenshot (default: landing page). |
+
+<!-- META-TABLE-END -->
+
+### 4.1 The uniform hook convention — `HookCtx`
+
+Every recipe callable takes a single `ctx` argument (`harness/meta.py::HookCtx`, frozen):
+
+| Field | Meaning |
+|---|---|
+| `ctx.domain` | the app's per-run domain |
+| `ctx.base_url` | `https://<domain>` |
+| `ctx.meta` | the recipe's full `RecipeMeta` |
+| `ctx.deps` | provisioned dep creds (`{dep_recipe: entry}`) or `None` |
+| `ctx.op` | current lifecycle op (`install`/`upgrade`/`backup`/`restore`) or `None` |
+
+Signatures: `EXTRA_ENV(ctx)`, `UPGRADE_EXTRA_ENV(ctx)`, `READY_PROBE(ctx)`, `BACKUP_VERIFY(ctx)`,
+`SCREENSHOT(page, ctx)`, ops.py `pre_<op>(ctx)`. Dict-valued `EXTRA_ENV`/`UPGRADE_EXTRA_ENV`
+(non-callable) are still fine — only the callable form takes ctx. The loader enforces the
+parameter names at load time (a pre-restructure `(domain)`/`(domain, meta)` hook gets a pointed
+`MetaError`, not a mid-run crash).
+
+Worked hook examples: cryptpad (`EXTRA_ENV(ctx)` derives `SANDBOX_DOMAIN` from `ctx.domain`),
+mumble (`READY_PROBE(ctx)` TCP voice-port probe, `UPGRADE_EXTRA_ENV(ctx)` adds a head-only compose
+overlay), ghost/discourse (`BACKUP_VERIFY(ctx)` dump-capture check).
+
+## 5. Writing custom tests & hooks
+
+### 5.1 Lifecycle overlay assertions — `test_<op>.py`
+
+One pytest file per lifecycle op (`install` / `upgrade` / `backup` / `restore`). The
+**orchestrator performs the op exactly once**; the overlay only *asserts* on the resulting state
+(HC3 op/assertion split — overlays never deploy, never restore, never mutate). The generic floor
+test runs additively against the same state.
+
+Conventions (see `tests/immich/test_backup.py` etc.):
+- use the `live_app` fixture (asserts `CCCI_APP_DOMAIN` is set, yields the domain)
+- use the `meta` fixture — the recipe's FULL validated `RecipeMeta` (attribute access)
+- use the `op_state` fixture for op context (versions, `snapshot_id`, artifact paths — the
+  orchestrator's run-scoped op record; skips with a clear reason outside an orchestrator run)
+- execute in-container checks via `harness.lifecycle.exec_in_app(domain, service, cmd)`
+
+### 5.2 Pre-op seed hooks — `ops.py`
+
+`def pre_<op>(ctx)` callables, imported and called by the orchestrator **before** performing the
+op. This is where data gets seeded so the post-op overlay can assert on it:
+
+```python
+# tests/immich/ops.py (pattern)
+def pre_upgrade(ctx):  _psql(ctx.domain, "INSERT ... 'upgrade-survives'")
+def pre_backup(ctx):   _psql(ctx.domain, "INSERT ... 'original'")
+def pre_restore(ctx):  _psql(ctx.domain, "DROP TABLE ci_marker")  # damage, restore must undo
+```
+
+Seed → op → assert is the whole pattern: `pre_backup` writes a marker, the orchestrator backs up,
+`pre_restore` destroys it, the orchestrator restores, `test_restore.py` asserts the marker is back.
+
+### 5.3 Custom tier — `functional/` and `playwright/` ONLY
+
+All custom-tier tests live under `tests/<recipe>/functional/` or `tests/<recipe>/playwright/`
+(discovery: `discovery.custom_tests`; the placement rule, §3). Run in the CUSTOM tier, after
+restore, against the post-upgrade (PR-head) app. ALL discovered files run — cc-ci's and (if
+HC2-approved) repo-local's, additively.
+
+Enrollment contract (`docs/enroll-recipe.md`): ≥2 NEW functional tests beyond ports of existing
+upstream checks; ported tests carry `SOURCE:` comments. Playwright tests get the shared
+browser/harness helpers (`harness.browser`); SSO recipes get `harness.sso`
+(`setup_keycloak_realm` — idempotent, `oidc_password_grant` — provider-pluggable). The documented
+import toolbox for custom tests is `from harness import lifecycle, sso, browser`.
+
+Tests needing deps use the `deps` fixture (entries expose `.domain` plus the full creds dict) and
+carry `@pytest.mark.requires_deps` — when dep provisioning failed they skip with reason
+`deps-not-ready` and the skip count is reported and FAILS a declared-deps run (F2-11; a green exit
+must not mask an unrun SSO test). Fixtures replace direct `os.environ` reads — after the
+restructure no recipe test parses env by hand.
+
+### 5.4 Pre-deploy shell hook — `install_steps.sh`
+
+The ONLY shell hook. Runs after `abra app new` + `EXTRA_ENV` application + secret generation,
+**before** the single base deploy. For setup that must precede the first deploy: writing extra
+config files into the recipe checkout, editing `.env` beyond simple key=val, and — for recipes
+with `DEPS` — wiring dep-derived OIDC env into the deploy (deps are always provisioned BEFORE the
+deploy; install-time wiring is the only mode, so there is exactly one deploy and no post-deploy
+redeploy hook).
+
+Env contract: `CCCI_APP_DOMAIN`, `CCCI_RECIPE`, `CCCI_APP_ENV` (path to the app's `.env`), and —
+when `DEPS` is declared — `CCCI_DEPS_FILE` (jq-readable JSON of dep creds/URLs; see
+lasuite-drive/-meet/-docs for the pattern). Must locate the recipe checkout ABRA_DIR-aware:
+`RECIPE_DIR="${ABRA_DIR:-${HOME}/.abra}/recipes/${CCCI_RECIPE}"` (per-run `ABRA_DIR` since the
+concurrency restructure — a hardcoded `~/.abra` writes to the wrong tree).
+
+Graceful-generic rule: a recipe needing a hook but not shipping one simply fails the generic
+install — a correct reported outcome, not a harness error.
+
+### 5.5 CI-only compose overlay — `compose.ccci.yml`
+
+**First-class:** if `tests/<recipe>/compose.ccci.yml` exists, the harness itself copies it into
+the recipe checkout (ABRA_DIR-aware) before the base deploy and automatically uses `--chaos` for
+that deploy (the untracked file would otherwise trip abra's clean-tree gate). No
+`install_steps.sh` copy boilerplate, no flag to remember (the old `CHAOS_BASE_DEPLOY` ⇄ overlay
+coupling is gone). The overlay is cc-ci-owned only.
+
+Policy unchanged: overlays are a minimal, justified fallback (ghost's is a 15m `start_period`
+grace — a literal, because abra validates `start_period` before env substitution). Reference the
+overlay from `EXTRA_ENV`'s `COMPOSE_FILE` as usual. Users: ghost, discourse.
+
+### 5.6 Environment & fixture contract (what custom code can read)
+
+Pytest fixtures (`tests/conftest.py` — the single fixture file):
+
+| Fixture | Yields |
+|---|---|
+| `recipe` | the recipe name (`$RECIPE`) |
+| `meta` | the FULL validated `RecipeMeta` (single loader) |
+| `live_app` | the shared deployment's domain (asserts it exists) |
+| `op_state` | the orchestrator's op-context dict (skips cleanly outside a run) |
+| `deps` | `{dep_recipe: entry}` — entries expose `.domain` + full SSO creds |
+
+Environment (hooks/shell, and approved repo-local code):
+
+| Var | Set for | Meaning |
+|---|---|---|
+| `CCCI_APP_DOMAIN` | all tests + hooks | the app's per-run domain |
+| `CCCI_BASE_URL` | approved repo-local code | `https://<domain>` |
+| `CCCI_RECIPE`, `CCCI_APP_ENV` | `install_steps.sh` | recipe name, app `.env` path |
+| `CCCI_OP_STATE_FILE` | overlay tests (via `op_state`) | JSON op context (versions, artifacts) |
+| `CCCI_DEPS_FILE` | `install_steps.sh` + harness | JSON dep creds dict |
+| `CCCI_DEPS_READY` / `CCCI_DEPS_NOT_READY_REASON` | custom tier (via `requires_deps`) | gate SSO tests, skip-with-reason |
+
+## 6. Run-model context (what the settings plug into)
+
+One deploy chain per run (full detail: `docs/testing.md` §2):
+
+```
+[DEPS? provision deps FIRST → $CCCI_DEPS_FILE]
+deploy BASE (UPGRADE_BASE_VERSION or recipe_versions[-2]; EXTRA_ENV; install_steps.sh;
+             compose.ccci.yml auto-copied + auto-chaos)
+  → INSTALL tier   (READY_PROBE; generic + overlay asserts)
+  → pre_upgrade(ctx) → chaos-deploy PR HEAD (UPGRADE_EXTRA_ENV)
+  → UPGRADE tier   (READY_PROBE; version-label == head_ref)
+  → pre_backup(ctx) → backup       (BACKUP_CAPABLE; BACKUP_VERIFY)
+  → BACKUP tier
+  → pre_restore(ctx) → restore
+  → RESTORE tier
+  → CUSTOM tier    (functional/ + playwright/; deps via the `deps` fixture)
+  → SCREENSHOT (best-effort, never affects the verdict)
+  → teardown (deps LAST)
+```
+
+Deploy-count guard (DG4.1): exactly `1 + len(DEPS)` deploys per run (chaos redeploys don't
+count); the per-run counter file is keyed by run since the concurrency restructure.
+
+## 7. Local iteration, the manifest, and the dev-only escape hatch
+
+```
+RECIPE=<recipe> PR=<n> REF=<sha> SRC=recipe-maintainers/<recipe> \
+  STAGES=install,upgrade,backup,restore,custom \
+  cc-ci-run runner/run_recipe_ci.py
+```
+
+(`docs/enroll-recipe.md` §5 for the full loop, including dep teardown caveats.)
+
+**Customization manifest.** Every run prints, right after meta load + discovery, one block:
+
+```
+===== customization manifest: <recipe> =====
+meta (non-default): DEPLOY_TIMEOUT=1500 DEPS=['keycloak'] EXTRA_ENV='<hook>'
+hooks: ops.py[pre_backup,pre_upgrade](cc-ci) install_steps.sh(cc-ci) compose.ccci.yml(cc-ci)
+overlays: test_backup.py(cc-ci) test_restore.py(repo-local)
+custom tests: functional/=5 playwright/=2 (cc-ci)
+env overrides: (none)
+```
+
+The same dict is embedded in `results.json` under `"customization"`. It is pure presentation —
+built from the SAME discovery/meta calls the run uses (so it cannot disagree with what executes,
+and it honors the HC2 gate) — and never influences a verdict.
+
+**Dev-only generic skip.** `CCCI_SKIP_GENERIC=1` (all ops) / `CCCI_SKIP_GENERIC_<OP>=1` (one op)
+suppress the generic floor — a LOCAL-DEV-ONLY escape hatch for iterating on one tier. There is no
+declarative equivalent (the old `SKIP_GENERIC` meta key is deleted). If the env form is active in
+a CI (drone) run, the run prints a loud `!!` warning and the manifest records it.
+
+## 8. Restructure outcomes (the review spec's R1–R9)
+
+How each defect identified in the review spec (commit `76a4b6b` §8) was resolved:
+
+- **R1 — six divergent meta loaders → RESOLVED.** One registry-backed loader
+  (`harness/meta.py::load`), the only `exec()` of `recipe_meta.py`. The orchestrator loads once
+  and passes the `RecipeMeta` down; conftest/lifecycle/deps/canonical all read the one object.
+- **R2 — dead `SCREENSHOT` knob → RESOLVED (kept + fixed).** The registry replaced the allowlist
+  that orphaned it; the orchestrator path now delivers the hook to `screenshot.py`
+  (proven end-to-end by `tests/unit/test_screenshot.py::test_screenshot_reachable_through_real_load_path`).
+- **R3 — 4-key pytest `meta` fixture → RESOLVED.** The fixture returns the full validated
+  `RecipeMeta`.
+- **R4 — three config languages → MITIGATED by the manifest** (§7): the surfaces stay (they serve
+  different actors), but every run resolves them into one visible block + results key.
+- **R5 — reference-doc drift → RESOLVED.** §4's key table is generated from the registry
+  (`scripts/gen-meta-docs.py`); a unit test fails CI on drift; `testing.md`/`enroll-recipe.md`
+  point here instead of keeping partial lists.
+- **R6 — silent typos → RESOLVED.** Unknown ALL-CAPS keys and type mismatches are hard
+  `MetaError`s; private constants are underscore-prefixed (exempt).
+- **R7 — `compose.ccci.yml` ⇄ `CHAOS_BASE_DEPLOY` coupling → RESOLVED.** The overlay is
+  first-class: harness-copied, auto-chaos. The flag is deleted.
+- **R8 — zero-user `SKIP_GENERIC` meta key → RESOLVED (deleted).** Env form remains, documented
+  dev-only, loudly flagged in CI runs (§7).
+- **R9 — `recipe_meta.py` is code, not config → REJECTED by decision.** No data/hooks file split:
+  registry validation gets the value (typed, validated keys) at lower cost; one file per recipe
+  remains the single config place. The expressiveness need is real (cryptpad derives env from the
+  per-run domain).
+
+Also settled in the restructure: install-time deps provisioning is the ONLY mode (the legacy
+post-deploy `setup_custom_tests.sh` machinery and its extra redeploy are deleted); the custom-test
+placement rule (§3); the uniform ctx hook convention (§4.1); the consolidated fixture surface
+(§5.6 — `deps` replaces `deps_apps`+`deps_creds`; dead `deployed`/`deployed_app`/`app_domain`
+fixtures deleted).
+
+## 9. File / symbol index
+
+| Concern | Where |
+|---|---|
+| THE meta loader + key registry + `HookCtx` + `MetaError` | `runner/harness/meta.py` (`load`, `KEYS`, `check_hook_signature`) |
+| Generated key table | `scripts/gen-meta-docs.py` → §4 above (sync pinned by `tests/unit/test_meta.py`) |
+| Customization manifest | `runner/harness/manifest.py` (`build`, `render`), printed by `runner/run_recipe_ci.py` |
+| Overlay/custom/hook discovery + HC2 gate + placement rule | `runner/harness/discovery.py` |
+| HC2 allowlist | `tests/repo-local-approved.txt` |
+| Generic assertions + `BACKUP_CAPABLE` detect | `runner/harness/generic.py` |
+| `compose.ccci.yml` auto-copy + auto-chaos | `runner/harness/lifecycle.py` (`provide_ccci_overlay`, `deploy_app`) |
+| `READY_PROBE` consumption | `runner/harness/lifecycle.py` (`wait_ready_probes`) |
+| `EXPECTED_NA` reporting | `runner/harness/results.py` |
+| `SCREENSHOT` consumer | `runner/harness/screenshot.py` |
+| Fixtures (`recipe`/`meta`/`live_app`/`op_state`/`deps`) + F2-11 skip-report | `tests/conftest.py` |
+| Skip-generic env logic (dev-only) | `runner/run_recipe_ci.py` (`_skip_generic`) |
+| Unit tests pinning all of the above | `tests/unit/test_meta.py`, `test_manifest.py`, `test_discovery*.py` |
+| Worked examples | `tests/ghost/` (overlay+compose.ccci.yml), `tests/mumble/` (TCP probe, UPGRADE_EXTRA_ENV, private `_` constants), `tests/lasuite-drive/` (DEPS + install-time OIDC wiring), `tests/immich/` (ops.py seed pattern) |
--- a/docs/results-ux.md
+++ b/docs/results-ux.md
@ -10,12 +10,9 @@ It is the R8 reference for Phase 3 (`plan-phase3-results-ux.md`).

 ---

-## 1. The level ladder (R1)
+## 1. The level ladder (phase lvl5 semantics, operator-decided 2026-06-11)

-Every run earns a single integer **level 0–6**. The ladder is cumulative with **YunoHost
-gap-caps-the-level** semantics: you earn level `L` only if **every rung 1..L was a clean PASS**. The
-first rung that is not a clean PASS — a real **FAIL** *or* genuinely **N/A** for this recipe — stops
-the climb, and `level_cap_reason` records which rung and why.
+Every run earns a single integer **level 0–5** over the FIVE essential rungs:

 | Level | Rung | Earned when |
 |------:|------|-------------|
@ -24,42 +21,52 @@ the climb, and `level_cap_reason` records which rung and why.
 | **L2** | upgrade | previous published version → PR/latest, stays healthy, data intact. |
 | **L3** | backup/restore | seeded data survives backup → wipe → restore. |
 | **L4** | functional | the recipe-specific functional tests pass. |
-| **L5** | integration | SSO/OIDC + cross-app integration tests pass. |
-| **L6** | recipe-local | the recipe repo's own `tests/` (D4) pass and are merged. |
+| **L5** | lint | `abra recipe lint` passes against the exact ref under test. |

-**N/A caps, fairly.** A rung that does not apply to a recipe (only one published version → no
-upgrade; not backup-capable; no SSO/integration surface; no recipe-local tests) is **N/A**, which
-caps the climb at the rung below it with a recorded reason — it is *not* counted as a failure. This is
-the only fair reading of "a missing lower rung caps the level": e.g. a recipe with **no integration
-surface caps at L4 by definition**, shown as `level_cap_reason = "L5 integration … N/A"`. A stateless
-app whose functional tests pass but which cannot be backed up is honestly capped at **L2** (`"L3
-backup/restore … N/A"`) rather than shown as L4 — understating is safe; overstating is forbidden.
+Each rung has one of FOUR statuses, and the level is:

-Worked examples (real runs):
- `uptime-kuma` — install+upgrade+backup+restore+functional all pass, no SSO surface → **L4**
-  (`cap = "L5 integration (SSO/OIDC + cross-app) N/A"`).
- `custom-html-tiny` — stateless, not backup-capable: install+upgrade pass, backup/restore N/A →
-  **L2** (`cap = "L3 backup/restore (data integrity) N/A"`).
+    level = the highest rung that PASSED, where every rung below it is "pass" or an intentional skip
+
+- **pass / fail** — the rung was exercised. A FAIL blocks: no rung above it counts, however green.
+- **skip (intentional)** — the rung *genuinely does not apply*, from a declared or structural fact:
+  not backup-capable (declared), only one published version (no upgrade target), or a declared
+  `EXPECTED_NA`. Intentional skips are **climbed past** — a stateless recipe with passing
+  functional tests and a clean lint reaches **L5**, not the old "capped at 2".
+- **unver (unverified)** — the rung *should* have run but didn't: infra error, missing tool,
+  harness exception, prior-stage abort, timeout. **The level cannot rise above an unverified
+  rung** — it blocks exactly like a fail (we never claim what we didn't check). Anything
+  unclassifiable defaults to unver (conservative).
+
+There is **no capping concept** (no `cap_reason`, no `capped`): the per-rung table
+(✔ / ✘ / intentional-skip / unverified) on the card and in `results.json.rungs` is the sole
+carrier of "why isn't this level higher". Worked examples:
+
+- install ✔, upgrade ✘, backup ✔, functional ✔, lint ✔ → **level 1** (fail blocks).
+- install ✔, upgrade ✔, backup skip (not capable), functional ✔, lint ✔ → **level 5**.
+- install ✔, upgrade ✔, backup unver (harness error), functional ✔, lint ✔ → **level 2**.
+- all four ✔, lint unver (abra missing) → **level 4** (an unverified top rung isn't earned).
+
+Integration (SSO/OIDC + cross-app) and recipe-local tests are **optional capabilities**, not
+rungs — they never affect the level (SSO remains enforced for the run VERDICT).

 ### How tiers map to rungs (the translation layer)

 `run_recipe_ci.py` holds the run's per-tier results (`install/upgrade/backup/restore/custom`) +
-deps/SSO signals; `runner/harness/results.py::derive_rungs` maps them to the rung-status dict that
-`runner/harness/level.py::compute_level` scores. The mapping (also in `DECISIONS.md`, Phase 3):
+structural signals; `runner/harness/results.py::derive_rungs` maps them to the rung-status dict
+that `runner/harness/level.py::compute_level` scores. The full intentional-vs-unintentional
+classification table for every N/A source is in `machine-docs/DECISIONS.md` (phase lvl5). Summary:

- **install** ← install tier (pass/fail).
- **upgrade** ← upgrade tier; `skip` → **na** (only one published version).
+- **install** ← install tier (pass/fail; a non-run is unver — install always applies).
+- **upgrade** ← upgrade tier; tier skipped with no upgrade target (single published version,
+  structural) → skip; declared `EXPECTED_NA` → skip; otherwise unver.
 - **backup_restore** ← backup AND restore tiers both pass → pass; either fail → fail; not
-  backup-capable → **na**.
- **functional** ← the custom tier minus its SSO tests; a custom failure conservatively fails this
-  rung (we don't split functional-vs-SSO failure → never inflate); no custom tests → **na**.
- **integration** ← applies only if the recipe declares deps; pass iff deps wired and SSO verified and
-  custom didn't fail; recipes with no declared deps → **na** (the "caps at L4" rule).
- **recipe_local** ← the recipe repo's own `tests/` (discovery source `repo-local`) ran and passed;
-  none present → **na**.
-
-The pure scorer is exhaustively unit-tested + fuzz-verified (all 729 rung combinations: level ==
-count of leading consecutive passes, zero inflation).
+  backup-capable (structural/declared) → skip; unverified-while-capable → unver.
+- **functional** ← the custom tier; a custom failure conservatively fails this rung; no custom
+  tests is a coverage GAP → unver, unless declared `EXPECTED_NA["functional"]` → skip.
+- **lint** ← the lint executor (`runner/harness/lint.py`): `abra recipe lint` on a pristine
+  scratch clone of the run's recipe tree at the exact tested sha, 60s hard budget, full output in
+  the run artifact `lint.txt`. pass/fail only — when lint can't run the rung is **unver** (never
+  a silent pass, never an intentional skip). Lint never changes the run verdict.

 ### Invariant flags (shown, not climbed)

@ -77,19 +84,29 @@ build number, or the run's unique app domain for a hand-run). Schema:

 ```json
 {
-  "schema": 1, "run_id": "...", "recipe": "...", "version": "...", "pr": "...", "ref": "...",
+  "schema": 2, "run_id": "...", "recipe": "...", "version": "...", "pr": "...", "ref": "...",
  "finished": 0.0,
-  "level": 4, "level_cap_reason": "L5 integration (SSO/OIDC + cross-app) N/A",
-  "rungs": {"install":"pass","upgrade":"pass","backup_restore":"pass","functional":"pass",
-            "integration":"na","recipe_local":"na"},
+  "level": 5,
+  "rungs": {"install":"pass","upgrade":"pass","backup_restore":"skip","functional":"pass",
+            "lint":"pass"},
+  "lint": {"status":"pass","detail":"","rules_failed":[]},
+  "skips": {"intentional": {"backup_restore": "not backup-capable (no backupbot labels / declared)"},
+            "unintentional": []},
  "stages": [{"name":"install","status":"pass",
              "tests":[{"name":"test_serving","status":"pass","ms":168,"source":"generic"}]}],
-  "results": {"install":"pass","upgrade":"pass","backup":"pass","restore":"pass","custom":"pass"},
+  "results": {"install":"pass","upgrade":"pass","backup":"skip","restore":"skip","custom":"pass"},
  "flags": {"clean_teardown": true, "no_secret_leak": true},
  "screenshot": "screenshot.png", "summary_card": "summary.png"
 }
 ```

+`rungs` carries the four-status vocabulary above; `skips.intentional` maps each intentionally
+skipped rung to its (declared or structural) reason and `skips.unintentional` lists the
+unverified rungs. `lint` carries the L5 rung outcome + failing rule ids; the full
+`abra recipe lint` output is served at `/runs/<run_id>/lint.txt`. Pre-lvl5 artifacts
+(`"schema": 1`, 4-rung ladder, `level_cap_reason`/`level_cap_rung` present, `"na"` statuses)
+are still rendered as-is by the dashboard/card — their stored level is never recomputed.
+
 Assembly is **best-effort**: a failure to build/write `results.json` is logged but never changes the
 run's exit code (cosmetics never block the pipeline, R7).

--- a/docs/testing.md
+++ b/docs/testing.md
@ -16,12 +16,13 @@ year from now, this is the one rule that should still hold.
  ship as the floor for every recipe. No SSO provider, no external deps, no per-recipe state
  scaffolding — just "does this recipe deploy and lifecycle work?"
 - **Generic must not depend on custom.** A custom test or a custom-tests setup (e.g. SSO/OIDC dep
-  provisioning) **can never be a precondition for the generic tier to pass.** Concretely: the
-  orchestrator runs all generic tiers (install → upgrade → backup → restore) against the recipe
-  **alone, with no deps deployed**, then runs the `setup_custom_tests` step (deps + post-deps
-  wiring) only after — and a failure there is **isolated** to the custom tier (tests tagged
-  `@pytest.mark.requires_deps` skip with reason `"deps-not-ready"`; generic tier reports
-  normally). See `cc-ci-plan/plan-sso-dep-testing.md` for the SSO-dep specifics.
+  provisioning) **can never be a precondition for the generic tier to pass.** Concretely: deps are
+  provisioned BEFORE the single deploy (so `install_steps.sh` can wire OIDC env into that one
+  deploy), but a dep-provisioning failure is **isolated** to the custom tier — the recipe still
+  deploys alone, every generic tier (install → upgrade → backup → restore) runs normally, and
+  tests tagged `@pytest.mark.requires_deps` skip with reason `"deps-not-ready"` (a counted,
+  reported skip — F2-11). A deps failure can never fail or block a generic tier. See
+  `cc-ci-plan/plan-sso-dep-testing.md` for the SSO-dep specifics.
 - **Custom tests are the thoroughness layer — and they cost more to maintain.** They're more
  thorough (authenticated APIs, multi-app flows, version-specific browser selectors, helper
  scripts, state-management) and *therefore* take more maintenance: an SSO provider's admin API
@ -113,9 +114,11 @@ repo-local  <recipe-repo>/tests/test_<op>.py     (upstream-authoritative; gated
 Only ONE overlay source wins for a given op (repo-local > cc-ci); the generic floor runs **in
 addition** unless explicitly opted out.

-**Custom (non-lifecycle) `test_*.py`** — any other `test_*.py` (e.g. `test_sso.py`) is **opt-in and
-additive**: it has no generic equivalent and runs only when present, discovered from both locations
-(repo-local gated by the HC2 allowlist).
+**Custom (non-lifecycle) tests** — e.g. `functional/test_sso.py` — are **opt-in and additive**:
+they have no generic equivalent and run only when present, discovered from both locations
+(repo-local gated by the HC2 allowlist). Placement rule: custom tests live ONLY under
+`functional/` or `playwright/`; a top-level `test_*.py` is a lifecycle overlay and nothing else
+(top-level non-lifecycle files are not discovered).

 ### Pre-op seed hooks (per-recipe `ops.py`)

@ -127,35 +130,38 @@ etc.). Since the orchestrator owns the op, overlays place their seed in an optio
 # tests/<recipe>/ops.py
 from harness import lifecycle

-def pre_upgrade(domain, meta):
+def pre_upgrade(ctx):
    # seed a marker before the harness performs the upgrade
-    lifecycle.exec_in_app(domain, ["sh", "-c", "echo upgrade-survives > /path/marker"])
+    lifecycle.exec_in_app(ctx.domain, ["sh", "-c", "echo upgrade-survives > /path/marker"])

-def pre_backup(domain, meta):
+def pre_backup(ctx):
    # establish a known "original" state before the backup op captures it
-    lifecycle.exec_in_app(domain, ["sh", "-c", "echo original > /path/marker"])
+    lifecycle.exec_in_app(ctx.domain, ["sh", "-c", "echo original > /path/marker"])

-def pre_restore(domain, meta):
+def pre_restore(ctx):
    # diverge from the backed-up state so a successful restore is observable
-    lifecycle.exec_in_app(domain, ["sh", "-c", "echo mutated > /path/marker"])
+    lifecycle.exec_in_app(ctx.domain, ["sh", "-c", "echo mutated > /path/marker"])
 ```

 The orchestrator imports `ops.py` in-process (with the recipe dir on `sys.path`, so it can import
-sibling helpers like `kc_admin.py`) and calls `pre_<op>(domain, meta)` immediately before performing
-the op. Then `test_<op>.py` asserts the post-op state. See `tests/custom-html/` (volume marker),
+sibling helpers like `kc_admin.py`) and calls `pre_<op>(ctx)` immediately before performing the
+op — `ctx` is the uniform `HookCtx` every recipe hook receives (`.domain`, `.base_url`, `.meta`,
+`.deps`, `.op` — `docs/recipe-customization.md` §4.1). Then `test_<op>.py` asserts the post-op
+state. See `tests/custom-html/` (volume marker),
 `tests/keycloak/` (admin-API/realm), `tests/matrix-synapse/`, `tests/lasuite-docs/` (psql in the `db`
 service) for worked examples.

-### Opting out of the generic floor
+### Opting out of the generic floor (LOCAL-DEV-ONLY)

-The generic runs additively by default. To skip it (e.g. when an overlay's recipe-specific check
-fully replaces the generic's mechanism check) set, in increasing specificity:
+The generic runs additively by default and there is **no declarative opt-out** — no recipe can
+ship without the floor. For local iteration only (e.g. re-running one tier while developing an
+overlay), two env escape hatches exist:

 - **env `CCCI_SKIP_GENERIC=1`** — skip generic for ALL ops (run-wide).
 - **env `CCCI_SKIP_GENERIC_<OP>=1`** — e.g. `CCCI_SKIP_GENERIC_UPGRADE=1` — skip generic for that one op.
- **declarative in `recipe_meta.py`** — `SKIP_GENERIC = ["upgrade"]` (per-op) or `SKIP_GENERIC = ["all"]`.

-Opting out is per-recipe and visible in git — not a hidden global. Truthy = `1`/`true`/`yes`/`on`.
+Truthy = `1`/`true`/`yes`/`on`. If either is active in a CI (drone) run, the run prints a loud
+`!!` warning and the customization manifest records it (`docs/recipe-customization.md` §7).

 ## Repo-local trust gate (HC2) — default-deny

@ -215,12 +221,14 @@ installs and stays 1.
   `tests/custom-html/test_upgrade.py`). Assert the POST-op state — reading app state through
   `lifecycle.exec_in_app` (volume/DB) for data checks, not HTTP. Generic + your overlay both run.
 3. If the overlay needs to seed PRE-op state (data-continuity markers, the backup→restore
-   divergence), drop `tests/<recipe>/ops.py` with `pre_upgrade/pre_backup/pre_restore(domain, meta)`.
+   divergence), drop `tests/<recipe>/ops.py` with `pre_upgrade/pre_backup/pre_restore(ctx)`.
 4. If the recipe needs install-time setup, add `tests/<recipe>/install_steps.sh`.
-5. Set per-recipe knobs (health path, timeouts, opt-out) in `recipe_meta.py`.
+5. Set per-recipe knobs (health path, timeouts) in `recipe_meta.py`.
 6. **Never weaken or skip an assertion to make a run pass** — a red tier is information.

-Per-recipe config (`tests/<recipe>/recipe_meta.py`, all optional):
+Per-recipe config (`tests/<recipe>/recipe_meta.py`, all optional — the COMPLETE key reference is
+the generated table in `docs/recipe-customization.md` §4; unknown keys are hard errors, private
+constants are underscore-prefixed):

 ```python
 HEALTH_PATH = "/realms/master"   # path that returns a healthy status (default "/")
@ -228,8 +236,7 @@ HEALTH_OK = (200,)               # acceptable status codes (default 200/301/302)
 DEPLOY_TIMEOUT = 600             # seconds for services to converge (default 600)
 HTTP_TIMEOUT = 600               # seconds for the app to answer (default 300)
 BACKUP_CAPABLE = True            # override backup-capability auto-detection (default: scan compose)
-EXTRA_ENV = {"KEY": "value"}     # or EXTRA_ENV(domain) -> dict; extra .env keys set at deploy
-SKIP_GENERIC = ["upgrade"]       # per-recipe declarative opt-out from generic ops ("all" = every op)
+EXTRA_ENV = {"KEY": "value"}     # or EXTRA_ENV(ctx) -> dict; extra .env keys set at deploy
 ```

 The harness self-tests for discovery / precedence / the HC2 allowlist live in `tests/unit/` (run:
--- a/flake.nix
+++ b/flake.nix
@ -31,34 +31,36 @@
      ];
    in
    {
-      # Canonical live host target: the Hetzner cc-ci server.
-      # Use `.#cc-ci` for the current production host.
-      nixosConfigurations.cc-ci = nixpkgs.lib.nixosSystem {
-        inherit system;
-        modules = [
-          sops-nix.nixosModules.sops
-          ./nix/hosts/cc-ci-hetzner/configuration.nix
-        ];
-      };
+      nixosConfigurations = {
+        # Canonical live host target: the Hetzner cc-ci server.
+        # Use `.#cc-ci` for the current production host.
+        cc-ci = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
+            sops-nix.nixosModules.sops
+            ./nix/hosts/cc-ci-hetzner/configuration.nix
+          ];
+        };

-      # Legacy Incus VM host definition retained only for historical comparison and fallback.
-      # Do NOT use this target on the live Hetzner server.
-      nixosConfigurations.cc-ci-incus = nixpkgs.lib.nixosSystem {
-        inherit system;
-        modules = [
-          sops-nix.nixosModules.sops
-          ./nix/hosts/cc-ci/configuration.nix
-        ];
-      };
+        # Legacy Incus VM host definition retained only for historical comparison and fallback.
+        # Do NOT use this target on the live Hetzner server.
+        cc-ci-incus = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
+            sops-nix.nixosModules.sops
+            ./nix/hosts/cc-ci/configuration.nix
+          ];
+        };

-      # Explicit alias for the live Hetzner host. Kept alongside `cc-ci` so the intended host target
-      # remains obvious in recovery/migration workflows.
-      nixosConfigurations.cc-ci-hetzner = nixpkgs.lib.nixosSystem {
-        inherit system;
-        modules = [
-          sops-nix.nixosModules.sops
-          ./nix/hosts/cc-ci-hetzner/configuration.nix
-        ];
+        # Explicit alias for the live Hetzner host. Kept alongside `cc-ci` so the intended host
+        # target remains obvious in recovery/migration workflows.
+        cc-ci-hetzner = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
+            sops-nix.nixosModules.sops
+            ./nix/hosts/cc-ci-hetzner/configuration.nix
+          ];
+        };
      };

      devShells.${system} = {
--- a/machine-docs/DECISIONS.md
+++ b/machine-docs/DECISIONS.md
@ -1283,3 +1283,73 @@ the commit), which is the correct SCM integration.
  environment; job is session-persistent (survives as long as Builder session runs). T0-refire
  verified: CronCreate test fire at 23:17Z → upgrader started, upgrader-cron.log created, status
  RUNNING. (2026-06-01)
+
+## conc P3 (2026-06-10, Builder): install_steps.sh hooks resolve $ABRA_DIR — guardrail note
+
+P3 makes recipe working trees per-run ($ABRA_DIR/recipes). tests/{ghost,discourse}/install_steps.sh
+hard-coded `${HOME}/.abra/recipes/...` to copy their compose.ccci.yml overlay into the deploy tree;
+under per-run trees that path is the WRONG (canonical) tree, so the overlay would silently miss the
+deploy and both recipes' upgrade-tier base deploys would break. Fixed with ONE mechanical line per
+hook: `RECIPE_DIR="${ABRA_DIR:-${HOME}/.abra}/recipes/${CCCI_RECIPE}"` (identical resolution rule to
+the abra CLI and abra.recipe_dir()). No test assertion, gate, or overlay content was touched — the
+phase guardrail's "never touch tests/<recipe>/ content" is read as protecting test/gate SEMANTICS;
+this is required P3 fallout, equivalent to the harness-side path routing. Flagged here for the
+Adversary's gate-integrity review.
+
+## Phase lvl5 — L5 lint rung + level semantics de-cap (SETTLED 2026-06-11, operator-specified)
+
+**The level formula (replaces the Phase-3 "N/A caps" stance).** Operator decision 2026-06-11
+(explicit Q&A, recorded verbatim in plan-phase-lvl5-lint-rung.md): with per-rung statuses
+{pass, fail, skip (intentional), unver (unintentional/not-verified)}:
+
+    level = max i such that rung_i == "pass" and all j < i have status in {"pass","skip"}; else 0.
+
+A real FAIL blocks. An INTENTIONAL skip (the rung genuinely does not apply, from a declared or
+structural fact) is climbed past — this is the de-cap: a non-backup-capable recipe is no longer
+stuck at L2. An UNVERIFIED rung (should have run, wasn't checked) blocks exactly like a fail —
+this preserves the honest core of the old N/A-caps rule: never claim what wasn't checked. The
+words cap/capped/cap_reason are deleted from code, schema (results.json schema 2), card,
+dashboard, badge and docs; the per-rung table (✔/✘/intentional-skip/unverified) is the SOLE
+carrier of "why isn't the level higher". The big level badges (card corner, dashboard pill,
+/badge/<recipe>.svg) show ONLY number + colour (operator-specified). Old schema-1 artifacts are
+rendered as-is (their stored level, their 4-rung ladder) — no retroactive relabeling.
+
+**The ladder is now five rungs:** install(1) upgrade(2) backup_restore(3) functional(4)
+**lint(5) = `abra recipe lint` passes against the exact ref under test** (PR head on PR builds).
+Lint is a LEVEL RUNG, not a run gate: no lint outcome ever changes the run verdict.
+
+**N/A classification table (derive_rungs, results.py — every N/A source, Adversary-reviewed).
+Default for anything unclassifiable: UNVER (conservative).**
+
+| rung | source of non-pass/fail | class | status |
+|---|---|---|---|
+| install | tier skipped / missing (any reason — install always applies) | unintentional | unver |
+| upgrade | tier skipped by orchestrator AND no upgrade target (`prev is None`: only one published version — structural) | intentional | skip |
+| upgrade | declared `EXPECTED_NA["upgrade"]` (tier not pass/fail) | intentional | skip |
+| upgrade | tier skipped though a target exists (install failed → downstream abort), or tier missing (CCCI_STAGES dev escape) | unintentional | unver |
+| backup_restore | not backup-capable (no backupbot labels / `BACKUP_CAPABLE=False` — structural/declared) | intentional | skip |
+| backup_restore | declared `EXPECTED_NA["backup_restore"]` (tiers not pass/fail) | intentional | skip |
+| backup_restore | backup-capable but either tier did not produce pass/fail (abort, partial run) | unintentional | unver |
+| functional | declared `EXPECTED_NA["functional"]` (no custom tests / tier skipped) | intentional | skip |
+| functional | no custom tests / tier skipped, undeclared — absent functional coverage is a GAP, not a property | unintentional | unver |
+| lint | executor could not produce pass/fail (timeout, abra/script missing, env FATA, unparseable output) — NO escape hatch, `EXPECTED_NA["lint"]` is ignored | unintentional | unver |
+
+EXPECTED_NA never overrides an exercised rung: pass/fail always stand.
+
+**Lint executor mirror-context decision (plan-phase-lvl5 §2.3).** Probed on cc-ci 2026-06-11
+(JOURNAL-lvl5): (a) abra lint globs every `compose*.yml` in the recipe tree, so the CI's
+untracked install_steps overlays (e.g. compose.ccci.yml) FATA it — harness artifact; (b) abra
+lint force-fetches tags from `origin`, so a PR run's private-mirror origin (token never written
+to .git/config) FATAs "unable to fetch tags" — harness artifact; (c) `abra recipe lint` exits
+non-zero ONLY on FATA — rule verdicts live in its table (error-severity ❌ rows + a trailing
+"WARN critical errors present" sentinel, rc still 0). Decision: the executor (harness/lint.py)
+lints a PRISTINE SCRATCH CLONE of the per-run recipe tree checked out at the exact tested sha —
+origin becomes a local path (offline tag fetch, no auth) and the run's true tag set rides along
+(fetch_recipe already fetches the canonical upstream version tags into the per-run tree, so
+R014 evaluates the recipe's real tags). **No lint rule is filtered or ignored** — the
+plumbing pollution is solved by context, not by exemptions. Classifier: fail iff an
+error-severity rule is unsatisfied (or the FATA is content-attributable: "unable to validate
+recipe"); pass iff the table rendered clean; anything else unver + loud log. Hard 60s budget
+(observed ~0.7s); executor runs before the tiers (tree at tested ref), double-wrapped, R7
+verdict-neutral. Full output → run artifact `lint.txt` (dashboard-served); status + failing
+rule ids → results.json `lint`.
--- a/machine-docs/DEFERRED.md
+++ b/machine-docs/DEFERRED.md
@ -335,3 +335,28 @@ before the build is called done) — but does **not** force closure.
 - **Re-entry trigger:** Builder authors recipe-PR Q4.7b (cache tarball on a volume / wget
  retry+backoff / drop `2>/dev/null` / `set +e` w/ fallback), then runs plausible-full green + claims.
 - **Linked:** REVIEW-2 `e850281` (root-cause + DENY), `71af595` (§4.3 floor); DECISIONS 2026-05-30.
+- discourse upgrade-HC1 @7ae7b0f stamps prev-base tag commit (eb96de94+U) on BOTH old+new harness since ~06-10 (baseline 184 was L4 on 06-05); harness-neutral (rcust exonerated, M2-closed) but abra stamp-resolution mechanism UNATTRIBUTED — worth a standalone dig outside rcust. Evidence: /var/lib/cc-ci-runs/{m2p-discourse,ab-discourse-7ae7b0f-oldmain}, JOURNAL-rcust 2026-06-11.
+- bluesky-pds: UPSTREAM IMAGE BREAKAGE (non-rcust, M2-justified exclusion from baseline match).
+  The app container crash-loops `Error: Cannot find module '/app/index.js'` (MODULE_NOT_FOUND,
+  Node v24.15.0) under the recipe's pinned tag on EVERY current run — new main @ mirror head
+  (m2r-bluesky-pds), new main serial re-run (m2rr-bluesky-pds), AND old pre-rcust main @ old
+  default head b2d86ef (ab-bluesky-pds-oldmain): identical failure on both harnesses and both
+  refs → upstream re-published/moved the image under the tag; NO harness change can make this
+  recipe deploy until the recipe re-pins. Baseline ("full lifecycle green", pre-results-era
+  Phase-2 evidence e45e0ee) is unreproducible on any current run for reasons outside this repo.
+  Evidence: `grep -r MODULE_NOT_FOUND /var/lib/cc-ci-runs/{m2r,m2rr,ab}-bluesky-pds*/abra/logs/
+  default/`; REVIEW-rcust.md 2026-06-11 entries. Follow-up (post-phase): file/propose a re-pin PR
+  against the bluesky-pds recipe mirror.
+- mumble-web client never paints UI for an anonymous browser (phase-shot, 2026-06-11). The recipe's
+  pinned web client (rankenstein/mumble-web:0.5 via compose.mumbleweb.yml, served by websockify)
+  stays at its `loading-container` spinner ≥90s with NO console errors, NO failed asset/requests,
+  connect-dialog DOM elements absent, and no autoconnect overrides in config.local.js (defaults
+  untouched) — so the CI screenshot's best-available frame is the genuine loader view every visitor
+  gets. The voice server itself is fully exercised (protocol handshake/config tests pass; that is
+  mumble's actual function). A harness-side fix is impossible without changing what the recipe
+  deploys (guardrail: prefer upstream over cc-ci overlays). **Operator input needed:** whether to
+  pursue an upstream recipe issue/PR (newer mumble-web image or one that renders its connect dialog)
+  — until then the dashboard shows the loader frame as the recipe's web-surface reality.
+  Evidence: /tmp/mumble-probe{2,3,4}.out + /tmp/mumble-orch{4,5}.log on cc-ci (90s DOM/console/
+  network observation; websockify reachable, /ws & /websocket 404 from websockify itself);
+  /var/lib/cc-ci-runs/shot-proof-mumble/screenshot.png (L4 run, loader frame).
--- a/nix/hosts/cc-ci-hetzner/configuration.nix
+++ b/nix/hosts/cc-ci-hetzner/configuration.nix
@ -7,7 +7,7 @@
 #   git clone --recursive https://git.autonomic.zone/recipe-maintainers/cc-ci.git /etc/cc-ci
 #   install -m600 <age-private-key> /var/lib/sops-nix/key.txt
 #   nixos-rebuild switch --flake /etc/cc-ci#cc-ci-hetzner
-{ pkgs, lib, ... }:
+{ pkgs, ... }:
 {
  imports = [
    ./hardware.nix
--- a/nix/hosts/cc-ci-hetzner/hardware.nix
+++ b/nix/hosts/cc-ci-hetzner/hardware.nix
@ -11,13 +11,17 @@
 {
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];

-  boot.loader = {
-    efi.efiSysMountPoint = "/boot/efi";
-    grub = {
-      efiSupport = true;
-      efiInstallAsRemovable = true;
-      device = "nodev";
+  boot = {
+    loader = {
+      efi.efiSysMountPoint = "/boot/efi";
+      grub = {
+        efiSupport = true;
+        efiInstallAsRemovable = true;
+        device = "nodev";
+      };
    };
+    initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+    initrd.kernelModules = [ "nvme" ];
  };

  fileSystems."/boot/efi" = {
@ -25,9 +29,6 @@
    fsType = "vfat";
  };

-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
-  boot.initrd.kernelModules = [ "nvme" ];
-
  fileSystems."/" = {
    device = "/dev/sda1";
    fsType = "ext4";
--- a/nix/modules/drone-runner.nix
+++ b/nix/modules/drone-runner.nix
@ -8,14 +8,19 @@
 { pkgs, config, lib, ... }:
 let
  # MAX_TESTS (plan §4.2/§4.3 resource safety): max CI builds the exec runner runs at once. Drone
-  # queues the rest in its native pending-build queue (no custom queue). THE concurrency cap that
-  # bounds how many test apps can be live at once — kept LOW (1) on this single 28GiB node since
-  # recipes are heavy (immich/matrix large volumes). With capacity=1 there is never a concurrent
-  # in-flight run, so the run-start janitor can safely reap *any* orphan (a SIGKILL'd build runs no
-  # teardown) and the "at most MAX_TESTS apps live" bound holds exactly. Raise to 2 only if the node
-  # is shown to handle two light recipes at once (then the janitor MUST stay age-based to avoid
-  # reaping a concurrent run — see DECISIONS.md "Resource safety").
-  maxTests = "1";
+  # queues the rest in its native pending-build queue (no custom queue). THE SINGLE concurrency
+  # knob — nothing else caps recipe-ci parallelism (the .drone.yml concurrency.limit was removed:
+  # one knob, one place). Bounds how many test apps can be live at once.
+  #
+  # Raised to 2 (operator request 2026-06-09) so two recipes can be tested in parallel (e.g. immich
+  # and plausible under active development at once). Verified safe on the current node (Hetzner cpx22,
+  # ~7.6 GiB / 4 vCPU — NOTE: smaller than the original 28 GiB this was written for): a full immich CI
+  # stack measured ~1 GiB (server+ML+pg+redis) with multiple GiB free, so two concurrent recipes fit.
+  # Concurrent-run safety is the harness's job at ANY capacity (docs/concurrency.md): per-run
+  # ABRA_DIR recipe trees, per-app-domain flocks, and a flock-probe janitor that reaps a crashed
+  # build's orphan immediately (held lock = live run, never touched). Revert to "1" if OOM /
+  # disk-I/O contention is observed under load.
+  maxTests = "2";
 in
 {
  # Drone ships under the Polyform Small Business license (nixpkgs marks it unfree);
--- a/nix/modules/nightly-sweep.nix
+++ b/nix/modules/nightly-sweep.nix
@ -29,7 +29,7 @@ in
    serviceConfig = {
      Type = "oneshot";
      # A full sweep across several recipes (each a cold deploy/test/teardown) is long; bound it.
-      TimeoutStartSec = "21600";  # 6h ceiling
+      TimeoutStartSec = "21600"; # 6h ceiling
      ExecStart = "${sweep}/bin/cc-ci-nightly-sweep";
    };
  };
@ -39,7 +39,7 @@ in
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "*-*-* 03:00:00";
-      Persistent = true;   # catch up a missed nightly after downtime
+      Persistent = true; # catch up a missed nightly after downtime
      RandomizedDelaySec = "600";
    };
  };
--- a/runner/harness/abra.py
+++ b/runner/harness/abra.py
@ -10,6 +10,7 @@ Bakes in the known abra gotchas (re-verify per installed abra version, currently
 from __future__ import annotations

 import json
+import os
 import subprocess

 ABRA = "abra"
@ -19,6 +20,20 @@ class AbraError(RuntimeError):
    pass


+def abra_dir() -> str:
+    """abra's state dir, resolved the same way the abra CLI resolves it: $ABRA_DIR if set, else
+    ~/.abra. Inside a CI run, run_recipe_ci exports a PER-RUN $ABRA_DIR (fresh recipes/, shared
+    servers/+catalogue/ symlinks) before any abra call, so every helper here and every abra
+    subprocess agree on the same tree; outside a run (warm_reconcile's systemd timer, manual use)
+    both fall back to the canonical /root/.abra."""
+    return os.environ.get("ABRA_DIR") or os.path.expanduser("~/.abra")
+
+
+def recipe_dir(recipe: str) -> str:
+    """The current ABRA_DIR's working tree for a recipe (per-run inside a CI run)."""
+    return os.path.join(abra_dir(), "recipes", recipe)
+
+
 def _run_pty(
    args: list[str], timeout: int = 900, check: bool = True
 ) -> subprocess.CompletedProcess:
@ -77,9 +92,7 @@ def recipe_checkout(recipe: str, version: str) -> None:
    a chaos (`-C`) deploy ignores ENV VERSION and uses the current checkout — together that silently
    deployed LATEST for a 'previous-version' base, making the upgrade a no-op (Adversary F1d-2). With
    this checkout + a non-chaos deploy, a pinned deploy genuinely deploys that version."""
-    import os
-
-    path = os.path.expanduser(f"~/.abra/recipes/{recipe}")
+    path = recipe_dir(recipe)
    # -f (force): the version-pinning checkout must yield the EXACT ref tree. Without it, a cc-ci
    # install_steps-provided overlay (e.g. discourse's compose.ccci.yml, copied into the pinned base)
    # is an UNTRACKED file that collides with the same path TRACKED in a later ref, and
@ -100,9 +113,7 @@ def has_lightweight_version_tags(recipe: str) -> bool:
    'reference not found'.) The caller (deploy_app) uses this to fall back to a chaos base deploy
    (which skips lint and deploys the explicitly-checked-out pinned version — see lifecycle.deploy_app).
    Read-only: just `git tag` + `cat-file -t`; no fetch/mutation, so it can't trigger abra's revert."""
-    import os
-
-    path = os.path.expanduser(f"~/.abra/recipes/{recipe}")
+    path = recipe_dir(recipe)
    tags = subprocess.run(
        ["git", "-C", path, "tag", "-l"], capture_output=True, text=True
    ).stdout.split()
@ -168,7 +179,9 @@ def secret_generate(domain: str, timeout: int = 300) -> None:
    )


-def deploy(domain: str, chaos: bool = True, timeout: int = 900, no_converge_checks: bool = False) -> None:
+def deploy(
+    domain: str, chaos: bool = True, timeout: int = 900, no_converge_checks: bool = False
+) -> None:
    args = ["app", "deploy", domain, "-o", "-n"]
    if chaos:
        args.append("-C")
@ -203,7 +216,10 @@ def backup_create(domain: str, timeout: int = 900) -> str:
    # remote and fails "authentication required: Unauthorized". Returns the captured output, whose
    # restic JSON summary line carries the produced "snapshot_id" (the backup artifact, DG3) — note
    # `abra app backup snapshots` needs a TTY and is awkward to script, so we read the create output.
-    out = _run_pty(["app", "backup", "create", domain, "-n", "-C", "-o"], timeout=timeout).stdout or ""
+    out = (
+        _run_pty(["app", "backup", "create", domain, "-n", "-C", "-o"], timeout=timeout).stdout
+        or ""
+    )
    # Echo the backup output (incl. backupbot's pre-hook run / any "Failed to run command" or
    # "Container ... not running" ERROR) into the run log. Backup is otherwise opaque: a pre-hook that
    # fails to register/run leaves the DB dump out of the snapshot, surfacing only as a downstream
@ -226,9 +242,7 @@ def recipe_head_commit(recipe: str) -> str | None:
    """The current HEAD commit of the recipe checkout — captured right after fetch (the PR head, or
    the catalogue current) so the upgrade tier can re-checkout it for the chaos redeploy after the
    prev-tag base deploy reset the working tree (HC1)."""
-    import os
-
-    path = os.path.expanduser(f"~/.abra/recipes/{recipe}")
+    path = recipe_dir(recipe)
    proc = subprocess.run(["git", "-C", path, "rev-parse", "HEAD"], capture_output=True, text=True)
    out = proc.stdout.strip()
    return out or None
@ -236,10 +250,7 @@ def recipe_head_commit(recipe: str) -> str | None:

 def recipe_versions(recipe: str) -> list[str]:
    """Published versions of a recipe, oldest→newest (from the recipe git tags)."""
-    import os
-    import subprocess
-
-    path = os.path.expanduser(f"~/.abra/recipes/{recipe}")
+    path = recipe_dir(recipe)
    proc = subprocess.run(
        ["git", "-C", path, "tag", "--sort=creatordate"], capture_output=True, text=True
    )
--- a/runner/harness/browser.py
+++ b/runner/harness/browser.py
@ -13,8 +13,15 @@ from __future__ import annotations
 import time


-def goto_with_retry(page, url, *, deadline_seconds: int = 120, accept_statuses=(200, 304),
-                    goto_timeout_ms: int = 30_000, wait_until: str = "domcontentloaded"):
+def goto_with_retry(
+    page,
+    url,
+    *,
+    deadline_seconds: int = 120,
+    accept_statuses=(200, 304),
+    goto_timeout_ms: int = 30_000,
+    wait_until: str = "domcontentloaded",
+):
    """Poll `page.goto(url)` until status is in `accept_statuses` OR the deadline expires.

    Returns the final Playwright response. Raises AssertionError if the deadline expires without
--- a/runner/harness/canonical.py
+++ b/runner/harness/canonical.py
@ -30,17 +30,13 @@ import subprocess
 import time

 from . import abra, warm, warmsnap
+from . import meta as meta_mod


 def is_enrolled(recipe: str) -> bool:
-    """True if `tests/<recipe>/recipe_meta.py` sets `WARM_CANONICAL = True`. Missing meta → False."""
-    path = os.path.join(os.path.dirname(__file__), "..", "..", "tests", recipe, "recipe_meta.py")
-    if not os.path.exists(path):
-        return False
-    ns: dict = {}
-    with open(path) as fh:
-        exec(compile(fh.read(), path, "exec"), ns)  # noqa: S102 (trusted, in-repo)
-    return bool(ns.get("WARM_CANONICAL"))
+    """True if `tests/<recipe>/recipe_meta.py` sets `WARM_CANONICAL = True`. Missing meta → False.
+    Reads through the single meta loader (rcust P1 — no per-module exec)."""
+    return bool(meta_mod.load(recipe).WARM_CANONICAL)


 def canonical_domain(recipe: str) -> str:
@ -51,11 +47,13 @@ def canonical_domain(recipe: str) -> str:
 def enrolled_recipes() -> list[str]:
    """All recipes enrolled as data-warm canonicals (recipe_meta.WARM_CANONICAL=True), sorted. Used
    by the WC6 nightly sweep to know which canonicals to refresh via a green cold run on latest."""
-    tests_dir = os.path.join(os.path.dirname(__file__), "..", "..", "tests")
+    tests_dir = meta_mod.TESTS_DIR
    out = []
    try:
        for name in sorted(os.listdir(tests_dir)):
-            if os.path.isfile(os.path.join(tests_dir, name, "recipe_meta.py")) and is_enrolled(name):
+            if os.path.isfile(os.path.join(tests_dir, name, "recipe_meta.py")) and is_enrolled(
+                name
+            ):
                out.append(name)
    except OSError:
        pass
@ -122,11 +120,15 @@ def deploy_canonical(recipe: str, timeout: int = 900) -> None:
    abra.recipe_checkout(recipe, version)
    r = subprocess.run(
        ["abra", "app", "deploy", domain, version, "-o", "-n", "-f"],
-        capture_output=True, text=True, timeout=timeout,
+        capture_output=True,
+        text=True,
+        timeout=timeout,
    )
    if r.returncode != 0:
-        raise RuntimeError(f"deploy canonical {domain} {version} failed: "
-                           f"{(r.stderr + ' ' + r.stdout).strip()[:300]}")
+        raise RuntimeError(
+            f"deploy canonical {domain} {version} failed: "
+            f"{(r.stderr + ' ' + r.stdout).strip()[:300]}"
+        )
    _set_status(recipe, "warm")


--- a/runner/harness/card.py
+++ b/runner/harness/card.py
@ -21,23 +21,24 @@ from __future__ import annotations
 import html
 import os

-# Level → colour ramp (YunoHost-ish): red at the floor, climbing to green at the top.
+# Level → colour ramp (YunoHost-ish): red at the floor, climbing to green at the top (L5 = full
+# clean climb incl. lint — phase lvl5).
 LEVEL_COLOR = {
    0: "#e5534b",  # red — install failed
    1: "#e0823d",  # orange
    2: "#e0823d",
    3: "#d9b343",  # amber
-    4: "#a0b93f",  # yellow-green
-    5: "#57ab5a",  # green
-    6: "#3fb950",  # bright green — full climb
+    4: "#a0b93f",  # yellow-green — above functional, lint not earned
+    5: "#3fb950",  # bright green — full climb (lint passed)
 }
-STATUS_MARK = {"pass": "✔", "fail": "✘", "skip": "–", "error": "✘", "na": "–"}
+STATUS_MARK = {"pass": "✔", "fail": "✘", "skip": "–", "error": "✘", "na": "–", "unver": "⊘"}
 STATUS_COLOR = {
    "pass": "#3fb950",
    "fail": "#f85149",
    "error": "#f85149",
    "skip": "#8b949e",
    "na": "#8b949e",
+    "unver": "#d29922",  # amber — exercised? no: should have run and wasn't verified
 }


@ -79,44 +80,15 @@ def render_badge_svg(label: str, message: str, color: str) -> str:
    )


-# Third-segment colours for the level badge: amber = an UNINTENTIONAL skip (a rung skipped but not
-# in the recipe's intentional list — likely missing coverage) capped the climb; muted = an
-# INTENTIONAL skip (declared in recipe_meta.EXPECTED_NA — nothing to fix). Font-safe text labels
-# (no emoji) so the SVG renders anywhere.
+# Amber for UNVERIFIED rung rows in the table (a rung that should have run and wasn't checked).
 GAP_COLOR = "#d29922"
-EXPECT_COLOR = "#6e7681"


-def level_badge_svg(level: int, cap_reason: str = "", cap_skip: str = "") -> str:
-    """Per-recipe/-run LEVEL badge: 'cc-ci | level N' coloured by level (R6), with a THIRD segment
-    that differentiates *why* the climb stopped when a SKIP capped it (`cap_skip`):
-      - "unintentional" (a rung skipped but not in the recipe's intentional list): amber 'gap?'.
-      - "intentional"   (a skip declared in recipe_meta.EXPECTED_NA): muted 'expected'.
-      - "" (clean cap / full climb / a real failure): no third segment (the level + card carry it).
-    The badge never inflates — it only annotates the cap the level already reflects."""
-    label, msg = "cc-ci", f"level {int(level)}"
-    lw, mw = _text_width(label), _text_width(msg)
-    third: tuple[str, str] | None = None
-    if cap_skip == "unintentional":
-        third = ("gap?", GAP_COLOR)
-    elif cap_skip == "intentional":
-        third = ("expected", EXPECT_COLOR)
-    if third is None:
-        return render_badge_svg(label, msg, level_color(level))
-    txt, tcolor = third
-    tw = _text_width(txt)
-    w = lw + mw + tw
-    return (
-        f'<svg xmlns="http://www.w3.org/2000/svg" width="{w}" height="20" role="img" '
-        f'aria-label="{html.escape(label)}: {html.escape(msg)} ({html.escape(txt)})">'
-        f'<rect width="{lw}" height="20" fill="#555"/>'
-        f'<rect x="{lw}" width="{mw}" height="20" fill="{level_color(level)}"/>'
-        f'<rect x="{lw + mw}" width="{tw}" height="20" fill="{tcolor}"/>'
-        f'<g fill="#fff" font-family="Verdana,Geneva,sans-serif" font-size="11">'
-        f'<text x="6" y="14">{html.escape(label)}</text>'
-        f'<text x="{lw + 6}" y="14">{html.escape(msg)}</text>'
-        f'<text x="{lw + mw + 6}" y="14">{html.escape(txt)}</text></g></svg>'
-    )
+def level_badge_svg(level: int) -> str:
+    """Per-recipe/-run LEVEL badge: 'cc-ci | level N' coloured by level — NUMBER + COLOUR ONLY
+    (operator-specified, phase lvl5). 'Why isn't it higher' lives in the card's per-rung table,
+    never on the badge."""
+    return render_badge_svg("cc-ci", f"level {int(level)}", level_color(level))


 def _stage_rows(stages: list[dict]) -> str:
@ -141,37 +113,43 @@ def _stage_rows(stages: list[dict]) -> str:
    return "\n".join(rows) or '<tr><td colspan="3">no stages</td></tr>'


-# Friendly rung labels for the skip rows (the four essential rungs).
+# Friendly rung labels for the skip/unverified rows (the five essential rungs).
 RUNG_LABEL = {
    "install": "install",
    "upgrade": "upgrade",
    "backup_restore": "backup/restore",
    "functional": "functional",
+    "lint": "lint",
 }
-SKIP_GREEN = "#57ab5a"  # muted green — an intentional skip reads like a pass (but labelled, never inflating)
+SKIP_GREEN = (
+    "#57ab5a"  # muted green — an intentional skip reads like a pass (but labelled, never inflating)
+)


 def _skip_rows(skips: dict) -> str:
-    """Render SKIPPED rungs as stage-like rows. An intentional (declared) skip looks like a pass row
-    but its status says 'INTENTIONAL SKIP' (muted green) with the declared reason on the line below;
-    an unintentional skip is amber 'UNINTENTIONAL SKIP' with a prompt to add a test or declare it."""
+    """Render the non-run rungs as stage-like rows (phase lvl5 semantics). An INTENTIONAL skip
+    (declared/structural — the rung does not apply, the climb continues past it) is muted green
+    with its reason on the line below; an UNVERIFIED rung (should have run, wasn't checked — the
+    level cannot rise above it) is amber 'unverified'."""
    rows = []
    for rung, reason in (skips.get("intentional") or {}).items():
        rows.append(
            f'<tr class="stage"><td colspan="2"><span class="mark" style="color:{SKIP_GREEN}">⊘</span>'
-            f'<b>{html.escape(RUNG_LABEL.get(rung, rung))}</b></td>'
+            f"<b>{html.escape(RUNG_LABEL.get(rung, rung))}</b></td>"
            f'<td class="st" style="color:{SKIP_GREEN}">intentional skip</td></tr>'
        )
-        rows.append(f'<tr class="skipreason"><td></td><td colspan="2">{html.escape(reason)}</td></tr>')
+        rows.append(
+            f'<tr class="skipreason"><td></td><td colspan="2">{html.escape(reason)}</td></tr>'
+        )
    for rung in skips.get("unintentional") or []:
        rows.append(
            f'<tr class="stage"><td colspan="2"><span class="mark" style="color:{GAP_COLOR}">⊘</span>'
-            f'<b>{html.escape(RUNG_LABEL.get(rung, rung))}</b></td>'
-            f'<td class="st" style="color:{GAP_COLOR}">unintentional skip</td></tr>'
+            f"<b>{html.escape(RUNG_LABEL.get(rung, rung))}</b></td>"
+            f'<td class="st" style="color:{GAP_COLOR}">unverified</td></tr>'
        )
        rows.append(
-            '<tr class="skipreason"><td></td><td colspan="2">not declared in EXPECTED_NA — add the '
-            "missing test/label, or declare the skip with a reason</td></tr>"
+            '<tr class="skipreason"><td></td><td colspan="2">rung did not run / could not be '
+            "checked — the level cannot rise above an unverified rung</td></tr>"
        )
    return "\n".join(rows)

@ -180,13 +158,15 @@ def render_card_html(data: dict, screenshot_rel: str | None = "screenshot.png")
    """Build the summary-card HTML from a results.json dict. `screenshot_rel` is the relative path to
    the screenshot PNG (same dir as the card) — omitted from the card if None / absent.

-    The card shows exactly what the data says: recipe + version, the level badge + cap reason, the
-    per-stage/per-test ✔/✘ table, the invariant flags, and the app screenshot. No computation here."""
+    The card shows exactly what the data says: recipe + version, the level, the per-stage/per-test
+    ✔/✘ table (+ skip/unverified rung rows — the SOLE carrier of "why isn't the level higher"),
+    the invariant flags, and the app screenshot. No computation here. Tolerates old (schema-1)
+    artifacts: the ladder height is read off the rungs the artifact actually has."""
    recipe = html.escape(str(data.get("recipe", "?")))
    version = html.escape(str(data.get("version") or data.get("ref") or ""))
    level = int(data.get("level", 0))
-    cap_reason = str(data.get("level_cap_reason") or "")
-    cap = html.escape(cap_reason)
+    # Old (pre-lvl5) artifacts have a 4-rung ladder — render their "of N" honestly.
+    ladder_top = 5 if "lint" in (data.get("rungs") or {}) else 4
    sk = data.get("skips", {}) or {}
    color = level_color(level)
    flags = data.get("flags", {}) or {}
@ -217,7 +197,7 @@ body{{margin:0;font-family:system-ui,-apple-system,Segoe UI,sans-serif;backgroun
 .lvl .num{{display:inline-block;min-width:64px;padding:.3rem .7rem;border-radius:10px;
  font-size:1.6rem;font-weight:700;color:#0d1117;background:{color}}}
 .lvl .lbl{{display:block;color:#8b949e;font-size:.72rem;text-transform:uppercase;margin-top:.2rem}}
-.cap{{padding:.4rem 1.3rem;color:#8b949e;font-size:.82rem;border-bottom:1px solid #21262d}}
+.ladder{{padding:.4rem 1.3rem;color:#8b949e;font-size:.82rem;border-bottom:1px solid #21262d}}
 .body{{display:flex;gap:1rem;padding:1rem 1.3rem}}
 .tbl{{flex:1}}
 table{{border-collapse:collapse;width:100%;font-size:.85rem}}
@ -234,12 +214,12 @@ tr.skipreason td{{color:#8b949e;font-size:.78rem;font-style:italic;padding-top:0
 .shot.noshot{{display:flex;align-items:center;justify-content:center;height:225px;color:#8b949e;font-size:.85rem}}
 .flags{{display:flex;gap:.6rem;padding:.6rem 1.3rem 1rem}}
 .flag{{border:1px solid;border-radius:6px;padding:.15rem .5rem;font-size:.78rem;color:#c9d1d9}}
-.cap b{{color:#c9d1d9}}
+.ladder b{{color:#c9d1d9}}
 </style></head><body><div class="card">
 <div class="hd">{FLOWER_SVG}
 <div class="title"><h1>{recipe}</h1><span class="ver">{version}</span></div>
 <div class="lvl"><span class="num">{level}</span><span class="lbl">level</span></div></div>
-<div class="cap">{("<b>capped:</b> " + cap) if cap else "<b>full clean climb</b> — top level (4)"}</div>
+<div class="ladder"><b>level {level} of {ladder_top}</b></div>
 <div class="body"><div class="tbl"><table>{rows}</table></div>{shot_html}</div>
 <div class="flags">{"".join(flag_bits)}</div>
 </div></body></html>"""
--- a/runner/harness/deps.py
+++ b/runner/harness/deps.py
@ -20,7 +20,7 @@ Per Phase-2 DECISIONS:
 Run state:
 - `$CCCI_DEPS_FILE` — JSON file written by the orchestrator after each dep deploys; each entry is
  `{"recipe": "<dep-recipe>", "domain": "<dep-domain>", "version": null}`. Tests access via the
-  `deps_apps` pytest fixture defined in `tests/conftest.py`.
+  `deps` pytest fixture defined in `tests/conftest.py`.
 """

 from __future__ import annotations
@ -28,24 +28,10 @@ from __future__ import annotations
 import contextlib
 import json
 import os
-from typing import Iterable
+from collections.abc import Iterable

 from . import lifecycle, naming
-
-
-def declared_deps(recipe: str) -> list[str]:
-    """Read `DEPS` from `tests/<recipe>/recipe_meta.py` — a list of recipe names this recipe needs
-    deployed alongside it. Returns [] if none."""
-    path = os.path.join(
-        os.path.dirname(__file__), "..", "..", "tests", recipe, "recipe_meta.py"
-    )
-    if not os.path.exists(path):
-        return []
-    ns: dict = {}
-    with open(path) as fh:
-        exec(compile(fh.read(), path, "exec"), ns)  # noqa: S102 (trusted, in-repo)
-    deps = ns.get("DEPS") or []
-    return [str(d) for d in deps if d]
+from . import meta as meta_mod


 def dep_domain(parent_recipe: str, pr: str, ref: str | None, dep_recipe: str) -> str:
@ -64,11 +50,11 @@ def write_run_state(deps_state) -> None:
    """Write the deps state file ($CCCI_DEPS_FILE). Two shapes supported (canonical=keyed dict):

    1. **Legacy list-of-entries:** `[{"recipe": "<dep>", "domain": "<d>"}, ...]` (Q2.3 original).
-       Still accepted by `load_run_state` for backwards compat — `deps_apps` fixture flattens.
+       Still accepted by `load_run_state` for backwards compat — the `deps` fixture flattens.
    2. **NEW per-spec dict (operator-2026-05-28 SSO-dep plan §3.2):**
       `{"<dep_recipe>": {"recipe": "<dep>", "domain": "<d>", "realm": "...",
       "client_id": "...", "client_secret": "...", "admin_user": "...", "admin_password": "..."}}`.
-       The `setup_custom_tests.sh` per-recipe hook reads this via `jq` to wire OIDC env.
+       The per-recipe `install_steps.sh` hook reads this via `jq` to wire OIDC env.

    No-op if `$CCCI_DEPS_FILE` isn't set."""
    path = os.environ.get("CCCI_DEPS_FILE")
@ -83,11 +69,12 @@ def deploy_deps(
    pr: str,
    ref: str | None,
    deps: Iterable[str],
-    meta_for: dict[str, dict] | None = None,
+    meta_for: dict | None = None,
 ) -> list[dict]:
    """Deploy each declared dep, sequentially, at its per-run domain. Returns the list of state
-    dicts (one per dep). `meta_for` maps dep_recipe -> meta (HEALTH_PATH/HEALTH_OK/timeouts) so the
-    readiness wait uses per-dep config; missing dep meta falls back to (/, 200/301/302, 600s)."""
+    dicts (one per dep). `meta_for` maps dep_recipe -> RecipeMeta (HEALTH_PATH/HEALTH_OK/timeouts)
+    so the readiness wait uses per-dep config; a missing dep meta is loaded via meta.load()
+    (defaults: /, 200/301/302, 600s)."""
    meta_for = meta_for or {}
    state: list[dict] = []
    for dep in deps:
@ -96,20 +83,21 @@ def deploy_deps(
        # NB: each dep_app gets a fresh deploy_count entry only on `_record_deploy` which fires
        # inside `lifecycle.deploy_app`. For Phase 2 the deploy-count guard (DG4.1) counts the
        # parent + its deps as distinct install events — by design, since each is a separate app.
-        dm = meta_for.get(dep, {})
+        dm = meta_for.get(dep) or meta_mod.load(dep)
        lifecycle.deploy_app(
            dep,
            domain,
            secrets=True,
-            deploy_timeout=int(dm.get("DEPLOY_TIMEOUT", 900)),
+            deploy_timeout=int(dm.DEPLOY_TIMEOUT),
+            meta=dm,
        )
        try:
            lifecycle.wait_healthy(
                domain,
-                ok_codes=tuple(dm.get("HEALTH_OK", (200, 301, 302))),
-                path=dm.get("HEALTH_PATH", "/"),
-                deploy_timeout=int(dm.get("DEPLOY_TIMEOUT", 600)),
-                http_timeout=int(dm.get("HTTP_TIMEOUT", 600)),
+                ok_codes=tuple(dm.HEALTH_OK),
+                path=dm.HEALTH_PATH,
+                deploy_timeout=int(dm.DEPLOY_TIMEOUT),
+                http_timeout=int(dm.HTTP_TIMEOUT),
            )
        except Exception:
            # If a dep fails to converge, abort the whole resolve — let the caller teardown
@ -165,7 +153,7 @@ def load_run_state():


 def deps_as_dict(state) -> dict[str, dict]:
-    """Coerce either shape (legacy list or new dict) into a recipe→entry dict for the deps_apps
+    """Coerce either shape (legacy list or new dict) into a recipe→entry dict for the `deps`
    fixture + dependent-tests consumption."""
    if isinstance(state, dict):
        return state
--- a/runner/harness/discovery.py
+++ b/runner/harness/discovery.py
@ -11,7 +11,8 @@ hook; the orchestrator decides additive-vs-skip. Sources, in precedence order
      > cc-ci       tests/<recipe>/test_<op>.py
    (the generic tests/_generic/test_<op>.py is the always-present floor, run separately by default)

-    custom (non-lifecycle) test_*.py — ALL run, additively, from BOTH locations (opt-in).
+    custom test_*.py (functional/ + playwright/ ONLY, rcust P4 placement rule) — ALL run,
+        additively, from BOTH locations (opt-in).

    install-steps hook — install_steps.sh: repo-local > cc-ci, or none.

@ -100,29 +101,22 @@ def resolve_op(recipe: str, op: str, repo_local_dir: str | None) -> tuple[str, s


 def custom_tests(recipe: str, repo_local_dir: str | None) -> list[tuple[str, str]]:
-    """All non-lifecycle test_*.py from cc-ci's tests/<recipe>/ and (if approved) the recipe's
-    repo-local tests/. Discovered locations (Phase 2 §4.1):
-      - the top-level dir   tests/<recipe>/test_*.py  (legacy + cross-cutting)
-      - functional/         tests/<recipe>/functional/test_*.py  (parity ports + recipe-specific)
-      - playwright/         tests/<recipe>/playwright/test_*.py  (UI flows P6)
-    Files named `test_<op>.py` (lifecycle ops) are excluded from this list — the orchestrator runs
-    those in their lifecycle tier, not the custom one. Repo-local is consulted only for
-    allowlist-approved recipes (HC2)."""
+    """All custom-tier test_*.py from cc-ci's tests/<recipe>/ and (if approved) the recipe's
+    repo-local tests/. PLACEMENT RULE (rcust P4): custom tests live ONLY under
+      - functional/   tests/<recipe>/functional/test_*.py  (parity ports + recipe-specific)
+      - playwright/   tests/<recipe>/playwright/test_*.py  (UI flows)
+    A top-level test_*.py is a LIFECYCLE OVERLAY (test_<op>.py) and nothing else — top-level
+    non-lifecycle files are NOT discovered (zero users at the time of the change; the lifecycle-
+    name exclusion below stays as a safety net so a misfiled test_<op>.py can never double-run).
+    Repo-local is consulted only for allowlist-approved recipes (HC2)."""
    lifecycle_names = {f"test_{op}.py" for op in LIFECYCLE_OPS}
    subdirs = ("functional", "playwright")
    found: list[tuple[str, str]] = []
    for source, d in (("cc-ci", cc_ci_dir(recipe)), ("repo-local", _gated(recipe, repo_local_dir))):
        if not d or not os.path.isdir(d):
            continue
-        # top-level (legacy / cross-cutting tests not under functional/playwright)
-        for p in sorted(glob.glob(os.path.join(d, "test_*.py"))):
-            if os.path.basename(p) not in lifecycle_names:
-                found.append((source, p))
-        # functional/ and playwright/ subdirs (Phase 2 §4.1)
        for sub in subdirs:
            for p in sorted(glob.glob(os.path.join(d, sub, "test_*.py"))):
-                # Phase-2 layout: lifecycle ops never live under functional/playwright, but be
-                # explicit so a misfiled file doesn't silently get double-run.
                if os.path.basename(p) not in lifecycle_names:
                    found.append((source, p))
    return found
@ -144,7 +138,7 @@ def install_steps(recipe: str, repo_local_dir: str | None) -> tuple[str, str] |

 def pre_op_hook(recipe: str, op: str, repo_local_dir: str | None) -> tuple[str, str] | None:
    """The pre-op seed hook for `op`: the path to a recipe `ops.py` module that defines a
-    `pre_<op>(domain, meta)` callable, or None. cc-ci's tests/<recipe>/ops.py wins; the repo-local
+    `pre_<op>(ctx)` callable, or None. cc-ci's tests/<recipe>/ops.py wins; the repo-local
    ops.py is consulted only for allowlist-approved recipes (HC2). The orchestrator imports the
    module and calls pre_<op> BEFORE performing the op (HC3 op/assertion split — overlays seed
    pre-op state here, then assert post-op in test_<op>.py)."""
--- a/runner/harness/generic.py
+++ b/runner/harness/generic.py
@ -19,22 +19,24 @@ import ssl
 import time

 from . import abra, lifecycle
+from . import meta as meta_mod

 # A recipe is backup-capable iff a compose file carries a truthy backupbot.backup label.
 _BACKUPBOT_RE = re.compile(r"backupbot\.backup\b[^\n]*\btrue\b", re.IGNORECASE)


 def _recipe_dir(recipe: str) -> str:
-    return os.path.expanduser(f"~/.abra/recipes/{recipe}")
+    return abra.recipe_dir(recipe)  # the per-run tree inside a CI run ($ABRA_DIR)


-def backup_capable(recipe: str, meta: dict | None = None) -> bool:
+def backup_capable(recipe: str, meta=None) -> bool:
    """Whether the harness should run the backup/restore tiers (else they are a clean N/A skip, DG3).

-    `recipe_meta.BACKUP_CAPABLE` (bool) overrides; otherwise auto-detect by scanning the recipe's
-    compose*.yml for a truthy `backupbot.backup` label (the Co-op Cloud backup convention)."""
-    if meta and "BACKUP_CAPABLE" in meta:
-        return bool(meta["BACKUP_CAPABLE"])
+    `recipe_meta.BACKUP_CAPABLE` (bool) overrides when explicitly set (RecipeMeta default is None =
+    unset); otherwise auto-detect by scanning the recipe's compose*.yml for a truthy
+    `backupbot.backup` label (the Co-op Cloud backup convention)."""
+    if meta is not None and meta.BACKUP_CAPABLE is not None:
+        return bool(meta.BACKUP_CAPABLE)
    for path in glob.glob(os.path.join(_recipe_dir(recipe), "compose*.yml")):
        try:
            with open(path) as fh:
@ -75,7 +77,7 @@ def served_cert(domain: str, port: int = 443) -> tuple[bool, str]:
    return (True, f"CN={cn} SAN={sans}")


-def assert_serving(domain: str, meta: dict) -> None:
+def assert_serving(domain: str, meta) -> None:
    """The single generic "is the app really serving?" assertion (DG1).

    The app-vs-Traefik-fallback proof is steps 1+2 (both load-bearing, verified by the Adversary):
@ -90,14 +92,14 @@ def assert_serving(domain: str, meta: dict) -> None:

    Steps 1–2 are BOUNDED POLLS (no bare sleep), so a state-mutating op (upgrade/restore) that leaves
    the app briefly reconverging settles, while a persistent failure still fails within the timeout."""
-    deadline = time.time() + meta["DEPLOY_TIMEOUT"]
+    deadline = time.time() + meta.DEPLOY_TIMEOUT
    while time.time() < deadline and not lifecycle.services_converged(domain):
        time.sleep(5)
    assert lifecycle.services_converged(domain), f"{domain}: services did not converge"

-    path = meta["HEALTH_PATH"]
-    ok = tuple(meta["HEALTH_OK"])
-    deadline = time.time() + meta["HTTP_TIMEOUT"]
+    path = meta.HEALTH_PATH
+    ok = tuple(meta.HEALTH_OK)
+    deadline = time.time() + meta.HTTP_TIMEOUT
    served = False
    status, body = 0, ""
    while time.time() < deadline:
@ -141,7 +143,7 @@ def op_state() -> dict:
        return {}


-def assert_upgraded(domain: str, meta: dict) -> None:
+def assert_upgraded(domain: str, meta) -> None:
    """Generic UPGRADE assertion (post-op): the orchestrator already performed the upgrade once via
    `abra app deploy --chaos` of the PR-head checkout. Assert it reconverged + still serves AND that
    the deployment is genuinely the PR-head code under test (HC1) — non-vacuously (guarding F1d-2).
@ -212,7 +214,7 @@ def assert_backup_artifact(domain: str) -> str:
    return snap_id


-def assert_restore_healthy(domain: str, meta: dict) -> None:
+def assert_restore_healthy(domain: str, meta) -> None:
    """Generic RESTORE assertion (post-op): the orchestrator already restored. Assert the app is
    healthy + serving again (assert_serving polls, so the post-restore reconverge settles)."""
    assert_serving(domain, meta)
@ -222,7 +224,11 @@ def assert_restore_healthy(domain: str, meta: dict) -> None:


 def perform_upgrade(
-    domain: str, recipe: str, head_ref: str | None, deploy_timeout: int = 900, meta: dict | None = None
+    domain: str,
+    recipe: str,
+    head_ref: str | None,
+    deploy_timeout: int = 900,
+    meta=None,
 ) -> dict[str, str | None]:
    """Perform the UPGRADE op once, in place, to the PR-HEAD code under test (HC1): re-checkout the
    PR head (the prev-tag base deploy reset the recipe working tree), then `abra app deploy --chaos`
@ -240,7 +246,8 @@ def perform_upgrade(
    STRICTER convergence+health wait here: services N/N (wait_healthy) + app HEALTH_PATH healthy +
    any recipe READY_PROBE (collabora WOPI discovery 200). This bounds readiness by OUR generous
    deadline, not abra's impatient one — and is stronger evidence than abra's monitor."""
-    meta = meta or {}
+    if meta is None:
+        meta = meta_mod.load(recipe)
    before = lifecycle.deployed_identity(domain)
    if head_ref:
        lifecycle.recipe_checkout_ref(recipe, head_ref)
@ -249,9 +256,7 @@ def perform_upgrade(
    # (target) version, so the base deploys minimally WITHOUT it and the upgrade adds it to COMPOSE_FILE
    # here, after the PR-head checkout (which ships the overlay) and before the chaos redeploy that
    # picks up the new .env. Dict or callable(domain)->dict. No-op for recipes without it.
-    upgrade_env = meta.get("UPGRADE_EXTRA_ENV") or {}
-    if callable(upgrade_env):
-        upgrade_env = upgrade_env(domain) or {}
+    upgrade_env = meta_mod.upgrade_extra_env(meta, meta_mod.hook_ctx(domain, meta, op="upgrade"))
    for k, v in upgrade_env.items():
        print(f"  upgrade-env: {k}={v}", flush=True)
        abra.env_set(domain, k, v)
@ -262,12 +267,12 @@ def perform_upgrade(
    # Own the convergence verification (abra's monitor was skipped via -c).
    lifecycle.wait_healthy(
        domain,
-        ok_codes=tuple(meta.get("HEALTH_OK", (200, 301, 302))),
-        path=meta.get("HEALTH_PATH", "/"),
-        deploy_timeout=int(meta.get("DEPLOY_TIMEOUT", deploy_timeout)),
-        http_timeout=int(meta.get("HTTP_TIMEOUT", 300)),
+        ok_codes=tuple(meta.HEALTH_OK),
+        path=meta.HEALTH_PATH,
+        deploy_timeout=int(meta.DEPLOY_TIMEOUT),
+        http_timeout=int(meta.HTTP_TIMEOUT),
    )
-    lifecycle.wait_ready_probes(meta, domain, timeout=int(meta.get("DEPLOY_TIMEOUT", deploy_timeout)))
+    lifecycle.wait_ready_probes(meta, domain, timeout=int(meta.DEPLOY_TIMEOUT), op="upgrade")
    after = lifecycle.deployed_identity(domain)
    # Evidence (HC1): the chaos-version label = the deployed recipe commit; it should match the
    # PR-head we checked out — proving the upgrade deployed the code under test, not a published tag.
--- a/runner/harness/http.py
+++ b/runner/harness/http.py
@ -73,7 +73,7 @@ def http_post(
    `data` is JSON-encoded if content_type='application/json',
    form-encoded if 'application/x-www-form-urlencoded' (the OIDC token endpoint form),
    or sent raw bytes if data is already bytes."""
-    if isinstance(data, (bytes, bytearray)):
+    if isinstance(data, bytes | bytearray):
        body: bytes | None = bytes(data)
    elif content_type == "application/json" and data is not None:
        body = json.dumps(data).encode()
@ -107,7 +107,7 @@ def http_request(
 ) -> tuple[int, object | None]:
    """Arbitrary-method HTTP (PUT/DELETE/PATCH) for parity tests that mutate. Same shape as
    http_post (returns (status, json_or_None))."""
-    if isinstance(data, (bytes, bytearray)):
+    if isinstance(data, bytes | bytearray):
        body: bytes | None = bytes(data)
    elif content_type == "application/json" and data is not None:
        body = json.dumps(data).encode()
@ -142,7 +142,7 @@ def post_with_headers(
    """Like http_post but ALSO returns the response headers as a dict — for APIs that hand back an
    auth token in a response header rather than the body (e.g. mattermost login → `Token` header).
    Returns (status, parsed_json_or_None, response_headers). status=0 + {} on transport failure."""
-    if isinstance(data, (bytes, bytearray)):
+    if isinstance(data, bytes | bytearray):
        body: bytes | None = bytes(data)
    elif content_type == "application/json" and data is not None:
        body = json.dumps(data).encode()
@ -252,13 +252,16 @@ def retry_http_post(
 ) -> tuple[int, object | None]:
    """POST with retry until expect_fn(status, json) is truthy. Defaults to any 2xx."""
    if expect_fn is None:
+
        def expect_fn(s, _j):  # noqa: ARG001
            return 200 <= s < 300

    result: list[tuple[int, object | None]] = [(0, None)]

    def _check():
-        s, j = http_post(url, data=data, headers=headers, content_type=content_type, timeout=timeout)
+        s, j = http_post(
+            url, data=data, headers=headers, content_type=content_type, timeout=timeout
+        )
        result[0] = (s, j)
        return expect_fn(s, j)

--- a/runner/harness/level.py
+++ b/runner/harness/level.py
@ -1,67 +1,67 @@
-"""Phase 3 — the level ladder (plan-phase3-results-ux.md §4.1, R1).
+"""The level ladder — five rungs, no capping (phase lvl5, plan-phase-lvl5-lint-rung.md).

-A single integer **level** summarising how far up the quality ladder a recipe run climbed, with
-YunoHost semantics: **a gap caps the level** — you only earn level L if every rung 1..L was a clean
-PASS. The first rung that is not a clean PASS (a real FAIL *or* genuinely N/A for this recipe) stops
-the climb; `cap_reason` records why. This is deliberately conservative: presentation must NEVER make
-a run look greener than its tests (plan §6 cardinal guardrail), so an N/A rung caps just like a fail
-— with a recorded reason so the level is *fair*, not inflated.
-
-The ladder is the FOUR essential rungs every recipe is held to:
+A single integer **level** summarising how far up the quality ladder a recipe run climbed:
  L0 — install failed / app never became healthy.
  L1 — Installs: deploys + passes health/readiness.
  L2 — Upgrades: previous published version → PR version, stays healthy, data intact.
  L3 — Backup/restore: seeded data survives backup → wipe → restore.
  L4 — Functional: recipe-specific functional tests pass.
+  L5 — Lint: `abra recipe lint` passes against the exact ref under test.

-Integration (SSO/OIDC + cross-app) and recipe-local (the recipe repo's own tests/) are **OPTIONAL**
-capabilities — they are NOT part of the level ladder and never cap it. They still run when present
-(and SSO is still enforced for the run VERDICT via the deps/SSO checks in run_recipe_ci.py), but a
-recipe without an SSO surface or without repo-local tests is simply not penalised on the level.
+Semantics (operator-decided 2026-06-11, recorded in DECISIONS.md — replaces the Phase-3
+"N/A caps" rule):

-This module is PURE (no I/O) so it is cheaply unit-testable and the Adversary can re-run the unit
-test cold (`cc-ci-run -m pytest tests/unit/test_level.py -q`). The orchestrator
-(`run_recipe_ci.py`) is responsible for translating its raw per-tier results into the rung-status
-dict this function consumes; that mapping is documented in DECISIONS.md (Phase 3).
+    level = max i such that rung_i == "pass" and every rung j < i is "pass" or "skip"; 0 if none.

-Rung status vocabulary (each rung ∈ these three):
-  "pass" — the rung was exercised and passed.
-  "fail" — the rung was exercised and failed.
-  "na"   — the rung does not apply to this recipe (e.g. only one published version → no upgrade;
-           not backup-capable). N/A is NOT a failure, but it DOES cap the climb (with a distinct
-           cap_reason) so the level never overstates what was actually verified.
+A rung has one of FOUR statuses:
+  "pass"  — exercised and passed.
+  "fail"  — exercised and failed. Blocks: no rung above it can count.
+  "skip"  — INTENTIONAL skip: the rung genuinely does not apply to this recipe, from a
+            declared or structural fact (not backup-capable; only one published version;
+            declared in recipe_meta.EXPECTED_NA). Does NOT stop the climb.
+  "unver" — UNINTENTIONAL not-verified: the rung SHOULD have run but didn't (infra error,
+            missing tool, harness exception, prior-stage abort, timeout). Blocks exactly
+            like a fail — the level never rises above a rung that wasn't actually checked.
+
+The per-rung table (results.json `rungs`, card, dashboard) is the SOLE carrier of "why isn't
+this level higher" — there is no cap_reason. The classification of every N/A source into
+skip-vs-unver lives in derive_rungs (results.py) and is tabulated in DECISIONS.md; anything
+unclassifiable defaults to "unver" (conservative: never claim what wasn't checked).
+
+Integration (SSO/OIDC + cross-app) and recipe-local (the recipe repo's own tests/) remain
+OPTIONAL capabilities — not rungs, never counted (SSO is still enforced for the run VERDICT
+via the deps/SSO checks in run_recipe_ci.py).
+
+This module is PURE (no I/O) so it is cheaply unit-testable and the Adversary can re-run the
+unit test cold (`cc-ci-run -m pytest tests/unit/test_level.py -q`).
 """

 from __future__ import annotations

-# The climbable rungs in ascending order. install (L1) is the foundation; L0 means install itself
-# did not pass. Each later rung requires every earlier rung to be a clean PASS. These four are the
-# ESSENTIAL rungs — integration/recipe-local are optional and deliberately NOT in this tuple.
-RUNGS = ("install", "upgrade", "backup_restore", "functional")
+# The climbable rungs in ascending order. install (L1) is the foundation; L0 means install
+# itself did not pass. These five are the ESSENTIAL rungs — integration/recipe-local are
+# optional and deliberately NOT in this tuple.
+RUNGS = ("install", "upgrade", "backup_restore", "functional", "lint")

-# Human-readable label per rung level, for cap_reason + the summary card.
+# Human-readable label per rung level, for the summary card / docs.
 RUNG_LABEL = {
    1: "install (deploy + health)",
    2: "upgrade (prev published → PR)",
    3: "backup/restore (data integrity)",
    4: "functional (recipe-specific tests)",
+    5: "lint (abra recipe lint)",
 }

-VALID = {"pass", "fail", "na"}
+VALID = {"pass", "fail", "skip", "unver"}


-def compute_level(rungs: dict[str, str]) -> tuple[int, str]:
-    """Map a rung-status dict → (level 0..4, cap_reason).
+def compute_level(rungs: dict[str, str]) -> int:
+    """Map a rung-status dict → level 0..5.

-    `rungs` must contain a status in {"pass","fail","na"} for every name in RUNGS. The level is the
-    highest L such that rungs[1..L] are all "pass"; the first non-"pass" rung caps the climb. L0 is
-    returned when the install rung itself is not "pass" (install failed / never healthy).
-
-    cap_reason explains where the climb stopped:
-      - "" (empty) when the recipe earned the top rung (L4, full clean climb).
-      - "L<k> <label> FAILED" when a rung was exercised and failed.
-      - "L<k> <label> N/A" when a rung does not apply to this recipe.
-    Returns the reason for the FIRST rung that stopped the climb (the binding constraint).
+    `rungs` must contain a status in VALID for every name in RUNGS. The level is the highest
+    i such that rungs[i] == "pass" and every rung below i is "pass" or "skip" (an intentional
+    skip does not stop the climb). A "fail" or "unver" rung blocks: rungs above it cannot
+    count, however green. 0 when no rung qualifies.
    """
    for name in RUNGS:
        st = rungs.get(name)
@ -69,52 +69,44 @@ def compute_level(rungs: dict[str, str]) -> tuple[int, str]:
            raise ValueError(
                f"rung {name!r} has invalid status {st!r} (expect one of {sorted(VALID)})"
            )
-
-    # L0: install did not pass.
-    if rungs["install"] != "pass":
-        if rungs["install"] == "fail":
-            return 0, "L1 " + RUNG_LABEL[1] + " FAILED"
-        # install N/A is not a real-world state for a deploy run, but handle it for totality.
-        return 0, "L1 " + RUNG_LABEL[1] + " N/A"
-
-    # Climb: stop at the first rung that is not a clean pass.
    level = 0
    for idx, name in enumerate(RUNGS, start=1):
-        if rungs[name] == "pass":
+        st = rungs[name]
+        if st == "pass":
            level = idx
+        elif st == "skip":
            continue
-        # first non-pass rung — caps the climb
-        kind = "FAILED" if rungs[name] == "fail" else "N/A"
-        return level, f"L{idx} {RUNG_LABEL[idx]} {kind}"
-
-    # Full clean climb to the top rung.
-    return level, ""
+        else:  # fail / unver — nothing above this rung can count
+            break
+    return level


 def backup_restore_status(backup: str | None, restore: str | None, backup_capable: bool) -> str:
    """Collapse the backup + restore tier results into the single L3 rung status.

-    Both tiers must pass for the rung to pass (the rung is "seeded data survives backup→wipe→restore",
-    which is only verified if BOTH the backup and the restore tier are green). If the recipe is not
-    backup-capable, both tiers skip → the rung is N/A (caps at L2, recorded). A fail in either tier
-    fails the rung.
+    Not backup-capable (a declared/structural fact: no backupbot labels, or
+    recipe_meta.BACKUP_CAPABLE=False) → "skip" — the rung genuinely does not apply.
+    Otherwise both tiers must pass for the rung to pass; a fail in either tier fails it; any
+    other shape (tier skipped or never ran while backup-capable — e.g. a prior-stage abort)
+    is "unver": the rung should have been verified and wasn't.
    """
    if not backup_capable:
-        return "na"
+        return "skip"
    vals = {backup, restore}
    if "fail" in vals:
        return "fail"
    if backup == "pass" and restore == "pass":
        return "pass"
-    # any skip/None while backup-capable → not verified → treat as N/A (cannot claim L3)
-    return "na"
+    return "unver"


 def tier_to_rung(status: str | None) -> str:
-    """Map a single tier result ('pass'|'fail'|'skip'|None) to a rung status. 'skip'/None → 'na'
-    (the tier did not apply / did not run), so it caps the climb without being counted as a failure."""
+    """Map a single tier result ('pass'|'fail'|'skip'|None) to a rung status, with NO
+    intentionality information: a tier that did not produce a pass/fail is "unver" (it should
+    have run and wasn't verified). The caller (derive_rungs) upgrades "unver" to "skip" where
+    a declared/structural fact makes the skip intentional — never the other way around."""
    if status == "pass":
        return "pass"
    if status == "fail":
        return "fail"
-    return "na"
+    return "unver"
--- a/runner/harness/lifecycle.py
+++ b/runner/harness/lifecycle.py
@ -7,17 +7,20 @@ next run. Callers wrap deploy()/teardown() in try/finally (or a pytest finalizer
 from __future__ import annotations

 import contextlib
-import datetime
+import fcntl
+import glob
 import json
 import os
 import re
+import shutil
 import socket
 import ssl
 import subprocess
 import time
 import urllib.request

-from . import abra
+from . import abra, lifetime
+from . import meta as meta_mod

 GATEWAY_IP = "143.244.213.108"  # *.ci.commoninternet.net -> gateway (TLS passthrough to cc-ci)
 # A run app domain is "<recipe[:4]>-<6hex>.ci.commoninternet.net" (see DECISIONS.md). Used by the
@ -29,6 +32,68 @@ class TeardownError(RuntimeError):
    pass


+# --- Concurrent-run safety (capacity=2) -------------------------------------------------------
+# ONE mechanism, process-lifetime-scoped so SIGKILL can't leak a stale claim: every run holds an
+# exclusive kernel flock on its app DOMAIN (/run/lock/cc-ci-app-<domain>.lock) for the whole run.
+# A held lock implies a live owner — the kernel releases a flock when the holding process dies,
+# however it dies. The janitor probes the lock (LOCK_NB) to tell a live concurrent run (held →
+# leave it) from a crashed run's orphan (acquirable → reap it); it never inspects pids and never
+# steals a held lock. Recipe-tree corruption between same-recipe runs is gone structurally (each
+# run deploys from its own per-run ABRA_DIR — there is no shared recipe tree and no recipe lock),
+# and same-domain runs (double-!testme of one PR) serialise on this app lock.
+# See docs/concurrency.md.
+
+# Acquired app-lock file objects are retained here for the REMAINING PROCESS LIFETIME: if the
+# caller drops the returned file object, GC would close the fd and silently release the lock —
+# this list is the lock's owner of record. Never cleared; release is process exit.
+_held_app_locks: list = []
+
+
+def _app_lock_dir() -> str:
+    """The app-domain lockfile dir. /run/lock (tmpfs: a reboot clears locks AND lockfiles, so
+    post-reboot apps probe as orphans and are reaped immediately). Env-overridable so the
+    tests/concurrency suite (and its helper subprocesses) can use a sandbox dir."""
+    return os.environ.get("CCCI_APP_LOCK_DIR", "/run/lock")
+
+
+def _app_lock_path(domain: str) -> str:
+    return os.path.join(_app_lock_dir(), f"cc-ci-app-{domain}.lock")
+
+
+def acquire_app_lock(domain: str):
+    """Take the per-app-domain exclusive lock; blocks (with a log line) if another run of the
+    same domain is in flight (double-!testme serialisation). Returns the open lock file, which is
+    ALSO retained in _held_app_locks so the flock lives exactly as long as the process.
+
+    Unlink/recreate race guard: the janitor unlinks a reaped orphan's lockfile while holding its
+    flock, so a waiter blocked on the OLD inode can win a lock no later opener can observe (a new
+    open() at the path creates a FRESH inode). After every acquisition, verify the locked fd is
+    still the file at the path (st_ino match); if not, drop it and retry on the live path."""
+    path = _app_lock_path(domain)
+    waited = False
+    while True:
+        # PEP 446: the fd is non-inheritable, so subprocess children never carry the lock.
+        f = open(path, "a")  # noqa: SIM115 — deliberately held for the rest of the process
+        try:
+            fcntl.flock(f, fcntl.LOCK_EX | fcntl.LOCK_NB)
+        except BlockingIOError:
+            if not waited:
+                print(f"== app lock: another run of {domain} is in flight — waiting ==", flush=True)
+                waited = True
+            fcntl.flock(f, fcntl.LOCK_EX)
+        try:
+            if os.fstat(f.fileno()).st_ino == os.stat(path).st_ino:
+                break  # we hold the lock on the inode the path names — done
+        except FileNotFoundError:
+            pass
+        f.close()  # locked a stale (unlinked) inode — retry on the live path
+    os.utime(f.fileno())  # mtime = acquisition time = lock age (janitor's long-held flag)
+    _held_app_locks.append(f)
+    if waited:
+        print(f"== app lock: acquired {path} ==", flush=True)
+    return f
+
+
 def _docker_names(kind: str, stack: str) -> list[str]:
    """docker <kind> ls names filtered to a stack (kind: service|volume|secret)."""
    proc = subprocess.run(
@ -48,62 +113,6 @@ def _residual(domain: str) -> dict:
    }


-def _stack_age_seconds(stack: str) -> float | None:
-    """Age of the stack's oldest service, or None if not present."""
-    svcs = _docker_names("service", stack)
-    if not svcs:
-        return None
-    oldest = None
-    for s in svcs:
-        p = subprocess.run(
-            ["docker", "service", "inspect", s, "--format", "{{.CreatedAt}}"],
-            capture_output=True,
-            text=True,
-        )
-        ts = p.stdout.strip()
-        try:
-            # docker emits e.g. 2026-05-27 00:12:33.123 +0000 UTC -> take the leading 19 chars
-            dt = datetime.datetime.strptime(ts[:19], "%Y-%m-%d %H:%M:%S").replace(
-                tzinfo=datetime.UTC
-            )
-        except ValueError:
-            continue
-        age = (datetime.datetime.now(datetime.UTC) - dt).total_seconds()
-        oldest = age if oldest is None else max(oldest, age)
-    return oldest
-
-
-def _recipe_extra_env(recipe: str, domain: str) -> dict[str, str]:
-    """Per-recipe extra .env keys, applied at every deploy (install + upgrade's old_app) so a recipe
-    with multi-domain / config needs is enrolled with NO shared-harness change (D5/M6.5). A recipe
-    declares `EXTRA_ENV` in tests/<recipe>/recipe_meta.py as either a dict or a callable
-    `EXTRA_ENV(domain) -> dict` (callable form lets it derive values from the per-run domain, e.g.
-    cryptpad's SANDBOX_DOMAIN). Returns {} if none."""
-    path = os.path.join(os.path.dirname(__file__), "..", "..", "tests", recipe, "recipe_meta.py")
-    if not os.path.exists(path):
-        return {}
-    ns: dict = {}
-    with open(path) as fh:
-        exec(compile(fh.read(), path, "exec"), ns)  # noqa: S102 (trusted, in-repo)
-    ee = ns.get("EXTRA_ENV")
-    if callable(ee):
-        ee = ee(domain)
-    return {str(k): str(v) for k, v in (ee or {}).items()}
-
-
-def _recipe_meta_flag(recipe: str, key: str) -> bool:
-    """Read a boolean flag from tests/<recipe>/recipe_meta.py (e.g. CHAOS_BASE_DEPLOY). Returns
-    False if the recipe ships no meta or the flag is absent/falsey. Trusted in-repo exec, same as
-    _recipe_extra_env."""
-    path = os.path.join(os.path.dirname(__file__), "..", "..", "tests", recipe, "recipe_meta.py")
-    if not os.path.exists(path):
-        return False
-    ns: dict = {}
-    with open(path) as fh:
-        exec(compile(fh.read(), path, "exec"), ns)  # noqa: S102 (trusted, in-repo)
-    return bool(ns.get(key))
-
-
 def _record_deploy() -> None:
    """Increment the per-run deploy counter (DG4.1: one deploy per run). No-op unless the
    orchestrator set CCCI_DEPLOY_COUNT_FILE — so it never affects standalone/manual use."""
@ -117,6 +126,34 @@ def _record_deploy() -> None:
        f.write(str(n + 1))


+def ccci_overlay_path(recipe: str) -> str:
+    """The cc-ci-owned compose overlay for a recipe (rcust P2a: first-class, auto-discovered)."""
+    return os.path.join(meta_mod.TESTS_DIR, recipe, "compose.ccci.yml")
+
+
+def has_ccci_overlay(recipe: str) -> bool:
+    return os.path.isfile(ccci_overlay_path(recipe))
+
+
+def provide_ccci_overlay(recipe: str) -> None:
+    """Copy tests/<recipe>/compose.ccci.yml into THIS run's recipe checkout (ABRA_DIR-aware), so
+    the recipe's COMPOSE_FILE reference resolves (rcust P2a — the harness owns the copy; recipes
+    no longer ship install_steps.sh boilerplate for it). No-op for recipes without an overlay."""
+    src = ccci_overlay_path(recipe)
+    if not os.path.isfile(src):
+        return
+    dest_dir = abra.recipe_dir(recipe)
+    if not os.path.isdir(dest_dir):
+        print(f"  ccci-overlay: recipe dir {dest_dir} missing — cannot provide overlay", flush=True)
+        raise RuntimeError(f"recipe checkout missing for {recipe}: {dest_dir}")
+    shutil.copy(src, os.path.join(dest_dir, "compose.ccci.yml"))
+    print(
+        f"  ccci-overlay: provided compose.ccci.yml to the {recipe} checkout "
+        "(first-class overlay; base deploy auto-chaos)",
+        flush=True,
+    )
+
+
 def _run_install_steps(hook: tuple[str, str], recipe: str, domain: str) -> None:
    """Run a recipe's custom install-steps hook (install_steps.sh) during the install tier — after
    `abra app new` + env defaults + secret generate, before deploy (Phase 1d DG5). The hook gets the
@ -149,9 +186,9 @@ def prepull_images(recipe: str, domain: str) -> None:
    app-INIT time (slow-init apps like collabora/immich still need their recipe healthcheck/READY_PROBE).
    Best-effort on resolution failure (skip + let the deploy pull as usual); HARD-fails on a real
    pull error (don't mask it)."""
-    import os
-
-    recipe_dir = os.path.expanduser(f"~/.abra/recipes/{recipe}")
+    recipe_dir = abra.recipe_dir(recipe)  # per-run tree inside a CI run
+    # The app .env lives in the CANONICAL servers path (the per-run ABRA_DIR's servers/ is a
+    # symlink to it, so abra and this path agree on the same file).
    env_path = os.path.expanduser(f"~/.abra/servers/default/{domain}.env")
    if not os.path.isdir(recipe_dir) or not os.path.isfile(env_path):
        print(f"  prepull: recipe dir or .env missing for {recipe} — skipping", flush=True)
@ -161,7 +198,8 @@ def prepull_images(recipe: str, domain: str) -> None:
    # --env-file supplies $VERSION-style interpolation so pinned tags resolve correctly.
    cf = subprocess.run(
        ["bash", "-c", f'set -a; . "{env_path}"; printf "%s" "${{COMPOSE_FILE:-compose.yml}}"'],
-        capture_output=True, text=True,
+        capture_output=True,
+        text=True,
    ).stdout.strip()
    files = [f for f in cf.split(":") if f] or ["compose.yml"]
    args = ["docker", "compose", "--env-file", env_path]
@ -199,16 +237,28 @@ def deploy_app(
    secrets: bool = True,
    install_steps_hook: tuple[str, str] | None = None,
    deploy_timeout: int = 900,
+    meta=None,
 ) -> None:
    """Create + configure + deploy an app. Forces LETS_ENCRYPT_ENV='' so traefik serves the
    wildcard cert via the file provider and NEVER attempts ACME (adversary finding A1). Applies any
-    per-recipe EXTRA_ENV (recipe_meta.py) and the custom install-steps hook (Phase 1d) before deploy.
+    per-recipe EXTRA_ENV (recipe_meta.py), the custom install-steps hook (Phase 1d), and the
+    first-class `tests/<recipe>/compose.ccci.yml` overlay (rcust P2a) before deploy.
+
+    `meta` is the recipe's loaded RecipeMeta (EXTRA_ENV); the orchestrator loads once and passes
+    it down. Callers without one in hand (fixtures, warm reconcile) may omit it — it is then
+    loaded here via the single meta.load() path.

    `deploy_timeout` is the subprocess timeout for `abra app deploy`. Caller (orchestrator) passes
    `recipe_meta.DEPLOY_TIMEOUT` so heavy recipes (ghost, matrix-synapse, lasuite-meet) can extend
    past the 900s default. abra's INTERNAL TIMEOUT (recipe's TIMEOUT env, default 300s) is set via
    EXTRA_ENV; this is the Python subprocess wrapper's timeout so abra doesn't get SIGKILLed mid-deploy."""
+    if meta is None:
+        meta = meta_mod.load(recipe)
    _record_deploy()
+    # Lock BEFORE the app exists: a concurrent run's janitor must never see this app without a
+    # held app lock (it would probe it as an orphan and reap an in-flight deploy). Also the
+    # double-!testme serialisation point: a second run of the same domain blocks here.
+    acquire_app_lock(domain)
    abra.app_config_remove(domain)  # clear any stale .env from a prior crashed run
    abra.app_new(recipe, domain, version=version, secrets=secrets)
    # A pinned version must actually deploy that version: check the recipe out to the tag so the
@ -231,16 +281,18 @@ def deploy_app(
                flush=True,
            )
            chaos = True
-        # A recipe may force a chaos base deploy via recipe_meta CHAOS_BASE_DEPLOY=True when an
-        # install_steps hook adds an untracked compose overlay to the recipe checkout (e.g. discourse's
-        # compose.ccci.yml, provided by install_steps for the pinned base). The untracked file makes
-        # abra's pinned-deploy clean-tree check FATA ('has locally unstaged changes'); chaos skips lint +
-        # the clean-tree gate and deploys the EXPLICITLY-checked-out pinned version (we already ran
-        # recipe_checkout(version) above) — NOT latest. Same mechanism as the lightweight-tag branch.
-        elif _recipe_meta_flag(recipe, "CHAOS_BASE_DEPLOY"):
+        # A first-class cc-ci compose overlay (tests/<recipe>/compose.ccci.yml, copied into the
+        # checkout below — rcust P2a) is an UNTRACKED file in the recipe checkout, which makes
+        # abra's pinned-deploy clean-tree check FATA ('has locally unstaged changes'). Auto-chaos:
+        # chaos skips lint + the clean-tree gate and deploys the EXPLICITLY-checked-out pinned
+        # version (we already ran recipe_checkout(version) above) — NOT latest. Same mechanism as
+        # the lightweight-tag branch. (Replaces the deleted CHAOS_BASE_DEPLOY meta flag — the
+        # overlay's presence IS the signal, killing the R7 implicit coupling.)
+        elif has_ccci_overlay(recipe):
            print(
-                f"  deploy_app({recipe}@{version}): CHAOS_BASE_DEPLOY set → chaos base deploy of the "
-                "checked-out pinned version (skips clean-tree/lint; deploys version, not LATEST)",
+                f"  deploy_app({recipe}@{version}): compose.ccci.yml overlay present → chaos base "
+                "deploy of the checked-out pinned version (skips clean-tree/lint; deploys version, "
+                "not LATEST)",
                flush=True,
            )
            chaos = True
@ -250,12 +302,18 @@ def deploy_app(
    # it ourselves is recipe-agnostic and canonical (the run domain IS the app's domain).
    abra.env_set(domain, "DOMAIN", domain)
    abra.env_set(domain, "LETS_ENCRYPT_ENV", "")
-    for k, v in _recipe_extra_env(recipe, domain).items():
+    for k, v in meta_mod.extra_env(meta, meta_mod.hook_ctx(domain, meta)).items():
        abra.env_set(domain, k, v)
    if secrets:
        abra.secret_generate(domain)
    if install_steps_hook:
        _run_install_steps(install_steps_hook, recipe, domain)
+    # First-class cc-ci compose overlay (rcust P2a): if the recipe ships
+    # tests/<recipe>/compose.ccci.yml, copy it into THIS run's recipe checkout (ABRA_DIR-aware)
+    # so the COMPOSE_FILE reference in the recipe's EXTRA_ENV resolves. Untracked, so it persists
+    # across the later PR-head checkout (idempotent when the head ships the same fix). Replaces
+    # the per-recipe install_steps.sh copy boilerplate + CHAOS_BASE_DEPLOY flag (auto-chaos above).
+    provide_ccci_overlay(recipe)
    # HQ1: warm the local image store before the (real, unchanged) abra deploy.
    prepull_images(recipe, domain)
    abra.deploy(domain, chaos=chaos, timeout=deploy_timeout)
@ -268,25 +326,76 @@ def _stack_name(domain: str) -> str:


 def services_converged(domain: str) -> bool:
-    """True when every service in the stack reports replicas N/N (N>0)."""
+    """True when every service in the stack reports replicas N/N (N>0) AND no service is
+    mid-rolling-update (swarm UpdateStatus settled)."""
    stack = _stack_name(domain)
    proc = subprocess.run(
-        ["docker", "stack", "services", stack, "--format", "{{.Replicas}}"],
+        ["docker", "stack", "services", stack, "--format", "{{.Name}} {{.Replicas}}"],
        capture_output=True,
        text=True,
    )
    rows = [r for r in proc.stdout.split("\n") if r.strip()]
    if not rows:
        return False
+    names = []
    for r in rows:
-        cur, _, want = r.partition("/")
+        name, _, replicas = r.partition(" ")
+        names.append(name)
+        cur, _, want = replicas.partition("/")
        # A service at its DESIRED replica count is converged — including a `replicas: 0`
        # on-demand one-shot (e.g. lasuite-drive's `minio-createbuckets`, which is scaled up
        # manually only when buckets need (re)creating), which reports "0/0". The earlier
        # `want == "0"` rejection wrongly treated those as never-converged, hanging the deploy
        # forever. `cur == want` (with `want` present) is the correct convergence test; a service
        # still spinning up shows e.g. "0/1" (cur != want) and is correctly not-yet-converged.
-        if not want or cur != want:
+        if not want:
+            return False
+        if cur != want:
+            # A TRIGGERED one-shot (restart_policy none, scaled 0→1, runs once, exits 0) reports
+            # "0/1" FOREVER after its task completes — swarm never restarts it, so a bare
+            # `cur != want` rejection would block convergence for the rest of the run (lasuite-drive
+            # minio-createbuckets, rcust M2: install assert burned the full DEPLOY_TIMEOUT after the
+            # P2b port moved the bucket trigger BEFORE the install assert; pre-restructure the
+            # trigger ran after it, so converge never saw the 0/1). A replica deficit explained
+            # entirely by COMPLETE tasks IS converged: the one-shot did its job and will never run
+            # again. Anything else in the deficit (Running/Starting/Pending = still spinning up;
+            # Failed/Rejected = genuinely broken) stays not-converged, and a desired>0 service with
+            # no tasks yet is still scheduling.
+            tasks = subprocess.run(
+                ["docker", "service", "ps", name, "--format", "{{.CurrentState}}"],
+                capture_output=True,
+                text=True,
+            )
+            states = [ln.split()[0] for ln in tasks.stdout.split("\n") if ln.strip()]
+            if not (states and all(s == "Complete" for s in states)):
+                return False
+    # N/N alone is NOT convergence during a stop-first rolling update: a chaos redeploy that changes
+    # a non-app service image (e.g. immich's db pin) registers the update immediately, but swarm may
+    # not have cycled that service's task yet — the OLD task still shows 1/1, then dies seconds later
+    # (immich CI 238: backupbot exec'd the db pre-hook into the just-killed container → 409). Require
+    # every service's UpdateStatus to be settled too, so the wait spans the whole rolling update.
+    proc = subprocess.run(
+        [
+            "docker",
+            "service",
+            "inspect",
+            *names,
+            "--format",
+            "{{if .UpdateStatus}}{{.UpdateStatus.State}}{{end}}",
+        ],
+        capture_output=True,
+        text=True,
+    )
+    if proc.returncode != 0:
+        return False  # a service vanished mid-check — not settled
+    for state in proc.stdout.split("\n"):
+        # Only ACTIVE states block convergence. 'paused'/'rollback_paused' are terminal-without-
+        # intervention: swarm's default update-failure-action pauses the update on one task flicker
+        # and the flag then persists FOREVER (immich CI 241: app service 'paused' from a restart
+        # during restore, service back at 1/1 and healthy — the wait hung to its deadline). With
+        # N/N already required above, a paused update is settled for our purposes; the HTTP-health
+        # and tier assertions still gate whether the app actually works.
+        if state.strip() in ("updating", "rollback_started"):
            return False
    return True

@ -415,7 +524,9 @@ def recipe_checkout_ref(recipe: str, ref: str) -> None:
    abra.recipe_checkout(recipe, ref)


-def chaos_redeploy(domain: str, deploy_timeout: int = 900, no_converge_checks: bool = False) -> None:
+def chaos_redeploy(
+    domain: str, deploy_timeout: int = 900, no_converge_checks: bool = False
+) -> None:
    """In-place `abra app deploy --chaos`: redeploy the running app at the CURRENT recipe checkout
    (HC1: the PR-head code under test). This is the upgrade op, not a fresh install — it does NOT go
    through deploy_app, so the deploy-count guard (DG4.1) is not incremented.
@ -433,7 +544,7 @@ def chaos_redeploy(domain: str, deploy_timeout: int = 900, no_converge_checks: b
    abra.deploy(domain, chaos=True, timeout=deploy_timeout, no_converge_checks=no_converge_checks)


-def wait_ready_probes(meta: dict, domain: str, timeout: int = 600) -> None:
+def wait_ready_probes(meta, domain: str, timeout: int = 600, op: str | None = None) -> None:
    """Poll a recipe's optional READY_PROBE endpoints until each returns an accepted status, or raise.

    A recipe_meta may define `READY_PROBE(domain) -> [{"host":..., "path":..., "ok":(200,)}, ...]`
@ -450,10 +561,10 @@ def wait_ready_probes(meta: dict, domain: str, timeout: int = 600) -> None:
    must be released by the old task + rebound by the new) the voice server can be down while
    HTTP-200 still passes — and backup-bot then execs into a not-running app container (409). Requiring
    the voice port to be stably listening before proceeding closes that window."""
-    probe_fn = meta.get("READY_PROBE")
+    probe_fn = meta.READY_PROBE
    if not callable(probe_fn):
        return
-    probes = probe_fn(domain) or []
+    probes = probe_fn(meta_mod.hook_ctx(domain, meta, op=op)) or []
    for probe in probes:
        if "tcp_port" in probe:
            host = probe.get("tcp_host", "127.0.0.1")
@ -498,6 +609,16 @@ def wait_ready_probes(meta: dict, domain: str, timeout: int = 600) -> None:

 def backup_app(domain: str) -> str:
    """Create a backup; return the abra/restic output (carries the produced snapshot_id)."""
+    # Never back up a stack that is still converging/rolling-updating: backupbot resolves each
+    # service's hook container ONCE up front, so a task that cycles between that lookup and the
+    # pre-hook exec crashes the whole backup with a 409 (immich CI 238). Bounded wait — on timeout
+    # we still attempt the backup and let the tier's assertion deliver the verdict.
+    deadline = time.time() + 300
+    while time.time() < deadline and not services_converged(domain):
+        print(
+            f"  backup: {domain} stack not settled yet — waiting before backup create", flush=True
+        )
+        time.sleep(5)
    return abra.backup_create(domain)


@ -603,17 +724,84 @@ def teardown_app(domain: str, verify: bool = True) -> None:
        residual = _residual(domain)
        if any(residual.values()):
            raise TeardownError(f"teardown left residual for {domain}: {residual}")
+    # No unregistration step: the app lock releases implicitly at process exit. The clean run's
+    # leftover lockfile (unheld) is unlinked on sight by the next janitor's stale-lockfile sweep.


-def janitor(max_age_seconds: int | None = None) -> None:
-    """Reap orphaned run apps from crashed/rebooted runs. Matches the real naming scheme and only
-    reaps apps older than max_age_seconds (so concurrent in-flight runs are never killed). Reaps via
-    docker primitives so it works even when the .env is gone (A2/A3). Default 2h, env-overridable
-    via CCCI_JANITOR_MAX_AGE (e.g. 0 to reap all matching orphans immediately)."""
-    import os
+# A lock held longer than 2x the 60-min hard deadline can only be a leaked run (the deadline
+# bounds every healthy run). Flag it for a human — NEVER steal a held lock.
+LONG_HELD_LOCK_SECONDS = 2 * lifetime.HARD_DEADLINE_SECONDS

-    if max_age_seconds is None:
-        max_age_seconds = int(os.environ.get("CCCI_JANITOR_MAX_AGE", "7200"))
+
+def _probe_and_reap(domain: str) -> None:
+    """Probe one run app's lock; reap iff nobody holds it (kernel-guaranteed orphan).
+
+    Reaping happens WHILE HOLDING the probe lock, closing the janitor-vs-new-run race: a new run
+    of the same domain blocks in acquire_app_lock until the reap finishes, so a fresh app never
+    coexists with a half-reaped one. The lockfile is unlinked before release (still holding the
+    lock); a waiter that blocked on the unlinked inode re-checks identity and retries. Two racing
+    janitors arbitrate on the same flock: one reaps, the other sees 'held' and leaves —
+    teardown_app(verify=False) is idempotent either way."""
+    path = _app_lock_path(domain)
+    try:
+        # PEP 446: non-inheritable fd, same as acquire_app_lock.
+        f = open(path, "a")  # noqa: SIM115 — closed in the finally below, lock released with it
+    except OSError as e:
+        print(f"!! janitor: cannot open lockfile {path} ({e}) — skipping {domain}", flush=True)
+        return
+    try:
+        try:
+            fcntl.flock(f, fcntl.LOCK_EX | fcntl.LOCK_NB)
+        except BlockingIOError:
+            # Held -> live run. Never steal; flag if it has been held implausibly long.
+            try:
+                held_for = time.time() - os.stat(path).st_mtime
+            except OSError:
+                held_for = 0
+            if held_for > LONG_HELD_LOCK_SECONDS:
+                print(
+                    f"!! lock for {domain} held >{LONG_HELD_LOCK_SECONDS // 60}min — possible "
+                    "leaked run; inspect with lslocks",
+                    flush=True,
+                )
+            else:
+                print(
+                    f"  janitor: {domain} lock held — live concurrent run, leaving it", flush=True
+                )
+            return
+        # Acquired — but only the inode the PATH names counts (another janitor may have reaped
+        # and unlinked this inode while we raced; a lock on an unlinked inode protects nothing
+        # and unlinking the path now would delete a NEWER run's lockfile).
+        try:
+            if os.fstat(f.fileno()).st_ino != os.stat(path).st_ino:
+                return
+        except FileNotFoundError:
+            return
+        # Orphan: no live owner (the kernel released the lock when the owner died). Reap while
+        # holding the probe lock, then unlink the lockfile before releasing.
+        print(f"  janitor: {domain} lock acquirable — orphan, reaping", flush=True)
+        with contextlib.suppress(Exception):
+            teardown_app(domain, verify=False)
+        with contextlib.suppress(OSError):
+            os.unlink(path)
+    finally:
+        f.close()
+
+
+def janitor() -> None:
+    """Reap orphaned run apps from crashed/rebooted runs; the kernel flock is the only liveness
+    oracle. For every candidate run app, probe its app-domain lock (LOCK_NB):
+
+      acquirable -> nobody holds it -> orphan -> reap under the probe lock + unlink lockfile
+      held       -> live concurrent run -> leave it (warn if held >2x the hard deadline)
+
+    Candidate discovery is unchanged: `abra app ls` + a docker-service sweep (catches stacks
+    whose .env is already gone), both matched against RUN_APP_RE — warm/canonical apps never
+    match and are never probed. Post-reboot, /run/lock (tmpfs) is empty, so every surviving app
+    probes as an orphan and is reaped immediately (no age threshold). Stale lockfiles with no
+    app behind them are unlinked on sight. Degrades safely: an unreadable lockfile/dir is
+    skipped with a log line, never a crash. Reaps via docker primitives so it works even when
+    the .env is gone (A2/A3)."""
    seen = set()
    for app in abra.app_ls():
        name = app.get("appName") or app.get("domain") or ""
@ -627,9 +815,22 @@ def janitor(max_age_seconds: int | None = None) -> None:
            seen.add(f"{m.group(1)}.ci.commoninternet.net")

    for name in seen:
-        stack = _stack_name(name)
-        age = _stack_age_seconds(stack)
-        if age is not None and age < max_age_seconds:
-            continue  # likely a concurrent in-flight run; leave it
-        with contextlib.suppress(Exception):
-            teardown_app(name, verify=False)
+        _probe_and_reap(name)
+
+    # Tidy /run/lock: a clean run's leftover lockfile is unheld and appless — unlink it (under
+    # its own probe lock, with the same identity check as above).
+    with contextlib.suppress(OSError):
+        for path in glob.glob(os.path.join(_app_lock_dir(), "cc-ci-app-*.lock")):
+            domain = os.path.basename(path)[len("cc-ci-app-") : -len(".lock")]
+            if domain in seen:
+                continue  # handled (or deliberately left) above
+            with contextlib.suppress(OSError):
+                f = open(path, "a")  # noqa: SIM115 — closed below, lock released with it
+                try:
+                    fcntl.flock(f, fcntl.LOCK_EX | fcntl.LOCK_NB)
+                    if os.fstat(f.fileno()).st_ino == os.stat(path).st_ino:
+                        os.unlink(path)
+                except (BlockingIOError, FileNotFoundError):
+                    pass  # held (live run pre-deploy) or already gone — leave it
+                finally:
+                    f.close()
--- a/runner/harness/lifetime.py
+++ b/runner/harness/lifetime.py
@ -0,0 +1,95 @@
+"""Run-lifetime hardening (concurrency restructure P1).
+
+The concurrency model's invariant chain is:
+
+    lock lifetime ⊆ harness process lifetime ⊆ drone step lifetime ⊆ 60-min hard deadline
+
+Locks are kernel flocks released on process exit, so the only thing that needs managing is the
+PROCESS lifetime. Three guards, installed at run startup (before any abra call) by
+`install_lifetime_guards()`:
+
+  1. `PR_SET_PDEATHSIG(SIGTERM)`: if the parent (the drone step shell) dies — cancel, runner
+     crash, host shutdown of the step — the kernel delivers SIGTERM to the harness, so a dead
+     build can never leak a running harness that holds locks. Paired with a ppid==1 re-check
+     AFTER the prctl: a parent that died BEFORE the prctl took effect would never trigger the
+     death signal, so a harness that finds itself already reparented refuses to run.
+  2. SIGTERM handler: raise SystemExit so the run's `finally:` teardown funnel executes and the
+     process exits non-zero. Re-entrant deliveries during teardown are logged and IGNORED so a
+     second signal can't abort the cleanup the first one asked for (`begin_teardown()` guards
+     this; the run's own `finally:` blocks also call it so a signal landing mid-normal-teardown
+     can't abort that either).
+  3. `signal.alarm(3600)`: self-imposed hard deadline. SIGALRM funnels into the same teardown
+     path with a distinct log line. Teardown time after the deadline is not alarm-bounded —
+     interrupting a teardown buys nothing; the janitor (flock probe) is the backstop if a
+     teardown wedges and the process is killed harder.
+"""
+
+from __future__ import annotations
+
+import ctypes
+import os
+import signal
+import sys
+
+HARD_DEADLINE_SECONDS = 60 * 60
+
+_PR_SET_PDEATHSIG = 1  # linux/prctl.h
+
+_state = {"tearing_down": False}
+
+
+def begin_teardown() -> None:
+    """Mark the teardown funnel as running. From here on SIGTERM/SIGALRM must NOT raise — it
+    would abort the very cleanup it asks for — so the handlers log and return instead. Called by
+    the handlers themselves before raising, and at the top of the run's `finally:` blocks."""
+    _state["tearing_down"] = True
+
+
+def _funnel_handler(log_line: str, exit_code: int):
+    """A signal handler that routes into the teardown funnel exactly once: log, then raise
+    SystemExit (propagates through the run's try/finally → teardown executes → non-zero exit).
+    While teardown is already running, further signals are logged and swallowed."""
+
+    def handler(signum: int, frame) -> None:  # noqa: ARG001
+        print(log_line, flush=True)
+        if _state["tearing_down"]:
+            print(
+                f"== signal {signum} during teardown — ignored (teardown continues, "
+                "exit stays non-zero) ==",
+                flush=True,
+            )
+            return
+        begin_teardown()
+        raise SystemExit(exit_code)
+
+    return handler
+
+
+def install_lifetime_guards(deadline_seconds: int = HARD_DEADLINE_SECONDS) -> None:
+    """Install all three lifetime guards (see module docstring). Must run at harness startup,
+    before any abra call and before any lock is taken."""
+    libc = ctypes.CDLL("libc.so.6", use_errno=True)
+    if libc.prctl(_PR_SET_PDEATHSIG, signal.SIGTERM, 0, 0, 0) != 0:
+        err = ctypes.get_errno()
+        raise OSError(err, f"prctl(PR_SET_PDEATHSIG, SIGTERM) failed: {os.strerror(err)}")
+    # The prctl is armed now — but only fires for a parent death AFTER this point. If the parent
+    # already died, we are reparented (ppid 1) and would never get the signal: refuse to run, an
+    # orphaned harness would hold locks/apps with nothing managing its lifetime.
+    if os.getppid() == 1:
+        sys.exit("parent died before prctl(PR_SET_PDEATHSIG) — refusing to run orphaned")
+    signal.signal(
+        signal.SIGTERM,
+        _funnel_handler(
+            "== SIGTERM received (drone cancel / parent death) — tearing down ==",
+            128 + signal.SIGTERM,
+        ),
+    )
+    minutes = deadline_seconds // 60
+    signal.signal(
+        signal.SIGALRM,
+        _funnel_handler(
+            f"== run exceeded {minutes}-minute hard deadline — tearing down ==",
+            128 + signal.SIGALRM,
+        ),
+    )
+    signal.alarm(deadline_seconds)
--- a/runner/harness/lint.py
+++ b/runner/harness/lint.py
@ -0,0 +1,174 @@
+"""L5 lint rung — run `abra recipe lint` against the exact ref under test (phase lvl5).
+
+Executor + classifier for the fifth ladder rung. Design constraints (plan-phase-lvl5 §2):
+
+- **Lints the recipe's CONTENT, not the harness plumbing.** abra lint reads every
+  `compose*.yml` in the tree (including the CI's untracked install_steps overlays) and
+  force-fetches tags from `origin` (which on PR runs is the private mirror, unauthenticated
+  here → FATA). Both are harness artifacts, so the executor lints a PRISTINE scratch clone of
+  the per-run tree, checked out at the exact tested ref: `origin` becomes a local path (tag
+  fetch works offline, no auth) and the run's true tag set rides along (fetch_recipe pulls the
+  upstream version tags into the per-run tree). No lint rule is filtered or ignored.
+- **rc is not the verdict.** `abra recipe lint` exits non-zero only when it cannot lint
+  (FATA); rule outcomes live in its table — error-severity ❌ rows print a trailing
+  "WARN critical errors present …" sentinel but still exit 0. So the classifier parses the
+  table: FAIL iff an error-severity rule is unsatisfied (or the FATA is content-attributable:
+  "unable to validate recipe" — the recipe config itself is invalid). PASS iff the table
+  rendered and no error rule failed. ANYTHING else — timeout, abra/script missing, tag-fetch
+  FATA, unparseable output — is "unver": loud, never a silent pass, never an intentional skip.
+- **Best-effort + time-bounded.** Hard ~60s timeout (observed runtime ≈0.7s); the caller
+  wraps run_lint in try/except besides — a wedged lint can never hang or fail a run, and the
+  run VERDICT is untouched by any lint outcome (lint is a level rung, not a gate).
+- Full command output (+ cmd, rc, ref header) is captured to `lint.txt` in the run artifact
+  dir; results.json carries status + short excerpt (failing rule ids).
+
+abra needs a PTY even with -n ("inappropriate ioctl on device") → run via util-linux
+`script -qec`, same trick as harness.abra._run_pty.
+"""
+
+from __future__ import annotations
+
+import os
+import re
+import shlex
+import shutil
+import subprocess
+import tempfile
+
+from . import abra
+
+LINT_TIMEOUT = 60  # hard budget, seconds; observed ~0.7s per recipe
+
+# Strip ANSI escape sequences from PTY output before parsing.
+_ANSI = re.compile(r"\x1b\[[0-9;?]*[A-Za-z]")
+
+# A table row: ┃ R014 ┃ description ┃ error ┃ ✅/❌ ┃ skipped ┃ how-to-fix ┃ — abra renders the
+# grid with HEAVY box-drawing verticals (┃ U+2503); accept the light variant (│ U+2502) too.
+_ROW = re.compile(
+    r"^\s*[│┃]\s*(R\d+)\s*[│┃](.*?)[│┃]\s*(warn|error)\s*[│┃]\s*(✅|❌)\s*[│┃]\s*([^│┃]*)[│┃]"
+)
+
+# abra's trailing sentinel when any error-severity rule is unsatisfied (cross-check only).
+_SENTINEL = "critical errors present"
+
+# FATA classes that are the RECIPE's fault (its config cannot even be validated) — a lint
+# FAIL, not an unverified rung. Everything else non-zero is environmental → unver.
+_CONTENT_FATA = "unable to validate recipe"
+
+
+def parse_table(output: str) -> list[dict]:
+    """Parse the lint table → rows {rule, desc, severity, satisfied(bool), skipped(bool)}.
+    Tolerant: lines that don't match are ignored; returns [] when no table rendered."""
+    rows = []
+    for line in _ANSI.sub("", output).replace("\r", "\n").splitlines():
+        m = _ROW.match(line)
+        if not m:
+            continue
+        rule, desc, severity, mark, skipped = m.groups()
+        rows.append(
+            {
+                "rule": rule,
+                "desc": desc.strip(),
+                "severity": severity,
+                "satisfied": mark == "✅",
+                "skipped": skipped.strip() not in ("", "-"),
+            }
+        )
+    return rows
+
+
+def classify(rc: int | None, output: str) -> tuple[str, str, list[str]]:
+    """(status, detail, failed_rule_ids) from a finished lint invocation.
+
+    status ∈ {"pass","fail","unver"}; never a silent pass: pass requires a parsed table with
+    zero unsatisfied error-severity rules AND no sentinel. `rc=None` means the run itself blew
+    up (timeout/missing binary) — always unver; the caller supplies the detail.
+    """
+    if rc is None:
+        return "unver", "lint did not run", []
+    if rc != 0:
+        first = next((ln for ln in _ANSI.sub("", output).splitlines() if "FATA" in ln), "").strip()
+        if _CONTENT_FATA in output:
+            # The recipe config itself failed validation — attributable to recipe content.
+            return "fail", first or "recipe config failed validation", []
+        return "unver", first or f"abra recipe lint exited {rc} with no table", []
+    rows = parse_table(output)
+    if not rows:
+        return "unver", "no lint table in output (rc=0)", []
+    failed = [
+        r["rule"]
+        for r in rows
+        if r["severity"] == "error" and not r["satisfied"] and not r["skipped"]
+    ]
+    if failed:
+        return "fail", f"error rule(s) unsatisfied: {', '.join(failed)}", failed
+    if _SENTINEL in output:
+        # abra says critical errors but our parse found none — distrust the parse, never inflate.
+        return "fail", "abra reported critical errors (table parse found none)", []
+    return "pass", "", []
+
+
+def run_lint(recipe: str, ref: str | None, out_dir: str | None) -> dict:
+    """Execute the lint rung for `recipe` at exactly `ref` (a sha; None → the per-run tree's
+    current HEAD). Returns {"status","detail","rules_failed"} and writes lint.txt into
+    `out_dir` (when given). Never raises: every failure mode is caught into status "unver"."""
+    scratch = None
+    rc: int | None = None
+    output = ""
+    try:
+        src_tree = abra.recipe_dir(recipe)
+        scratch = tempfile.mkdtemp(prefix="ccci-lint-")
+        lint_abra = os.path.join(scratch, "abra")
+        os.makedirs(os.path.join(lint_abra, "recipes"))
+        clone = os.path.join(lint_abra, "recipes", recipe)
+        subprocess.run(
+            ["git", "clone", "--quiet", src_tree, clone],
+            check=True,
+            capture_output=True,
+            text=True,
+            timeout=LINT_TIMEOUT,
+        )
+        if ref:
+            subprocess.run(
+                ["git", "-C", clone, "checkout", "-f", "--quiet", ref],
+                check=True,
+                capture_output=True,
+                text=True,
+                timeout=LINT_TIMEOUT,
+            )
+        # catalogue: R006 (published catalogue version) reads it; servers: harmless, some abra
+        # paths stat it. Symlink the live ones (read-only use).
+        for shared in ("catalogue", "servers"):
+            src = os.path.join(abra.abra_dir(), shared)
+            if os.path.exists(src):
+                os.symlink(os.path.realpath(src), os.path.join(lint_abra, shared))
+        env = dict(os.environ, ABRA_DIR=lint_abra)
+        proc = subprocess.run(
+            ["script", "-qec", f"abra recipe lint -n {shlex.quote(recipe)}", "/dev/null"],
+            capture_output=True,
+            text=True,
+            timeout=LINT_TIMEOUT,
+            env=env,
+        )
+        rc, output = proc.returncode, proc.stdout + proc.stderr
+        status, detail, failed = classify(rc, output)
+    except subprocess.TimeoutExpired:
+        status, detail, failed = "unver", f"lint timed out after {LINT_TIMEOUT}s", []
+    except Exception as e:  # noqa: BLE001 — rung must never break the run; unver is the honest floor
+        status, detail, failed = "unver", f"lint executor error: {e.__class__.__name__}: {e}", []
+    finally:
+        if scratch:
+            shutil.rmtree(scratch, ignore_errors=True)
+    if status == "unver":
+        print(f"!! lint rung UNVERIFIED for {recipe}: {detail}", flush=True)
+    if out_dir:
+        try:
+            os.makedirs(out_dir, exist_ok=True)
+            with open(os.path.join(out_dir, "lint.txt"), "w", encoding="utf-8") as f:
+                f.write(
+                    f"$ abra recipe lint -n {recipe}  (ref={ref or 'HEAD'})\n"
+                    f"rc={rc}  status={status}  {detail}\n\n{output}"
+                )
+        except OSError as e:
+            print(f"  lint: could not write lint.txt (non-fatal): {e}", flush=True)
+    return {"status": status, "detail": detail, "rules_failed": failed}
--- a/runner/harness/manifest.py
+++ b/runner/harness/manifest.py
@ -0,0 +1,153 @@
+"""Customization manifest (rcust P5; spec §8 R4 mitigation).
+
+One block at run start answering "what does this recipe customize?" across ALL the surfaces
+(recipe_meta keys, hook files, file-presence, run-time env overrides) — printed to the run log and
+embedded verbatim in results.json under "customization". PURE PRESENTATION: building or printing
+the manifest must never influence any verdict (R7-class invariant).
+"""
+
+from __future__ import annotations
+
+import os
+import re
+
+from . import discovery, lifecycle
+from . import meta as meta_mod
+
+_PRE_OP_RE = re.compile(r"^def (pre_[a-z]+)\(", re.MULTILINE)
+
+# Meta values are repo-public by construction (recipe_meta.py is committed; real secrets are
+# class-B generated, never meta), but the manifest lands on the dashboard — mask values whose
+# key NAME is secret-shaped so a field literally called SECRET_KEY_BASE never shows a value
+# (defense in depth + keeps dashboard secret-scans quiet). `KEY` matches only as a word segment
+# (API_KEY yes, KEYCLOAK_URL no).
+_SENSITIVE_NAME_RE = re.compile(r"SECRET|PASSWORD|TOKEN|CREDENTIAL|(^|_)KEY(_|$)", re.IGNORECASE)
+
+
+def _jsonable(v, name=""):
+    """Manifest values must be JSON-serializable + deterministic: hooks render as '<hook>',
+    tuples become lists, secret-named entries (by key name, incl. nested dict keys) as
+    '<redacted>'."""
+    if callable(v):
+        return "<hook>"
+    if name and _SENSITIVE_NAME_RE.search(name):
+        return "<redacted>"
+    if isinstance(v, tuple):
+        return list(v)
+    if isinstance(v, dict):
+        return {k: _jsonable(x, name=str(k)) for k, x in v.items()}
+    return v
+
+
+def _pre_ops(path: str) -> list[str]:
+    """The pre_<op> hook names an ops.py defines (cheap source scan, same approach as
+    discovery._module_defines — no import)."""
+    try:
+        with open(path) as fh:
+            return sorted(set(_PRE_OP_RE.findall(fh.read())))
+    except OSError:
+        return []
+
+
+def _custom_counts(recipe: str, repo_local: str | None) -> dict[str, dict[str, int]]:
+    out: dict[str, dict[str, int]] = {}
+    for source, path in discovery.custom_tests(recipe, repo_local):
+        sub = os.path.basename(os.path.dirname(path))  # functional | playwright
+        out.setdefault(source, {}).setdefault(sub, 0)
+        out[source][sub] += 1
+    return out
+
+
+def build(recipe: str, meta, repo_local: str | None) -> dict:
+    """Collect the run's resolved customization into one deterministic, JSON-serializable dict.
+
+    Keys: meta_non_default (explicitly-customized recipe_meta keys), hooks (ops.py pre-ops +
+    install_steps.sh + compose.ccci.yml with their source), overlays (lifecycle overlay files by
+    op + source), custom_tests (counts per source/subdir), env_overrides (active
+    CCCI_SKIP_GENERIC* — the dev-only escape hatch, flagged when riding a CI run)."""
+    hooks: dict = {}
+    pre_ops: dict[str, list[str]] = {}
+    for source, d in (
+        ("cc-ci", discovery.cc_ci_dir(recipe)),
+        ("repo-local", discovery._gated(recipe, repo_local)),  # noqa: SLF001 — same HC2 gate
+    ):
+        if not d:
+            continue
+        p = os.path.join(d, "ops.py")
+        if os.path.isfile(p):
+            ops = _pre_ops(p)
+            if ops:
+                pre_ops[source] = ops
+    if pre_ops:
+        hooks["ops.py"] = pre_ops
+    ist = discovery.install_steps(recipe, repo_local)
+    if ist:
+        hooks["install_steps.sh"] = ist[0]
+    if lifecycle.has_ccci_overlay(recipe):
+        hooks["compose.ccci.yml"] = "cc-ci"
+
+    overlays = {}
+    for op in discovery.LIFECYCLE_OPS:
+        ov = discovery.resolve_overlay_op(recipe, op, repo_local)
+        if ov:
+            overlays[op] = ov[0]
+
+    env_overrides = sorted(
+        k
+        for k in os.environ
+        if k.startswith("CCCI_SKIP_GENERIC")
+        and str(os.environ.get(k) or "").strip().lower() in ("1", "true", "yes", "on")
+    )
+
+    return {
+        "meta_non_default": {
+            k: _jsonable(v, name=k) for k, v in sorted(meta_mod.non_default(meta).items())
+        },
+        "hooks": hooks,
+        "overlays": overlays,
+        "custom_tests": _custom_counts(recipe, repo_local),
+        "env_overrides": env_overrides,
+    }
+
+
+def render(recipe: str, manifest: dict) -> str:
+    """The human block printed at run start (same content as the results.json key)."""
+    lines = [f"===== customization manifest: {recipe} ====="]
+    nd = manifest["meta_non_default"]
+    lines.append(
+        "meta (non-default): "
+        + (" ".join(f"{k}={v!r}" for k, v in nd.items()) if nd else "(none — zero-config floor)")
+    )
+    hk = manifest["hooks"]
+    parts = []
+    for source, ops in hk.get("ops.py", {}).items():
+        parts.append(f"ops.py[{','.join(ops)}]({source})")
+    if "install_steps.sh" in hk:
+        parts.append(f"install_steps.sh({hk['install_steps.sh']})")
+    if "compose.ccci.yml" in hk:
+        parts.append(f"compose.ccci.yml({hk['compose.ccci.yml']})")
+    lines.append("hooks: " + (" ".join(parts) if parts else "(none)"))
+    ov = manifest["overlays"]
+    lines.append(
+        "overlays: "
+        + (" ".join(f"test_{op}.py({src})" for op, src in ov.items()) if ov else "(none)")
+    )
+    ct = manifest["custom_tests"]
+    lines.append(
+        "custom tests: "
+        + (
+            " ".join(
+                " ".join(f"{sub}/={n}" for sub, n in sorted(counts.items())) + f" ({source})"
+                for source, counts in sorted(ct.items())
+            )
+            if ct
+            else "(none)"
+        )
+    )
+    eo = manifest["env_overrides"]
+    if eo:
+        suffix = "   !! dev-only override active in CI" if os.environ.get("DRONE") else ""
+        lines.append("env overrides: " + " ".join(f"{k}=1" for k in eo) + suffix)
+    else:
+        lines.append("env overrides: (none)")
+    return "\n".join(lines)
--- a/runner/harness/meta.py
+++ b/runner/harness/meta.py
@ -0,0 +1,320 @@
+"""Single recipe-meta loader + declarative key registry (recipe-custom restructure P1; spec
+docs/recipe-customization.md §8 R1).
+
+THE one place `tests/<recipe>/recipe_meta.py` is `exec()`d. Every consumer (orchestrator, pytest
+`meta` fixture, deploy env shaping, deps, warm-canonical enrollment, screenshot) reads the ONE
+loaded `RecipeMeta` object instead of re-exec'ing the file and cherry-picking keys — that drift
+(six divergent loaders, spec §4 L1–L6) is what made `SCREENSHOT` an unreachable knob (R2) and let
+key typos silently disable coverage (R6).
+
+Validation (locked decision, recipe-custom-restructure-full-plan.md):
+- unknown ALL-CAPS top-level name → MetaError (hard error, fails fast at load; the all-recipes
+  unit test catches it at PR time). Underscore-prefixed names (`_FOO`) are recipe-private and
+  exempt; lowercase names (helper functions/imports) are ignored.
+- type mismatch → MetaError. Callables are accepted ONLY for hook-typed keys.
+
+The KEYS registry is the single source of truth for the key set: it drives validation, the
+RecipeMeta dataclass fields, and the generated reference table in docs/recipe-customization.md §4
+(scripts/gen-meta-docs.py; a unit test asserts the committed table matches).
+"""
+
+from __future__ import annotations
+
+import copy
+import dataclasses
+import difflib
+import inspect
+import json
+import os
+from collections.abc import Callable
+
+ROOT = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+TESTS_DIR = os.path.join(ROOT, "tests")
+
+
+class MetaError(Exception):
+    """A recipe_meta.py failed registry validation (unknown key / type mismatch / callable on a
+    data key). Hard error by design: a typo'd key must fail the run at load, not silently reduce
+    coverage (spec §8 R6 — the worst failure mode for a CI harness)."""
+
+
+@dataclasses.dataclass(frozen=True)
+class Key:
+    """One registered recipe_meta key: name, type tag, default, one-line doc (rendered into the
+    generated reference table), optional extra validator, and a deprecation marker (deprecated
+    keys still load+validate but are scheduled for deletion)."""
+
+    name: str
+    type: str  # "int"|"str"|"tuple[int]"|"bool"|"dict_or_hook"|"hook"|"list[str]"|"dict"
+    default: object
+    doc: str
+    validate: Callable[[object], None] | None = None
+    deprecated: bool = False
+    # Expected positional-parameter names for a callable value (rcust P3 uniform ctx convention).
+    # Enforced at load so a legacy-signature hook (e.g. `def READY_PROBE(domain)`) fails with a
+    # CLEAR MetaError naming the migration — never a silent TypeError mid-run.
+    hook_params: tuple[str, ...] | None = None
+
+
+KEYS: tuple[Key, ...] = (
+    Key(
+        "HEALTH_PATH",
+        "str",
+        "/",
+        "Path probed for serving/health checks (deploy wait + generic `assert_serving`).",
+    ),
+    Key("HEALTH_OK", "tuple[int]", (200, 301, 302), "Acceptable HTTP status codes for health."),
+    Key("DEPLOY_TIMEOUT", "int", 600, "Max seconds to wait for swarm convergence per deploy."),
+    Key("HTTP_TIMEOUT", "int", 300, "Max seconds to wait for HTTP health after convergence."),
+    Key(
+        "BACKUP_CAPABLE",
+        "bool",
+        None,
+        "Override the backup-tier capability auto-detect (compose `backupbot.backup` labels). `False` forces an intentional skip of the backup/restore rung; `True` forces the tier on; unset = auto-detect.",
+    ),
+    Key(
+        "EXPECTED_NA",
+        "dict",
+        None,
+        "Declare a non-run rung an INTENTIONAL skip: `{rung: reason}` — the level climbs past it; an undeclared non-run rung is *unverified* and blocks the level above it (classification table: machine-docs/DECISIONS.md phase lvl5). Never overrides an exercised pass/fail; the `lint` rung has no escape hatch.",
+    ),
+    Key(
+        "READY_PROBE",
+        "hook",
+        None,
+        "Callable `(ctx) -> [probe, ...]` returning extra readiness probes, run after install AND after upgrade: HTTP `{host, path, ok}` or TCP `{tcp_host, tcp_port, stable}`.",
+        hook_params=("ctx",),
+    ),
+    Key(
+        "UPGRADE_BASE_VERSION",
+        "str",
+        None,
+        "Exact published tag overriding the upgrade tier's base (default: `recipe_versions[-2]`).",
+    ),
+    Key(
+        "BACKUP_VERIFY",
+        "hook",
+        None,
+        "Callable `(ctx) -> bool` post-backup data-capture check; `False` re-runs the backup (truncated-dump race guard), retried up to 3 attempts.",
+        hook_params=("ctx",),
+    ),
+    Key(
+        "UPGRADE_EXTRA_ENV",
+        "dict_or_hook",
+        None,
+        "Extra `.env` keys applied after the PR-head checkout, before the chaos redeploy (env that exists only at head). Dict, or callable `(ctx) -> dict`.",
+        hook_params=("ctx",),
+    ),
+    Key(
+        "EXTRA_ENV",
+        "dict_or_hook",
+        {},
+        "Extra `.env` keys applied at EVERY deploy (base install AND upgrade old-app). Dict, or callable `(ctx) -> dict` deriving values from the per-run domain (`ctx.domain`).",
+        hook_params=("ctx",),
+    ),
+    Key(
+        "DEPS",
+        "list[str]",
+        [],
+        'Dep recipes deployed/provisioned alongside (e.g. `["keycloak"]`); creds land in `$CCCI_DEPS_FILE`.',
+    ),
+    Key(
+        "WARM_CANONICAL",
+        "bool",
+        False,
+        "Enroll the recipe in the warm/canonical app system (docs/warm.md): green cold runs on LATEST advance the canonical snapshot.",
+    ),
+    Key(
+        "SCREENSHOT",
+        "hook",
+        None,
+        "Callable `(page, ctx)` driving Playwright to a safe, credential-free post-login view for the results-card screenshot (default: landing page).",
+        hook_params=("page", "ctx"),
+    ),
+    # (CHAOS_BASE_DEPLOY, OIDC_AT_INSTALL and SKIP_GENERIC were deleted in restructure P2:
+    # compose.ccci.yml is first-class + auto-chaos; install-time deps wiring is the only mode;
+    # the generic floor is suppressible only via the dev-only CCCI_SKIP_GENERIC* env form.)
+)
+
+_REGISTRY: dict[str, Key] = {k.name: k for k in KEYS}
+
+# The one validated, attribute-access view of a recipe's customization. Generated from KEYS so the
+# field set can never drift from the registry (frozen: consumers share one immutable object).
+RecipeMeta = dataclasses.make_dataclass(
+    "RecipeMeta",
+    [(k.name, object, dataclasses.field(default=None)) for k in KEYS],
+    frozen=True,
+)
+RecipeMeta.__doc__ = (
+    "Validated per-recipe customization (one field per registered key; attribute access). "
+    "Built ONLY by meta.load()."
+)
+
+
+def meta_path(recipe: str, tests_dir: str | None = None) -> str:
+    """Canonical path of a recipe's meta file (pure)."""
+    return os.path.join(tests_dir or TESTS_DIR, recipe, "recipe_meta.py")
+
+
+def check_hook_signature(fn, expected: tuple[str, ...], where: str) -> None:
+    """Enforce the uniform ctx hook convention (rcust P3): a hook callable's positional parameters
+    must be exactly `expected` (e.g. ("ctx",) or ("page", "ctx")). A legacy-signature hook (the
+    pre-restructure `(domain)` / `(domain, meta)` / `(page, domain, meta)` forms) raises a CLEAR
+    MetaError naming the migration — never a silent TypeError mid-run."""
+    try:
+        params = [
+            p.name
+            for p in inspect.signature(fn).parameters.values()
+            if p.kind in (p.POSITIONAL_ONLY, p.POSITIONAL_OR_KEYWORD)
+        ]
+    except (TypeError, ValueError):  # builtins/odd callables — let the call site surface it
+        return
+    if tuple(params) != expected:
+        raise MetaError(
+            f"{where}: hook signature is ({', '.join(params)}) — the recipe-customization "
+            f"restructure (P3) changed ALL recipe hook signatures to ({', '.join(expected)}); "
+            f"read fields off the HookCtx (ctx.domain, ctx.base_url, ctx.meta, ctx.deps, ctx.op). "
+            f"See docs/recipe-customization.md §5."
+        )
+
+
+def _coerce(key: Key, value: object, path: str) -> object:
+    """Validate `value` against `key`'s declared type; normalize containers (tuple[int]/list[str]).
+    Raises MetaError on mismatch — including a callable supplied for a data-typed key."""
+    t = key.type
+    if callable(value) and t not in ("hook", "dict_or_hook"):
+        raise MetaError(
+            f"{path}: {key.name} is a data key (type {t}) — callables are accepted only for "
+            f"hook-typed keys"
+        )
+    if t == "int":
+        if isinstance(value, int) and not isinstance(value, bool):
+            return value
+    elif t == "str":
+        if isinstance(value, str):
+            return value
+    elif t == "bool":
+        if isinstance(value, bool):
+            return value
+    elif t == "tuple[int]":
+        if isinstance(value, tuple | list) and all(
+            isinstance(x, int) and not isinstance(x, bool) for x in value
+        ):
+            return tuple(value)
+    elif t == "list[str]":
+        if isinstance(value, tuple | list) and all(isinstance(x, str) for x in value):
+            return list(value)
+    elif t == "dict":
+        if isinstance(value, dict):
+            return value
+    elif (
+        t == "hook"
+        and callable(value)
+        or t == "dict_or_hook"
+        and (isinstance(value, dict) or callable(value))
+    ):
+        return value
+    raise MetaError(f"{path}: {key.name} must be {t}, got {type(value).__name__} ({value!r})")
+
+
+def load(recipe: str, tests_dir: str | None = None):
+    """Load + validate a recipe's customization -> RecipeMeta. THE only exec() of recipe_meta.py.
+
+    Missing file -> all registry defaults (the zero-config baseline, spec §2). Unknown
+    non-underscore ALL-CAPS top-level name or type mismatch -> MetaError (hard error).
+    `tests_dir` overrides the recipe-meta root (unit tests / fixtures)."""
+    path = meta_path(recipe, tests_dir)
+    values = {k.name: copy.copy(k.default) for k in KEYS}
+    if os.path.exists(path):
+        ns: dict = {}
+        with open(path) as fh:
+            exec(compile(fh.read(), path, "exec"), ns)  # noqa: S102 (trusted, in-repo)
+        for name in sorted(ns):
+            if name.startswith("_") or not name.isupper():
+                continue  # _FOO = recipe-private (exempt); lowercase = helpers/imports (ignored)
+            key = _REGISTRY.get(name)
+            if key is None:
+                near = difflib.get_close_matches(name, _REGISTRY, n=1)
+                hint = f" — did you mean {near[0]!r}?" if near else ""
+                raise MetaError(
+                    f"{path}: unknown recipe_meta key {name!r}{hint}. Registered keys: "
+                    f"{', '.join(sorted(_REGISTRY))}. Recipe-private constants must be "
+                    f"underscore-prefixed (e.g. _{name})."
+                )
+            values[name] = _coerce(key, ns[name], path)
+            if key.hook_params and callable(values[name]):
+                check_hook_signature(values[name], key.hook_params, f"{path}: {name}")
+            if key.validate:
+                key.validate(values[name])
+    return RecipeMeta(**values)
+
+
+def as_dict(meta) -> dict:
+    """RecipeMeta -> {key: value} (every registered key, defaults included)."""
+    return dataclasses.asdict(meta)
+
+
+def non_default(meta) -> dict:
+    """The keys a recipe explicitly customized: {key: value} where value differs from the registry
+    default. Hooks compare by identity-vs-None (a set hook is always non-default). Feeds the run's
+    customization manifest (P5)."""
+    out = {}
+    for k in KEYS:
+        v = getattr(meta, k.name)
+        if v != k.default:
+            out[k.name] = v
+    return out
+
+
+@dataclasses.dataclass(frozen=True)
+class HookCtx:
+    """The single argument every recipe hook receives (rcust P3 uniform ctx convention):
+    `EXTRA_ENV(ctx)`, `UPGRADE_EXTRA_ENV(ctx)`, `READY_PROBE(ctx)`, `BACKUP_VERIFY(ctx)`,
+    `SCREENSHOT(page, ctx)`, ops.py `pre_<op>(ctx)`."""
+
+    domain: str  # the app's per-run domain
+    base_url: str  # https://<domain>
+    meta: object  # the recipe's full RecipeMeta
+    deps: dict | None  # provisioned dep creds ({dep_recipe: entry}) or None if absent/empty
+    op: str | None  # current lifecycle op (install|upgrade|backup|restore) or None
+
+
+def _run_deps() -> dict | None:
+    """The current run's provisioned dep creds from $CCCI_DEPS_FILE (either shape), or None.
+    Read directly (not via harness.deps) to keep meta.py import-cycle-free."""
+    path = os.environ.get("CCCI_DEPS_FILE")
+    if not path or not os.path.exists(path):
+        return None
+    try:
+        with open(path) as f:
+            data = json.load(f)
+    except (OSError, ValueError):
+        return None
+    if isinstance(data, dict):
+        return data or None
+    if isinstance(data, list):
+        out = {e["recipe"]: e for e in data if isinstance(e, dict) and e.get("recipe")}
+        return out or None
+    return None
+
+
+def hook_ctx(domain: str, meta, *, op: str | None = None) -> HookCtx:
+    """Build the HookCtx for a hook call site. Dep creds are picked up from the run's
+    $CCCI_DEPS_FILE when present (None otherwise)."""
+    return HookCtx(domain=domain, base_url=f"https://{domain}", meta=meta, deps=_run_deps(), op=op)
+
+
+def _env_map(value, ctx: HookCtx) -> dict[str, str]:
+    if callable(value):
+        value = value(ctx)
+    return {str(k): str(v) for k, v in (value or {}).items()}
+
+
+def extra_env(meta, ctx: HookCtx) -> dict[str, str]:
+    """Resolve EXTRA_ENV (dict or callable(ctx)->dict) to the concrete per-run env map."""
+    return _env_map(meta.EXTRA_ENV, ctx)
+
+
+def upgrade_extra_env(meta, ctx: HookCtx) -> dict[str, str]:
+    """Resolve UPGRADE_EXTRA_ENV (dict or callable(ctx)->dict) to the concrete env map."""
+    return _env_map(meta.UPGRADE_EXTRA_ENV, ctx)
--- a/runner/harness/results.py
+++ b/runner/harness/results.py
@ -1,20 +1,22 @@
-"""Phase 3 — structured run results + results.json (plan-phase3-results-ux.md §4.2, R1/R3).
+"""Structured run results + results.json (Phase 3 §4.2 R1/R3; level semantics: phase lvl5).

-Turns a run's per-tier pytest outcomes into a single `results.json` artifact carrying, per the plan:
+Turns a run's per-tier pytest outcomes into a single `results.json` artifact carrying:
  { recipe, version, pr, ref, run_id, finished, stages:[{name,status,tests:[{name,status,ms}]}],
-    level, level_cap_reason, level_cap_rung, rungs,
+    level, rungs, lint:{status,detail,rules_failed},
    skips:{intentional:{rung:reason}, unintentional:[rung]},
    flags:{clean_teardown,no_secret_leak}, screenshot, summary_card }

-`skips` splits the N/A (skipped) rungs by a simple rule: a skip is INTENTIONAL iff the recipe lists
-it (with a reason) in `recipe_meta.EXPECTED_NA = {rung: reason}`; any rung skipped but not listed is
-UNINTENTIONAL (a coverage gap to fill or declare). Skips still cap the level either way — the harness
-never claims a rung it did not verify; this only labels *why* a skip happened.
+Rung statuses (phase lvl5, operator-decided — see harness.level + DECISIONS.md): every rung is
+"pass" | "fail" | "skip" (INTENTIONAL — a declared/structural fact says the rung does not apply)
+| "unver" (UNINTENTIONAL — the rung should have run and wasn't verified; blocks the level like a
+fail). `derive_rungs` is the single place every N/A source is classified; anything it cannot
+attribute to a declared/structural fact defaults to "unver" (conservative). `skips` mirrors that
+split into results.json: intentional {rung: reason} / unintentional [rung] (= the unver rungs).

 The per-test breakdown comes from JUnit XML emitted by each tier's pytest invocation (`--junitxml`),
 parsed here with the stdlib (no new dep). The integer **level** is computed by harness.level from a
-rung-status dict derived here (`derive_rungs`) from the tier results + deps/SSO signals the
-orchestrator holds; that mapping is documented in DECISIONS.md (Phase 3).
+rung-status dict derived here (`derive_rungs`) from the tier results + structural signals the
+orchestrator holds; the classification table is in DECISIONS.md (phase lvl5).

 This module is import-pure (no side effects at import). `write_results` is the only writer; the
 orchestrator calls the build/write path inside a try/except so a results failure NEVER changes the
@ -138,53 +140,90 @@ def derive_rungs(
    results: dict[str, str],
    *,
    backup_capable: bool,
-    has_custom: bool,
+    has_upgrade_target: bool,
+    expected_na: dict | None = None,
+    lint_status: str | None = None,
 ) -> dict[str, str]:
-    """Translate the orchestrator's tier results into the rung-status dict harness.level consumes —
-    the FOUR essential rungs only. Conservative by design — never reports a rung 'pass' it can't
-    substantiate (cardinal guardrail: presentation never inflates).
+    """Translate the orchestrator's tier results + structural signals into the rung-status dict
+    harness.level consumes — the FIVE essential rungs. This is the SINGLE place every N/A source
+    is classified intentional ("skip") vs unintentional ("unver"); the table lives in DECISIONS.md
+    (phase lvl5). Conservative by design: never reports "pass" it can't substantiate, and any
+    rung that did not produce a pass/fail and has NO declared/structural reason is "unver".

-      L1 install    : install tier pass.
-      L2 upgrade    : upgrade tier (skip → N/A: only one published version).
-      L3 backup/res : backup AND restore tiers pass (N/A if not backup-capable).
-      L4 functional : recipe-specific functional tests pass — the custom tier. N/A if none ran.
+      L1 install    : install tier pass. Always applies — never "skip" (non-run → unver).
+      L2 upgrade    : upgrade tier. Tier skipped + no upgrade target (only one published
+                      version, structural) → "skip"; declared in EXPECTED_NA → "skip";
+                      anything else non-pass/fail (prior-stage abort, tier excluded) → "unver".
+      L3 backup/res : backup AND restore tiers pass. Not backup-capable (declared/structural)
+                      → "skip"; EXPECTED_NA → "skip"; unverified-while-capable → "unver".
+      L4 functional : the custom tier. No custom tests / tier skipped → EXPECTED_NA-declared
+                      "skip", else "unver" (absent functional coverage is a gap, not an
+                      intentional property of the recipe).
+      L5 lint       : from the lint executor (harness.lint). pass/fail only — every recipe can
+                      be linted, so there is NO intentional-skip escape hatch: a lint that
+                      could not run (timeout, abra missing, executor error) is "unver".

    Integration (SSO/OIDC) and recipe-local are OPTIONAL and intentionally NOT rungs here — they
-    never cap the level (SSO is still enforced for the run VERDICT in run_recipe_ci.py).
+    never affect the level (SSO is still enforced for the run VERDICT in run_recipe_ci.py).
    """
+    expected = set((expected_na or {}).keys())
    rungs: dict[str, str] = {}
    rungs["install"] = level_mod.tier_to_rung(results.get("install"))
-    rungs["upgrade"] = level_mod.tier_to_rung(results.get("upgrade"))
-    rungs["backup_restore"] = level_mod.backup_restore_status(
+
+    up = results.get("upgrade")
+    if up in ("pass", "fail"):
+        rungs["upgrade"] = up
+    elif up == "skip" and not has_upgrade_target:
+        # The orchestrator skipped the tier for the structural reason: nothing to upgrade from.
+        rungs["upgrade"] = "skip"
+    elif "upgrade" in expected:
+        rungs["upgrade"] = "skip"
+    else:
+        rungs["upgrade"] = "unver"
+
+    br = level_mod.backup_restore_status(
        results.get("backup"), results.get("restore"), backup_capable
    )
+    if br == "unver" and "backup_restore" in expected:
+        br = "skip"
+    rungs["backup_restore"] = br

    custom = results.get("custom")
-    if not has_custom or custom == "skip" or custom is None:
-        rungs["functional"] = "na"
-    elif custom == "fail":
-        rungs["functional"] = "fail"
-    else:  # custom == "pass"
-        rungs["functional"] = "pass"
+    if custom in ("pass", "fail"):
+        rungs["functional"] = custom
+    elif "functional" in expected:
+        rungs["functional"] = "skip"
+    else:
+        rungs["functional"] = "unver"
+
+    rungs["lint"] = lint_status if lint_status in ("pass", "fail") else "unver"
    return rungs


-def skips(rungs: dict[str, str], expected_na: dict | None) -> dict:
-    """Split the SKIPPED (N/A) rungs into intentional vs unintentional (operator model).
+# Reasons attached to STRUCTURAL intentional skips (no EXPECTED_NA declaration needed — the
+# fact is read off the recipe itself).
+_STRUCTURAL_REASON = {
+    "upgrade": "only one published version — no upgrade target",
+    "backup_restore": "not backup-capable (no backupbot labels / declared)",
+}

-    A recipe lists the rungs it intentionally skips, each with a reason, in
-    `recipe_meta.EXPECTED_NA = {rung: reason}`. The rule is dead simple: a skipped rung is
-    **intentional** iff it is in that list; any rung that is skipped and NOT in the list is
-    **unintentional** (a coverage gap someone should either fill or declare). N/A still caps the
-    level either way — the harness never claims a rung it did not verify — this only labels *why* a
-    skip happened. Returns:
-      { "intentional": {rung: reason, ...},   # skipped AND declared in EXPECTED_NA
-        "unintentional": [rung, ...] }         # skipped but NOT declared
-    """
+
+def skips(
+    rungs: dict[str, str],
+    expected_na: dict | None,
+) -> dict:
+    """Mirror the rung classification into results.json's `skips` block:
+      { "intentional": {rung: reason, ...},   # status "skip" — declared/structural, with why
+        "unintentional": [rung, ...] }         # status "unver" — should have run, wasn't verified
+    The reason is the recipe's EXPECTED_NA declaration when present, else the structural fact
+    derive_rungs skipped on. Purely descriptive — the level math lives in harness.level."""
    expected = {str(k): str(v) for k, v in (expected_na or {}).items()}
-    na = [r for r, st in rungs.items() if st == "na"]
-    intentional = {r: expected[r] for r in na if r in expected}
-    unintentional = sorted(r for r in na if r not in expected)
+    intentional = {
+        r: expected.get(r) or _STRUCTURAL_REASON.get(r, "declared intentional")
+        for r, st in rungs.items()
+        if st == "skip"
+    }
+    unintentional = sorted(r for r, st in rungs.items() if st == "unver")
    return {"intentional": intentional, "unintentional": unintentional}


@ -200,23 +239,50 @@ def build_results(
    clean_teardown: bool,
    no_secret_leak: bool,
    finished_ts: float | None,
+    has_upgrade_target: bool = True,
+    lint: dict | None = None,
    screenshot: str | None = None,
    summary_card: str | None = None,
    expected_na: dict | None = None,
+    customization: dict | None = None,
 ) -> dict:
    """Assemble the full results.json dict (no I/O). `finished_ts` is passed in (the orchestrator
    stamps it) so this stays pure and deterministic for unit tests. `expected_na` is the recipe's
-    declared intentional-skip map (recipe_meta.EXPECTED_NA) used to distinguish a deliberate skip from
-    accidentally-missing coverage."""
+    declared intentional-skip map (recipe_meta.EXPECTED_NA); `has_upgrade_target` is the structural
+    "a previous published version exists" fact; `lint` is harness.lint.run_lint's result dict
+    (None — e.g. an old caller — derives the lint rung as "unver": never a silent pass)."""
    stages = collect_stages(records)
-    has_custom = any(r["tier"] == "custom" for r in records)
-    rungs = derive_rungs(results, backup_capable=backup_capable, has_custom=has_custom)
-    lvl, cap_reason = level_mod.compute_level(rungs)
-    # The rung that capped the climb (lowest non-pass), or None on a full climb — lets a consumer
-    # (card/badge) tell whether the cap was an intentional skip, an unintentional one, or a failure.
-    capped = level_mod.RUNGS[lvl] if cap_reason else None
+    lint = lint or {}
+    lint_status = lint.get("status")
+    rungs = derive_rungs(
+        results,
+        backup_capable=backup_capable,
+        has_upgrade_target=has_upgrade_target,
+        expected_na=expected_na,
+        lint_status=lint_status,
+    )
+    # Surface lint in the per-stage table too (it has no pytest/JUnit tier), so the card's
+    # stage breakdown carries all five rungs.
+    if rungs["lint"] != "skip":  # lint is never "skip", but stay defensive
+        stages.append(
+            {
+                "name": "lint",
+                "status": rungs["lint"],
+                "tests": [
+                    {
+                        "name": "abra recipe lint",
+                        "classname": "lint",
+                        "source": "harness",
+                        "status": rungs["lint"],
+                        "ms": 0,
+                        "message": str(lint.get("detail") or ""),
+                    }
+                ],
+            }
+        )
+    lvl = level_mod.compute_level(rungs)
    return {
-        "schema": 1,
+        "schema": 2,
        "run_id": run_id(),
        "recipe": recipe,
        "version": version,
@ -224,9 +290,12 @@ def build_results(
        "ref": (ref or "")[:12],
        "finished": finished_ts,
        "level": lvl,
-        "level_cap_reason": cap_reason,
-        "level_cap_rung": capped,
        "rungs": rungs,
+        "lint": {
+            "status": rungs["lint"],
+            "detail": str(lint.get("detail") or ""),
+            "rules_failed": list(lint.get("rules_failed") or []),
+        },
        "skips": skips(rungs, expected_na),
        "stages": stages,
        "results": results,
@ -236,6 +305,9 @@ def build_results(
        },
        "screenshot": screenshot,
        "summary_card": summary_card,
+        # rcust P5: the run's resolved customization manifest (pure presentation — consumers must
+        # never derive a verdict from it).
+        "customization": customization,
    }


--- a/runner/harness/screenshot.py
+++ b/runner/harness/screenshot.py
@ -8,7 +8,7 @@ Secret-safety (R7, the cardinal screenshot guardrail): the screenshot step must
 that displays generated credentials (an install wizard showing the initial admin password, a secrets
 page, etc.). The DEFAULT capture is the app's **landing page** (a login form shows fields, not the
 password) — safe for every recipe. A recipe that needs a post-login view opts in via a recipe-meta
-`SCREENSHOT` hook: a callable `screenshot(page, domain, meta) -> None` that drives Playwright to a
+`SCREENSHOT` hook: a callable `SCREENSHOT(page, ctx) -> None` that drives Playwright to a
 safe, credential-free view and is responsible for not landing on a secrets page. The harness never
 auto-fills a wizard.

@ -18,27 +18,103 @@ missing, app slow, navigation error) is swallowed and returns None so the run/ve

 from __future__ import annotations

+import contextlib
 import os

 from . import browser as harness_browser
+from . import meta as meta_mod

 # Default viewport for the captured screenshot — a desktop-ish frame that crops well into the card.
 VIEWPORT = {"width": 1280, "height": 800}
 # Hard cap so a wedged app can never hang the run on the screenshot step (R7 / Phase-1 timeouts).
 NAV_DEADLINE_S = 45

+# ---- post-navigation settle (phase-shot fix, 2026-06-11) ----
+# SPAs (immich, n8n, cryptpad, the keycloak admin console, lasuite-*, mumble-web, mattermost) fire
+# `domcontentloaded` on their empty HTML shell and only paint after the JS bundle loads — snapping
+# immediately produced solid blank frames (byte-stable 4801-2 B) or loading spinners. After nav,
+# wait for network-idle up to SETTLE_TIMEOUT_MS (apps that never go idle — continuous polling —
+# simply spend the cap; bounded, never raises), then RENDER_GRACE_MS for the final paint.
+SETTLE_TIMEOUT_MS = 10_000
+RENDER_GRACE_MS = 500
+# A 1280x800 PNG below this is near-certainly a solid frame or a bare loading spinner (phase-shot
+# audit: blank frames were 4801-2 B across three different apps, lone spinners 5.9-8.8 KB; the
+# smallest real page was 12950 B). One bounded retry with an extra settle, then keep what we get —
+# an honest late frame beats none, and the retry only ever replaces a tiny frame with a later one.
+BLANK_SIZE_BYTES = 10_000
+BLANK_RETRY_SETTLE_MS = 4_000
+# Wait-budget arithmetic (plan-phase-shot §3 P3: step worst case ≤ ~60s): NAV_DEADLINE_S (45s,
+# spent only while the app isn't serving yet) + SETTLE_TIMEOUT_MS + RENDER_GRACE_MS +
+# BLANK_RETRY_SETTLE_MS + RENDER_GRACE_MS = 60s of bounded waiting; tested in unit tests.
+
+
+def _settle(page, idle_timeout_ms: int) -> None:
+    """Best-effort bounded settle: network-idle up to the cap, then a short render grace.
+    Never raises (R7) — a timeout just means the page kept polling; we snap what's painted."""
+    # cosmetic path (R7): a timeout on a never-idle app is expected — the cap IS the wait
+    with contextlib.suppress(Exception):
+        page.wait_for_load_state("networkidle", timeout=idle_timeout_ms)
+    with contextlib.suppress(Exception):
+        page.wait_for_timeout(RENDER_GRACE_MS)
+
+
+def settle(page, idle_timeout_ms: int = SETTLE_TIMEOUT_MS) -> None:
+    """Public settle for recipe SCREENSHOT hooks: after the hook navigates to its safe view, call
+    this so the snap happens post-paint. Same bounded best-effort contract as the default path."""
+    _settle(page, idle_timeout_ms)
+
+
+def _snap_with_blank_retry(page, out_path: str) -> None:
+    """Screenshot the page; if the PNG is blank/spinner-sized, retry ONCE after a longer settle.
+    The retry is snapped to a temp path and kept only if it is >= the first frame's size — later
+    is usually more painted, but a page can also regress (redirect, error overlay) and a worse
+    frame must never overwrite a better one (adversary finding A1)."""
+    page.screenshot(path=out_path, full_page=False)
+    try:
+        first = os.path.getsize(out_path)
+    except OSError:
+        return
+    if first >= BLANK_SIZE_BYTES:
+        return
+    print(
+        f"  screenshot: frame looks blank/loading ({first} B < {BLANK_SIZE_BYTES} B) — "
+        "one retry after a longer settle",
+        flush=True,
+    )
+    _settle(page, BLANK_RETRY_SETTLE_MS)
+    retry_path = out_path + ".retry"
+    try:
+        page.screenshot(path=retry_path, full_page=False)
+        retry = os.path.getsize(retry_path)
+        if retry >= first:
+            os.replace(retry_path, out_path)
+            print(f"  screenshot: retry frame kept ({retry} B >= {first} B)", flush=True)
+        else:
+            os.remove(retry_path)
+            print(f"  screenshot: retry frame discarded ({retry} B < {first} B)", flush=True)
+    finally:
+        with contextlib.suppress(OSError):
+            os.remove(retry_path)
+

 def screenshot_path(run_artifact_dir: str) -> str:
    """Canonical on-disk path for a run's app screenshot (pure)."""
    return os.path.join(run_artifact_dir, "screenshot.png")


-def _load_screenshot_hook(recipe_meta: dict | None):
+def _load_screenshot_hook(recipe_meta):
    """Return the recipe's optional SCREENSHOT hook (a callable) if it declared one, else None.
-    The hook drives Playwright to a safe post-login view; default is the landing page."""
-    if not recipe_meta:
+    The hook drives Playwright to a safe post-login view; default is the landing page.
+
+    `recipe_meta` is the loaded RecipeMeta (rcust P1 — the single loader actually delivers
+    SCREENSHOT now; under the old L1 allowlist the key never arrived, spec §8 R2). A plain dict
+    is still accepted for direct/manual callers."""
+    if recipe_meta is None:
        return None
-    hook = recipe_meta.get("SCREENSHOT")
+    if isinstance(recipe_meta, dict):
+        hook = recipe_meta.get("SCREENSHOT")
+    else:
+        hook = getattr(recipe_meta, "SCREENSHOT", None)
    return hook if callable(hook) else None


@ -67,10 +143,11 @@ def capture(domain: str, out_path: str, *, recipe_meta: dict | None = None) -> s
                if hook is not None:
                    # Recipe-specific safe view (post-login etc.). The hook owns navigation +
                    # the no-secret-page guarantee; it should call page.screenshot itself, but if
-                    # it doesn't, we still snap the resulting page below.
-                    hook(page, domain, recipe_meta)
+                    # it doesn't, we still snap the resulting page below. SCREENSHOT(page, ctx) —
+                    # the uniform ctx convention (rcust P3).
+                    hook(page, meta_mod.hook_ctx(domain, recipe_meta))
                    if not os.path.exists(out_path):
-                        page.screenshot(path=out_path, full_page=False)
+                        _snap_with_blank_retry(page, out_path)
                else:
                    # Default: landing page. Accept any rendered status (200 or an auth redirect to a
                    # login form) — both are credential-free and representative of "the app is up".
@ -81,7 +158,9 @@ def capture(domain: str, out_path: str, *, recipe_meta: dict | None = None) -> s
                        deadline_seconds=NAV_DEADLINE_S,
                        wait_until="domcontentloaded",
                    )
-                    page.screenshot(path=out_path, full_page=False)
+                    # SPA paint race fix (phase-shot): settle before snapping, retry a blank frame.
+                    _settle(page, SETTLE_TIMEOUT_MS)
+                    _snap_with_blank_retry(page, out_path)
            finally:
                browser.close()
        if os.path.exists(out_path) and os.path.getsize(out_path) > 0:
--- a/runner/harness/warmsnap.py
+++ b/runner/harness/warmsnap.py
@ -113,7 +113,9 @@ def _assert_undeployed(domain: str) -> None:
        )


-def snapshot(recipe: str, domain: str, commit: str | None = None, version: str | None = None) -> dict:
+def snapshot(
+    recipe: str, domain: str, commit: str | None = None, version: str | None = None
+) -> dict:
    """Take a last-known-good snapshot of every data volume of <domain>'s stack. The app MUST be
    undeployed. Atomically replaces the prior last-good. Returns the written meta dict."""
    _assert_undeployed(domain)
@ -169,7 +171,9 @@ def restore(recipe: str, domain: str) -> dict:
    for vol in meta.get("volumes", []):
        tar_path = os.path.join(volumes_dir(recipe), f"{vol}.tar")
        if vol not in current:
-            raise SnapshotError(f"snapshot volume {vol} absent from current stack {sorted(current)}")
+            raise SnapshotError(
+                f"snapshot volume {vol} absent from current stack {sorted(current)}"
+            )
        mp = _volume_mountpoint(vol)
        # Clear the volume contents (incl. dotfiles) without removing the mountpoint itself.
        r = _run(["sh", "-c", f'rm -rf -- "{mp}"/* "{mp}"/.[!.]* "{mp}"/..?* 2>/dev/null; true'])
--- a/runner/nightly_sweep.py
+++ b/runner/nightly_sweep.py
@ -60,14 +60,17 @@ def sweep() -> int:
    for r in recipes:
        print(f"\n===== nightly: full-cold {r} (latest) =====", flush=True)
        env = dict(os.environ, RECIPE=r)
-        env.pop("REF", None)      # latest, not a PR head
+        env.pop("REF", None)  # latest, not a PR head
        env.pop("CCCI_QUICK", None)
        env.pop("MODE", None)
        rc = subprocess.run(
            [sys.executable, os.path.join(_here(), "run_recipe_ci.py")], env=env
        ).returncode
        results[r] = rc
-        print(f"nightly: {r} rc={rc} ({'green→canonical refreshed' if rc == 0 else 'red'})", flush=True)
+        print(
+            f"nightly: {r} rc={rc} ({'green→canonical refreshed' if rc == 0 else 'red'})",
+            flush=True,
+        )
    # WC8 disk hygiene: drop warm data for de-enrolled canonicals; log the disk budget.
    pruned = canonical.prune_stale()
    if pruned:
--- a/runner/run_recipe_ci.py
+++ b/runner/run_recipe_ci.py
@ -44,24 +44,42 @@ sys.path.insert(0, os.path.join(ROOT, "runner"))
 from harness import (  # noqa: E402
    abra,
    canonical,
-    card as card_mod,
-    deps as deps_mod,
    discovery,
    generic,
    lifecycle,
+    lifetime,
    naming,
-    results as results_mod,
-    screenshot as screenshot_mod,
    warm,
    warmsnap,
 )
+from harness import (  # noqa: E402
+    card as card_mod,
+)
+from harness import (  # noqa: E402
+    deps as deps_mod,
+)
+from harness import (  # noqa: E402
+    lint as lint_mod,
+)
+from harness import (  # noqa: E402
+    manifest as manifest_mod,
+)
+from harness import (  # noqa: E402
+    meta as meta_mod,
+)
+from harness import (  # noqa: E402
+    results as results_mod,
+)
+from harness import (  # noqa: E402
+    screenshot as screenshot_mod,
+)

 ALL_STAGES = ("install", "upgrade", "backup", "restore", "custom")


 def sso_dep_unverified(declared, deps_ready: bool, requires_deps_skipped: int) -> bool:
    """F2-11 gate predicate (pure, unit-tested). True when a recipe declares DEPS but its
-    setup_custom_tests failed (deps not ready) AND that caused ≥1 `requires_deps` (SSO/OIDC) test
+    dep provisioning failed (deps not ready) AND that caused ≥1 `requires_deps` (SSO/OIDC) test
    to SKIP. In that case the recipe's characteristic SSO claim was NOT verified, so the run must
    NOT report GREEN — even though a skip-only pytest file exits 0 and leaves every tier 'pass'.
    Generic-tier failure-isolation is preserved (those results stand); only the green SIGNAL is
@ -129,18 +147,73 @@ def _gitea_token() -> str | None:
    return tok or None


+def _run_state_path(name: str) -> str:
+    """Run-scoped state file in the tempdir, keyed by run id + harness pid — NEVER by app domain.
+    A second run of the SAME domain overlaps this process (its main() preamble executes before it
+    blocks at the app lock inside deploy_app), so domain-keyed files get reset/removed under the
+    live run: M2(c) double-!testme produced a false DG4.1 deploy-count=2 in run 1 and a countfile
+    FileNotFoundError crash in run 2. Children never re-derive these paths — they receive them
+    via the CCCI_*_FILE env vars, so the key only has to be unique per harness process."""
+    rid = results_mod.run_id()
+    return os.path.join(tempfile.gettempdir(), f"ccci-{name}-{rid}-{os.getpid()}")
+
+
+def setup_run_abra_dir() -> str:
+    """P3: build + export this run's PER-RUN ABRA_DIR — structural isolation of recipe trees.
+
+    `<runs_dir>/<run-id>/abra/` with:
+      servers/   -> symlink to the canonical ~/.abra/servers. App .env files land in the shared
+                    canonical path, so janitor discovery (`abra app ls`) and env-based teardown
+                    work unchanged from any process; per-domain filenames + the app-domain lock
+                    prevent write conflicts.
+      catalogue/ -> symlink to the canonical ~/.abra/catalogue (read-mostly).
+      recipes/   fresh + empty — THE isolation that matters: each run clones and git-checkouts
+                 its own recipe trees, so concurrent runs (same recipe included) can never
+                 corrupt each other's deploy tree. Replaces the per-recipe flock.
+    Exported as $ABRA_DIR — honored by the abra CLI and by every harness path helper
+    (abra.abra_dir()) — BEFORE any abra call. Rides along the existing run-dir retention."""
+    canonical = os.path.expanduser("~/.abra")
+    rid = results_mod.run_id()
+    if rid == "manual":
+        rid = f"manual-{os.getpid()}"  # two concurrent hand-runs must not share a tree
+    run_abra_dir = os.path.join(results_mod.runs_dir(), rid, "abra")
+    os.makedirs(os.path.join(run_abra_dir, "recipes"), exist_ok=True)
+    for shared in ("servers", "catalogue"):
+        link = os.path.join(run_abra_dir, shared)
+        if not os.path.islink(link):
+            os.symlink(os.path.join(canonical, shared), link)
+    os.environ["ABRA_DIR"] = run_abra_dir
+    print(
+        f"== per-run ABRA_DIR: {run_abra_dir} (servers/catalogue -> canonical; fresh recipes/) ==",
+        flush=True,
+    )
+    return run_abra_dir
+
+
 def fetch_recipe(recipe: str, ref: str | None, src: str | None) -> None:
-    """Make the recipe available at the code under test. If SRC+REF point at the mirror PR,
+    """Make the recipe available at the code under test in THIS RUN's recipe tree
+    ($ABRA_DIR/recipes/<recipe>): a plain clone — no locking needed, no rm-rf of any shared
+    state (the rm below only clears this run's own leftovers, e.g. a janitor-triggered
+    `abra app ls` auto-clone or a Drone build-number reuse). If SRC+REF point at the mirror PR,
    clone it at that ref; otherwise fetch the catalogue copy. Private mirror repos need the bot
    token — passed via a per-command http.extraHeader (not persisted in .git/config, not printed)."""
-    recipes_dir = os.path.expanduser("~/.abra/recipes")
-    os.makedirs(recipes_dir, exist_ok=True)
-    dest = os.path.join(recipes_dir, recipe)
-    # CCCI_SKIP_FETCH=1: use the local recipe clone as-is (lets a test/Adversary stage a fake/broken
-    # ref — e.g. a simulated broken PR head for the --quick rollback proof — without it being clobbered
-    # by a re-fetch). Never set in production CI.
+    dest = abra.recipe_dir(recipe)
+    os.makedirs(os.path.dirname(dest), exist_ok=True)
+    # CCCI_SKIP_FETCH=1: use the locally STAGED recipe clone as-is (lets a test/Adversary stage a
+    # fake/broken ref — e.g. a simulated broken PR head for the --quick rollback proof — without it
+    # being clobbered by a re-fetch). Staging happens in the canonical ~/.abra/recipes/<recipe>;
+    # copy it into the per-run tree so the rest of the run reads the staged state. Never set in
+    # production CI.
    if os.environ.get("CCCI_SKIP_FETCH") == "1":
-        print(f"[fetch] CCCI_SKIP_FETCH=1 — using local {recipe} recipe clone as-is", flush=True)
+        canonical = os.path.expanduser(f"~/.abra/recipes/{recipe}")
+        subprocess.run(["rm", "-rf", dest], check=False)
+        if os.path.isdir(canonical):
+            shutil.copytree(canonical, dest, symlinks=True)
+        print(
+            f"[fetch] CCCI_SKIP_FETCH=1 — using staged {recipe} clone as-is "
+            f"(copied {canonical} -> per-run tree)",
+            flush=True,
+        )
        return
    if src and ref:
        url = f"https://git.autonomic.zone/{src}.git"
@ -169,7 +242,7 @@ def fetch_recipe(recipe: str, ref: str | None, src: str | None) -> None:
 def snapshot_recipe_tests(recipe: str) -> str | None:
    """Copy the recipe-shipped tests/ to a stable temp dir, immune to abra re-checking-out the
    recipe to a version tag during the run. Returns the snapshot path, or None if no tests/."""
-    src = os.path.expanduser(f"~/.abra/recipes/{recipe}/tests")
+    src = os.path.join(abra.recipe_dir(recipe), "tests")
    if not os.path.isdir(src):
        return None
    has_overlay = glob.glob(os.path.join(src, "test_*.py")) or os.path.isfile(
@ -183,52 +256,29 @@ def snapshot_recipe_tests(recipe: str) -> str | None:
    return dst


-def _load_meta(recipe: str) -> dict:
-    """Mirror tests/conftest._recipe_meta so the orchestrator's deploy/wait uses the same per-recipe
-    config the tiers see (timeouts, health path/codes)."""
-    meta = {
-        "HEALTH_PATH": "/",
-        "HEALTH_OK": (200, 301, 302),
-        "DEPLOY_TIMEOUT": 600,
-        "HTTP_TIMEOUT": 300,
-    }
-    path = os.path.join(ROOT, "tests", recipe, "recipe_meta.py")
-    if os.path.exists(path):
-        ns: dict = {}
-        with open(path) as fh:
-            exec(compile(fh.read(), path, "exec"), ns)  # noqa: S102 (trusted, in-repo)
-        for k in list(meta) + [
-            "BACKUP_CAPABLE",
-            "SKIP_GENERIC",
-            "EXPECTED_NA",
-            "OIDC_AT_INSTALL",
-            "READY_PROBE",
-            "UPGRADE_BASE_VERSION",
-            "BACKUP_VERIFY",
-            "UPGRADE_EXTRA_ENV",
-        ]:
-            if k in ns:
-                meta[k] = ns[k]
-    return meta
-
-
 def _tier_env(domain: str) -> dict:
    return dict(os.environ, CCCI_APP_DOMAIN=domain, CCCI_BASE_URL=f"https://{domain}")


-def _skip_generic(op: str, meta: dict) -> bool:
+def skip_generic_env_overrides() -> list[str]:
+    """Active CCCI_SKIP_GENERIC* env overrides (rcust P2c: the meta key is deleted; the env form
+    is a documented LOCAL-DEV-ONLY escape hatch). Surfaced loudly when set in a CI (drone) run —
+    it reduces generic-floor coverage and must never silently ride a CI verdict."""
+    return sorted(
+        k for k in os.environ if k.startswith("CCCI_SKIP_GENERIC") and _truthy(os.environ.get(k))
+    )
+
+
+def _skip_generic(op: str) -> bool:
    """Whether the generic assertion for `op` is opted out (Phase 1e HC3). Default: run (additive).
-    Opt-out, any of: env CCCI_SKIP_GENERIC (all ops), env CCCI_SKIP_GENERIC_<OP>, or the recipe's
-    declarative recipe_meta.SKIP_GENERIC list (op name, or "all"/"*")."""
+    Opt-out via env only (dev-only escape hatch, P2c): CCCI_SKIP_GENERIC (all ops) or
+    CCCI_SKIP_GENERIC_<OP>. The recipe_meta SKIP_GENERIC key is deleted (zero users)."""
    if _truthy(os.environ.get("CCCI_SKIP_GENERIC")):
        return True
-    if _truthy(os.environ.get(f"CCCI_SKIP_GENERIC_{op.upper()}")):
-        return True
-    sg = [str(s).lower() for s in (meta.get("SKIP_GENERIC") or [])]
-    return "all" in sg or "*" in sg or op in sg
+    return _truthy(os.environ.get(f"CCCI_SKIP_GENERIC_{op.upper()}"))


-def _run_pre_hook(recipe: str, op: str, repo_local: str | None, domain: str, meta: dict) -> None:
+def _run_pre_hook(recipe: str, op: str, repo_local: str | None, domain: str, meta) -> None:
    """Run the optional pre-op seed hook (recipe ops.py `pre_<op>`) BEFORE the harness performs the
    op (HC3 op/assertion split): overlays seed data-continuity markers / the backup→restore mutation
    here, then assert post-op in test_<op>.py. cc-ci's ops.py is trusted; a repo-local ops.py is
@ -245,7 +295,11 @@ def _run_pre_hook(recipe: str, op: str, repo_local: str | None, domain: str, met
        mod = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(mod)
        print(f"  pre-op seed ({source}): {os.path.relpath(path, ROOT)}::pre_{op}", flush=True)
-        getattr(mod, f"pre_{op}")(domain, meta)
+        fn = getattr(mod, f"pre_{op}")
+        # Uniform ctx convention (rcust P3): pre_<op>(ctx). A legacy (domain, meta) hook fails
+        # HERE with a clear migration message, not a TypeError mid-call.
+        meta_mod.check_hook_signature(fn, ("ctx",), f"{os.path.relpath(path, ROOT)}::pre_{op}")
+        fn(meta_mod.hook_ctx(domain, meta, op=op))
    finally:
        if d in sys.path:
            sys.path.remove(d)
@ -258,7 +312,7 @@ def _perform_op(
    head_ref: str | None,
    op_state: dict,
    deploy_timeout: int = 900,
-    meta: dict | None = None,
+    meta=None,
 ) -> None:
    """Perform the single mutating op ONCE (the harness owns the op, HC3). install has no op. Records
    what the assertions need (pre-upgrade identity, backup snapshot_id) into op_state. None of these
@ -281,9 +335,10 @@ def _perform_op(
        # verify fails we re-run the WHOLE backup (fresh restic snapshot) with a re-stabilised DB, up to
        # 3 attempts. Recipes without BACKUP_VERIFY are unaffected (single backup, as before).
        snap = generic.perform_backup(domain)
-        verify = meta.get("BACKUP_VERIFY") if meta else None
+        verify = meta.BACKUP_VERIFY if meta else None
+        verify_ctx = meta_mod.hook_ctx(domain, meta, op="backup") if meta else None
        attempt = 1
-        while callable(verify) and not verify(domain) and attempt < 3:
+        while callable(verify) and not verify(verify_ctx) and attempt < 3:
            attempt += 1
            print(
                f"  backup-verify FAILED (attempt {attempt - 1}/3) — backup did not capture the "
@ -291,7 +346,7 @@ def _perform_op(
                flush=True,
            )
            snap = generic.perform_backup(domain)
-        if callable(verify) and not verify(domain):
+        if callable(verify) and not verify(verify_ctx):
            print(
                f"  !! backup-verify still FAILED after {attempt} attempts — backup is incomplete",
                flush=True,
@ -307,7 +362,7 @@ def run_lifecycle_tier(
    op: str,
    repo_local: str | None,
    domain: str,
-    meta: dict,
+    meta,
    head_ref: str | None,
    op_state: dict,
    records: list[dict] | None = None,
@ -322,7 +377,7 @@ def run_lifecycle_tier(
    a {tier,source,file,rc,junit} record appended, so the run can assemble per-stage/per-test
    results.json + the level afterwards. Purely additive — does not change the verdict."""
    overlay = discovery.resolve_overlay_op(recipe, op, repo_local)
-    skip_gen = _skip_generic(op, meta)
+    skip_gen = _skip_generic(op)
    files: list[tuple[str, str]] = []
    if not skip_gen:
        files.append(discovery.generic_op(op))
@ -347,7 +402,7 @@ def run_lifecycle_tier(
            recipe,
            head_ref,
            op_state,
-            deploy_timeout=int(meta.get("DEPLOY_TIMEOUT", 900)),
+            deploy_timeout=int(meta.DEPLOY_TIMEOUT),
            meta=meta,
        )
        with open(os.environ["CCCI_OP_STATE_FILE"], "w") as f:
@ -385,7 +440,7 @@ def run_lifecycle_tier(
 def _enrich_deps_with_sso(parent_recipe: str, parent_domain: str, deps_list) -> dict[str, dict]:
    """For each dep, set up a fresh realm/client + test user via the harness's provider-specific
    setup function, then return a recipe→entry dict carrying domain + admin + realm/client/user
-    info — the shape the `setup_custom_tests.sh` hook (and dependent tests) read.
+    info — the shape the `install_steps.sh` hook (and dependent tests) read.

    Provider routing: today only `keycloak` is supported. authentik will need a parallel
    `setup_authentik_realm` when an authentik-dep recipe enrolls (DEFERRED.md #9).
@ -399,7 +454,7 @@ def _enrich_deps_with_sso(parent_recipe: str, parent_domain: str, deps_list) ->
        if not dep_recipe or not dep_domain:
            continue
        if dep_recipe != "keycloak":
-            # Provider not yet supported — record bare entry; setup_custom_tests.sh / tests will
+            # Provider not yet supported — record bare entry; install_steps.sh / tests will
            # raise if they need realm/client info they don't see.
            out[dep_recipe] = entry
            continue
@ -443,12 +498,10 @@ def _provision_deps(

    Splits deps into live-warm (shared provider at a stable domain + a per-run realm) vs cold
    (co-deployed per run), provisions each dep's SSO realm/client/user, and persists the enriched
-    dict the `setup_custom_tests.sh`/`install_steps.sh` hooks + dependent tests read. Raises on any
-    failure (the caller marks deps-not-ready). Used by BOTH wiring paths:
-    - post-deploy (legacy): provision AFTER generic tiers, then `setup_custom_tests.sh` does an
-      in-place OIDC redeploy.
-    - install-time (`OIDC_AT_INSTALL`, Q3.2a): provision BEFORE the single deploy so the
-      install-tier `install_steps.sh` hook wires OIDC env into that one deploy — no reconverge.
+    dict the `install_steps.sh` hooks + dependent tests read. Raises on any failure (the caller
+    marks deps-not-ready). Install-time wiring is the ONLY mode (rcust P2b): provision BEFORE the
+    single deploy so the install-tier `install_steps.sh` hook wires OIDC env into that one deploy —
+    no reconverge, no post-deploy `setup_custom_tests.sh` machinery.
    """
    warm_deps, cold_deps = [], []
    for d in declared:
@ -459,7 +512,7 @@ def _provision_deps(
            if wd:
                print(f"  dep: {d} warm provider {wd} not up — cold fallback", flush=True)
            cold_deps.append(d)
-    dep_metas = {d: _load_meta(d) for d in cold_deps}
+    dep_metas = {d: meta_mod.load(d) for d in cold_deps}
    deps_list = (
        deps_mod.deploy_deps(recipe, os.environ.get("PR", "0"), ref, cold_deps, meta_for=dep_metas)
        if cold_deps
@ -477,32 +530,6 @@ def _provision_deps(
    return deps_state


-def _run_setup_custom_tests_hook(recipe: str, domain: str, deps_file: str) -> None:
-    """Run `tests/<recipe>/setup_custom_tests.sh` if present (operator-2026-05-28 SSO-dep plan
-    §3.2). The hook reads `$CCCI_DEPS_FILE`, sets OIDC env via `abra app config set` + secret
-    insert, and triggers an in-place `abra app deploy --force --chaos`. Failure here propagates
-    to mark deps-not-ready (caught in main())."""
-    path = os.path.join(ROOT, "tests", recipe, "setup_custom_tests.sh")
-    if not os.path.isfile(path):
-        # No hook = recipe doesn't need post-deps wiring; deps are deployed + creds available
-        # via deps_apps fixture as-is.
-        print(
-            f"  setup_custom_tests: no hook at {os.path.relpath(path, ROOT)} (deps creds ready in $CCCI_DEPS_FILE)",
-            flush=True,
-        )
-        return
-    print(f"  setup_custom_tests hook: {os.path.relpath(path, ROOT)}", flush=True)
-    rc = subprocess.run(
-        ["bash", path],
-        check=False,
-        env=dict(os.environ, CCCI_APP_DOMAIN=domain, CCCI_RECIPE=recipe, CCCI_DEPS_FILE=deps_file),
-    )
-    if rc.returncode != 0:
-        raise RuntimeError(
-            f"setup_custom_tests.sh exited {rc.returncode} (deps env not wired into parent)"
-        )
-
-
 def run_custom(
    recipe: str,
    repo_local: str | None,
@ -545,7 +572,7 @@ def _wait_undeployed(domain: str, timeout: int = 120) -> None:


 def run_quick(
-    recipe: str, ref: str | None, head_ref: str | None, repo_local: str | None, meta: dict
+    recipe: str, ref: str | None, head_ref: str | None, repo_local: str | None, meta
 ) -> int:
    """WC4 `--quick` opt-in fast lane (plan §2). Reattach the data-warm canonical (known-good volume)
    → upgrade IN PLACE to the PR head (chaos) → assert generic UPGRADE (reconverge+moved+serving) +
@ -566,22 +593,22 @@ def run_quick(
        flush=True,
    )

-    statefile = os.path.join(tempfile.gettempdir(), f"ccci-opstate-{domain}.json")
+    statefile = _run_state_path("opstate") + ".json"
    with open(statefile, "w") as f:
        json.dump({}, f)
    os.environ["CCCI_OP_STATE_FILE"] = statefile
-    depsfile = os.path.join(tempfile.gettempdir(), f"ccci-deps-{domain}.json")
+    depsfile = _run_state_path("deps") + ".json"
    with open(depsfile, "w") as f:
        json.dump({}, f)
    os.environ["CCCI_DEPS_FILE"] = depsfile
-    skipfile = os.path.join(tempfile.gettempdir(), f"ccci-depskip-{domain}.txt")
+    skipfile = _run_state_path("depskip") + ".txt"
    with contextlib.suppress(OSError):
        os.remove(skipfile)
    os.environ["CCCI_DEPS_SKIP_REPORT"] = skipfile

    op_state: dict = {}
    results: dict[str, str] = {}
-    declared = deps_mod.declared_deps(recipe)
+    declared = list(meta.DEPS)
    deps_state: dict = {}
    deps_ready = True
    deps_not_ready_reason = ""
@ -593,28 +620,32 @@ def run_quick(
    try:
        # 1) reattach the canonical (warm boot at the known-good version + retained volume)
        try:
-            canonical.deploy_canonical(recipe, timeout=int(meta.get("DEPLOY_TIMEOUT", 900)))
+            canonical.deploy_canonical(recipe, timeout=int(meta.DEPLOY_TIMEOUT))
            lifecycle.wait_healthy(
                domain,
-                ok_codes=tuple(meta["HEALTH_OK"]),
-                path=meta["HEALTH_PATH"],
-                deploy_timeout=meta["DEPLOY_TIMEOUT"],
-                http_timeout=meta["HTTP_TIMEOUT"],
+                ok_codes=tuple(meta.HEALTH_OK),
+                path=meta.HEALTH_PATH,
+                deploy_timeout=meta.DEPLOY_TIMEOUT,
+                http_timeout=meta.HTTP_TIMEOUT,
            )
            warm_ok = True
        except Exception as e:  # noqa: BLE001
            print(f"!! canonical reattach/readiness failed: {_scrub(str(e))}", flush=True)

        if warm_ok:
-            # 2) deps (warm keycloak + per-run realm) — mirrors main()'s warm/cold split
+            # 2) deps (warm keycloak + per-run realm) — mirrors main()'s warm/cold split. NB
+            # (rcust P2b): deps are provisioned (realm/creds in $CCCI_DEPS_FILE) but quick mode
+            # cannot do install-time OIDC env wiring — the canonical app pre-exists its per-run
+            # realm. No quick-enrolled recipe declares DEPS today; if one ever does, its
+            # requires_deps tests will exercise creds-only flows or skip (F2-11 keeps the signal).
            if declared:
-                print(f"\n===== setup_custom_tests (quick): deps {declared} =====", flush=True)
+                print(f"\n===== deps (quick): {declared} =====", flush=True)
                try:
                    warm_deps, cold_deps = [], []
                    for d in declared:
                        wd = warm.warm_domain(d)
                        (warm_deps if (wd and warm.is_warm_up(d, wd)) else cold_deps).append(d)
-                    dep_metas = {d: _load_meta(d) for d in cold_deps}
+                    dep_metas = {d: meta_mod.load(d) for d in cold_deps}
                    deps_list = (
                        deps_mod.deploy_deps(
                            recipe, os.environ.get("PR", "0"), ref, cold_deps, meta_for=dep_metas
@ -629,12 +660,11 @@ def run_quick(
                        print(f"  dep: using live-warm {d} @ {wd} (per-run realm)", flush=True)
                    deps_state = _enrich_deps_with_sso(recipe, domain, deps_list)
                    deps_mod.write_run_state(deps_state)
-                    _run_setup_custom_tests_hook(recipe, domain, depsfile)
                except Exception as e:  # noqa: BLE001
                    deps_ready = False
                    deps_not_ready_reason = _scrub(str(e))[:300]
                    print(
-                        f"!! setup_custom_tests failed (deps-not-ready): {deps_not_ready_reason}",
+                        f"!! dep provisioning failed (deps-not-ready): {deps_not_ready_reason}",
                        flush=True,
                    )

@ -650,6 +680,8 @@ def run_quick(
            results["upgrade"] = "fail"
            results["custom"] = "skip"
    finally:
+        # Teardown funnel running: further SIGTERM/SIGALRM are logged + ignored (lifetime.py).
+        lifetime.begin_teardown()
        # F2-11 skip count (read before deciding pass/fail)
        requires_deps_skipped = 0
        try:
@ -747,7 +779,7 @@ def run_quick(
        overall = 1
    if sso_unverified:
        print(
-            f"!! DEPS={declared} but setup_custom_tests failed and {requires_deps_skipped} "
+            f"!! DEPS={declared} but dep provisioning failed and {requires_deps_skipped} "
            "requires_deps SKIPPED — SSO NOT verified (F2-11)",
            file=sys.stderr,
        )
@ -782,7 +814,7 @@ def promote_canonical(recipe: str, head_ref: str | None) -> None:
    if not latest:
        print(f"WC5 promote: no version tags for {recipe} — skip", flush=True)
        return
-    meta = _load_meta(recipe)
+    meta = meta_mod.load(recipe)
    # The cold run's deploy-count was already asserted + the countfile removed; don't perturb it.
    os.environ.pop("CCCI_DEPLOY_COUNT_FILE", None)
    print(
@ -794,14 +826,15 @@ def promote_canonical(recipe: str, head_ref: str | None) -> None:
        domain,
        version=latest,
        secrets=True,
-        deploy_timeout=int(meta.get("DEPLOY_TIMEOUT", 900)),
+        deploy_timeout=int(meta.DEPLOY_TIMEOUT),
+        meta=meta,
    )
    lifecycle.wait_healthy(
        domain,
-        ok_codes=tuple(meta["HEALTH_OK"]),
-        path=meta["HEALTH_PATH"],
-        deploy_timeout=meta["DEPLOY_TIMEOUT"],
-        http_timeout=meta["HTTP_TIMEOUT"],
+        ok_codes=tuple(meta.HEALTH_OK),
+        path=meta.HEALTH_PATH,
+        deploy_timeout=meta.DEPLOY_TIMEOUT,
+        http_timeout=meta.HTTP_TIMEOUT,
    )
    abra.undeploy(domain)
    _wait_undeployed(domain)
@ -813,6 +846,9 @@ def promote_canonical(recipe: str, head_ref: str | None) -> None:


 def main() -> int:
+    # P1 lock-lifetime hardening: PDEATHSIG + SIGTERM/SIGALRM teardown funnel + 60-min hard
+    # deadline, armed before ANY abra call or lock acquisition (see harness/lifetime.py).
+    lifetime.install_lifetime_guards()
    recipe = os.environ.get("RECIPE")
    if not recipe:
        print("RECIPE env is required", file=sys.stderr)
@ -827,13 +863,34 @@ def main() -> int:
    print(
        f"== cc-ci run: recipe={recipe} ref={ref} pr={os.environ.get('PR', '0')} stages={sorted(stages)}"
    )
+    # P2c: the CCCI_SKIP_GENERIC* env escape hatch is LOCAL-DEV-ONLY. If it rides a CI (drone)
+    # run, shout — generic-floor coverage is reduced and the verdict must not look routine.
+    for ov in skip_generic_env_overrides():
+        if os.environ.get("DRONE"):
+            print(
+                f"!! {ov}=1 — dev-only generic-floor override ACTIVE IN A CI RUN; generic "
+                "assertions are suppressed for the affected op(s). This must never gate a merge.",
+                flush=True,
+            )
+        else:
+            print(f"== {ov}=1 (dev-only generic-floor override active)", flush=True)
+    # Concurrent-run safety is structural: this run's recipe trees live in its own ABRA_DIR
+    # (exported here, before ANY abra call), so no recipe-tree lock exists; same-DOMAIN runs
+    # serialise on the app-domain flock taken in deploy_app (see docs/concurrency.md).
+    setup_run_abra_dir()
    fetch_recipe(recipe, ref, src)
    # The PR-head commit the upgrade tier re-checks out for the chaos redeploy to the code under test
    # (HC1). Prefer the explicit PR head sha ($REF) — robust + exact; fall back to the recipe checkout
    # HEAD (the catalogue current) for a non-PR `!testme`. Captured before any version-tag checkout.
    head_ref = ref or lifecycle.recipe_head_commit(recipe)
    repo_local = snapshot_recipe_tests(recipe)
-    meta = _load_meta(recipe)
+    meta = meta_mod.load(recipe)
+
+    # Customization manifest (rcust P5, R4): ONE block answering "what does this recipe
+    # customize?" across all surfaces — printed here and embedded verbatim in results.json under
+    # "customization". Pure presentation; never influences a verdict.
+    customization = manifest_mod.build(recipe, meta, repo_local)
+    print("\n" + manifest_mod.render(recipe, customization) + "\n", flush=True)

    # WC4/WC7: opt-in `--quick` fast lane. Requires an existing data-warm canonical; if none, fall
    # back cleanly to the full COLD run below so the PR is still tested (DECISIONS Phase-2w).
@ -856,16 +913,14 @@ def main() -> int:
    # override must be an exact published version tag (deployed as a pinned base). (Adversary §7.1.)
    want_upgrade = "upgrade" in stages
    prev = (
-        (meta.get("UPGRADE_BASE_VERSION") or lifecycle.previous_version(recipe))
-        if want_upgrade
-        else None
+        (meta.UPGRADE_BASE_VERSION or lifecycle.previous_version(recipe)) if want_upgrade else None
    )
    base = prev or target
    backup_cap = generic.backup_capable(recipe, meta)
    hook = discovery.install_steps(recipe, repo_local)

    # Deploy-count guard (DG4.1): exactly one deploy_app() per run.
-    countfile = os.path.join(tempfile.gettempdir(), f"ccci-deploys-{domain}")
+    countfile = _run_state_path("deploys")
    with open(countfile, "w") as f:
        f.write("0")
    os.environ["CCCI_DEPLOY_COUNT_FILE"] = countfile
@ -876,40 +931,50 @@ def main() -> int:
    run_artifact_dir = os.path.join(results_mod.runs_dir(), results_mod.run_id())
    junit_dir = os.path.join(run_artifact_dir, "junit")
    records: list[dict] = []
+
+    # L5 lint rung (phase lvl5): `abra recipe lint` against the EXACT tested ref, in a pristine
+    # scratch clone (harness.lint — the per-run tree is still at head_ref here, before any
+    # version-pinning checkout). Level rung only — NEVER the verdict: run_lint catches every
+    # failure mode into status "unver" (60s hard budget) and this belt-and-braces wrap makes a
+    # crashed executor identical to "could not verify".
+    lint_result = {"status": "unver", "detail": "lint executor crashed", "rules_failed": []}
+    try:
+        lint_result = lint_mod.run_lint(recipe, head_ref, run_artifact_dir)
+    except Exception as e:  # noqa: BLE001 — lint is a rung, not a gate; never touches the verdict
+        print(
+            f"!! lint rung executor crashed (non-fatal, rung=unver): {_scrub(str(e))}", flush=True
+        )
+    print(
+        f"lint rung: {lint_result['status']}"
+        f"{' — ' + lint_result['detail'] if lint_result.get('detail') else ''}",
+        flush=True,
+    )
    with contextlib.suppress(OSError):
        os.makedirs(junit_dir, exist_ok=True)

    # Run-scoped op state (HC3): the orchestrator records op results (pre-upgrade identity, backup
    # snapshot_id) here for the assertion tiers (generic + overlay) to read via generic.op_state().
-    statefile = os.path.join(tempfile.gettempdir(), f"ccci-opstate-{domain}.json")
+    statefile = _run_state_path("opstate") + ".json"
    with open(statefile, "w") as f:
        json.dump({}, f)
    os.environ["CCCI_OP_STATE_FILE"] = statefile
    op_state: dict = {}

-    # Run-scoped dep state (Phase 2 Q2.3, refined per operator-2026-05-28 SSO-dep plan §1):
-    # deps now deploy AFTER generic tiers (between RESTORE and CUSTOM) so a failed dep deploy
-    # cannot break the generic-tier signal. The `setup_custom_tests` step deploys each dep + runs
-    # `tests/<recipe>/setup_custom_tests.sh` to wire OIDC env via in-place redeploy.
+    # Run-scoped dep state (Phase 2 Q2.3; install-time-only since rcust P2b): deps are provisioned
+    # BEFORE the single deploy so install_steps.sh wires OIDC env into that one deploy.
    # `$CCCI_DEPS_FILE` is written with the full creds dict the hook script needs (jq-readable).
-    depsfile = os.path.join(tempfile.gettempdir(), f"ccci-deps-{domain}.json")
+    depsfile = _run_state_path("deps") + ".json"
    with open(depsfile, "w") as f:
        json.dump({}, f)
    os.environ["CCCI_DEPS_FILE"] = depsfile
    # F2-11: conftest appends the count of requires_deps tests it skips (deps-not-ready) here.
-    skipfile = os.path.join(tempfile.gettempdir(), f"ccci-depskip-{domain}.txt")
+    skipfile = _run_state_path("depskip") + ".txt"
    with contextlib.suppress(OSError):
        os.remove(skipfile)
    os.environ["CCCI_DEPS_SKIP_REPORT"] = skipfile
-    declared = deps_mod.declared_deps(recipe)
-    # Q3.2a: a recipe that tolerates OIDC env at first boot AND whose deps are live-warm wires OIDC
-    # at INSTALL time (provision the realm BEFORE the single deploy; install_steps.sh writes the env
-    # into it) instead of the post-deploy in-place `--chaos` redeploy — which is flaky on the heavy
-    # 12-service lasuite-drive stack (collabora WOPI race; see JOURNAL Step 0). Opt-in per recipe.
-    oidc_at_install = bool(meta.get("OIDC_AT_INSTALL")) and bool(declared)
+    declared = list(meta.DEPS)
    if declared:
-        when = "BEFORE deploy (install-time OIDC)" if oidc_at_install else "AFTER generic tiers"
-        print(f"\n===== DEPS declared (provision {when}): {declared} =====", flush=True)
+        print(f"\n===== DEPS declared (provision BEFORE deploy): {declared} =====", flush=True)
    deps_state: dict[str, dict] = {}  # new shape: recipe→entry dict (sso-dep plan §1)
    deps_ready = True
    deps_not_ready_reason: str = ""
@ -923,7 +988,7 @@ def main() -> int:
        # install_steps.sh can read $CCCI_DEPS_FILE and wire the OIDC env into that one deploy. On
        # failure we mark deps-not-ready but STILL deploy the recipe alone (install_steps.sh no-ops
        # on an empty deps file) so the generic tiers run; the OIDC custom test then skips → F2-11. ----
-        if oidc_at_install:
+        if declared:
            print(
                f"\n===== install-time OIDC: provisioning deps {declared} BEFORE deploy =====",
                flush=True,
@ -950,18 +1015,21 @@ def main() -> int:
                version=base,
                secrets=True,
                install_steps_hook=hook,
-                deploy_timeout=int(meta.get("DEPLOY_TIMEOUT", 900)),
+                deploy_timeout=int(meta.DEPLOY_TIMEOUT),
+                meta=meta,
            )
            lifecycle.wait_healthy(
                domain,
-                ok_codes=tuple(meta["HEALTH_OK"]),
-                path=meta["HEALTH_PATH"],
-                deploy_timeout=meta["DEPLOY_TIMEOUT"],
-                http_timeout=meta["HTTP_TIMEOUT"],
+                ok_codes=tuple(meta.HEALTH_OK),
+                path=meta.HEALTH_PATH,
+                deploy_timeout=meta.DEPLOY_TIMEOUT,
+                http_timeout=meta.HTTP_TIMEOUT,
            )
            # Recipe READY_PROBE (e.g. lasuite-drive collabora WOPI discovery) — readiness beyond
            # replica convergence + app HEALTH_PATH; no-op for recipes without one.
-            lifecycle.wait_ready_probes(meta, domain, timeout=int(meta.get("DEPLOY_TIMEOUT", 900)))
+            lifecycle.wait_ready_probes(
+                meta, domain, timeout=int(meta.DEPLOY_TIMEOUT), op="install"
+            )
            deploy_ok = True
        except Exception as e:  # noqa: BLE001 — a failed deploy is a reported INSTALL failure
            print(f"!! deploy/readiness failed: {e}", flush=True)
@ -1058,41 +1126,11 @@ def main() -> int:
                    if backup_cap
                    else "skip"
                )
-            # ---- setup_custom_tests step (NEW, operator-2026-05-28 SSO-dep plan §3.2) ----
-            # Deploy each declared dep + wire OIDC env into the parent app via the per-recipe
-            # setup_custom_tests.sh hook + in-place redeploy. Failure here marks deps-not-ready
-            # but does NOT abort the run — @pytest.mark.requires_deps tests skip with reason;
-            # non-deps custom tests still run normally.
-            if declared and not oidc_at_install:
-                # LEGACY post-deploy path: provision deps AFTER generic tiers, then wire OIDC env
-                # into the parent via the setup_custom_tests.sh hook + an in-place `--chaos` redeploy.
-                print("\n===== setup_custom_tests: deps + OIDC wiring =====", flush=True)
-                try:
-                    deps_state = _provision_deps(recipe, domain, ref, declared)
-                    # Run the per-recipe post-deps hook (jq-driven OIDC wiring + in-place redeploy)
-                    _run_setup_custom_tests_hook(recipe, domain, depsfile)
-                except Exception as e:  # noqa: BLE001 — setup failure is ISOLATED to dep-marked tests
-                    deps_ready = False
-                    deps_not_ready_reason = _scrub(str(e))[:300]
-                    print(
-                        f"!! setup_custom_tests failed (deps-not-ready): {deps_not_ready_reason}",
-                        flush=True,
-                    )
-            elif declared and oidc_at_install and deps_ready:
-                # INSTALL-TIME path (Q3.2a): deps were provisioned BEFORE the single deploy and the
-                # install-tier install_steps.sh hook already wired OIDC env into that one deploy —
-                # so NO re-provision, NO reconverge here. Run only the post-deploy setup hook
-                # (e.g. lasuite-drive's minio-createbuckets one-shot), which needs the live stack.
-                print("\n===== post-deploy setup (OIDC already wired at install) =====", flush=True)
-                try:
-                    _run_setup_custom_tests_hook(recipe, domain, depsfile)
-                except Exception as e:  # noqa: BLE001 — isolated to dep-marked / state-dependent tests
-                    deps_ready = False
-                    deps_not_ready_reason = _scrub(str(e))[:300]
-                    print(
-                        f"!! post-deploy setup failed: {deps_not_ready_reason}",
-                        flush=True,
-                    )
+            # (rcust P2b: install-time deps wiring is the ONLY mode — deps were provisioned BEFORE
+            # the single deploy and install_steps.sh wired the OIDC env into it. The legacy
+            # post-deploy provisioning + setup_custom_tests.sh redeploy machinery is deleted; a
+            # recipe's post-deploy seeding belongs in ops.py pre_install, e.g. lasuite-drive's
+            # MinIO bucket one-shot.)

            # ---- CUSTOM tier ----
            if "custom" in stages:
@ -1109,6 +1147,9 @@ def main() -> int:
                if op in stages:
                    results[op] = "skip"
    finally:
+        # From here the teardown funnel runs: a SIGTERM/SIGALRM landing now is logged + ignored
+        # (lifetime.py) so a second signal can't abort the cleanup the first one asked for.
+        lifetime.begin_teardown()
        # Teardown the recipe under test FIRST, then deps in reverse declaration order.
        # Parent verify=False (Phase 1d): keep as-is so a parent residual doesn't mask a tier
        # failure. Dep teardown uses verify=True via teardown_deps (F2-5 fix); failures are
@ -1164,8 +1205,7 @@ def main() -> int:

    # ---- per-op summary (DG6 feed) ----
    # SSO-dep plan §1: DG4.1 generalised — one `abra app new` per app in the run (recipe + each
-    # COLD dep). In-place reconfigure-and-redeploy (the setup_custom_tests step's
-    # `abra app deploy --force --chaos`) is NOT a fresh `app_new` and does NOT increment the count.
+    # COLD dep). Chaos redeploys are NOT a fresh `app_new` and do NOT increment the count.
    # WC1: a live-warm dep (keycloak) is NOT deployed by the run — it only gets a per-run realm — so
    # warm deps contribute 0. So expected = 1 + (number of COLD deps that actually got deployed).
    _dep_entries = deps_state.values() if isinstance(deps_state, dict) else (deps_state or [])
@ -1206,12 +1246,12 @@ def main() -> int:
        overall = 1
    if any(v == "fail" for v in results.values()):
        overall = 1
-    # F2-11: a deps-declaring recipe whose setup_custom_tests failed has NOT verified its SSO/OIDC
+    # F2-11: a deps-declaring recipe whose dep provisioning failed has NOT verified its SSO/OIDC
    # claim — its requires_deps tests SKIPPED (a skip-only file exits 0, so without this the run
    # would report GREEN). Fail the run for that recipe; generic-tier results above are untouched.
    if sso_dep_unverified(declared, deps_ready, requires_deps_skipped):
        print(
-            f"!! recipe declares DEPS={declared} but setup_custom_tests failed and "
+            f"!! recipe declares DEPS={declared} but dep provisioning failed and "
            f"{requires_deps_skipped} requires_deps (SSO) test(s) were SKIPPED — SSO claim NOT "
            f"verified; failing run (F2-11). deps-not-ready: {deps_not_ready_reason}",
            file=sys.stderr,
@ -1234,11 +1274,14 @@ def main() -> int:
            records=records,
            results=results,
            backup_capable=backup_cap,
+            has_upgrade_target=prev is not None,  # structural: a previous published version exists
+            lint=lint_result,  # L5 rung (phase lvl5)
            clean_teardown=clean_teardown,
            no_secret_leak=True,  # narrowed below by an actual scan of the serialised artifact
            screenshot=screenshot_rel,  # Phase 3 U1 (R4): relative PNG name iff capture succeeded
            finished_ts=time.time(),
-            expected_na=meta.get("EXPECTED_NA"),  # declared intentional-skip map (recipe_meta)
+            expected_na=meta.EXPECTED_NA,  # declared intentional-skip map (recipe_meta)
+            customization=customization,  # rcust P5: the run-start manifest, verbatim
        )
        # Real (if narrow) leak check: no known infra-secret value may appear in the artifact (R7).
        blob = json.dumps(data)
@ -1250,17 +1293,15 @@ def main() -> int:
                file=sys.stderr,
            )
        path = results_mod.write_results(data)
-        print(
-            f"results.json written: {path} (level={data['level']}"
-            f"{' — ' + data['level_cap_reason'] if data['level_cap_reason'] else ''})",
-            flush=True,
-        )
-        # Surface UNINTENTIONAL skips in the CI log (non-blocking, R7): a rung that was skipped (N/A)
-        # but is not in the recipe's intentional list — either add the missing coverage or declare it.
+        print(f"results.json written: {path} (level={data['level']} of 5)", flush=True)
+        # Surface UNVERIFIED rungs in the CI log (non-blocking, R7): a rung that should have run
+        # and wasn't verified blocks the level above it — fill the coverage, or (where a
+        # declared/structural reason genuinely applies) declare it in EXPECTED_NA.
        for rung in data.get("skips", {}).get("unintentional", []):
            print(
-                f"⚠ coverage: rung '{rung}' was skipped (N/A) but is not declared intentional — add "
-                f"the missing test/label, or list it in tests/{recipe}/recipe_meta.py "
+                f"⚠ coverage: rung '{rung}' is UNVERIFIED (did not run / could not be checked) — "
+                f"the level cannot rise above it. Add the missing test/coverage, or declare a "
+                f"genuine inapplicability in tests/{recipe}/recipe_meta.py "
                f"EXPECTED_NA = {{'{rung}': '<why>'}}.",
                flush=True,
            )
@ -1282,19 +1323,10 @@ def main() -> int:
            with open(html_path, "w", encoding="utf-8") as f:
                f.write(card_mod.render_card_html(data, screenshot_rel=data.get("screenshot")))
            png = card_mod.render_card_png(html_path, os.path.join(run_artifact_dir, "summary.png"))
-            capped = data.get("level_cap_rung")
-            sk = data.get("skips", {})
-            cap_skip = (
-                "intentional" if capped in (sk.get("intentional") or {})
-                else "unintentional" if capped in (sk.get("unintentional") or [])
-                else ""
-            )
+            # Badge = level only (number + colour) — the per-rung table on the card is the sole
+            # carrier of "why isn't this higher" (operator-specified, phase lvl5).
            with open(os.path.join(run_artifact_dir, "badge.svg"), "w", encoding="utf-8") as f:
-                f.write(
-                    card_mod.level_badge_svg(
-                        data["level"], data.get("level_cap_reason", ""), cap_skip
-                    )
-                )
+                f.write(card_mod.level_badge_svg(data["level"]))
            print(
                f"summary card {'rendered ' + png if png else '(PNG render unavailable)'} + "
                f"badge.svg written into {run_artifact_dir}",
--- a/runner/warm_reconcile.py
+++ b/runner/warm_reconcile.py
@ -43,11 +43,16 @@ def _traefik_setup(recipe: str, domain: str, version: str) -> None:
    ssl_cert/ssl_key swarm secrets; NO ACME). Uses the proven abra.env_set (newline-safe, unlike the
    bash set_env that bit keycloak)."""
    cert_dir = "/var/lib/ci-certs/live"
-    if not (os.path.isfile(f"{cert_dir}/fullchain.pem") and os.path.isfile(f"{cert_dir}/privkey.pem")):
+    if not (
+        os.path.isfile(f"{cert_dir}/fullchain.pem") and os.path.isfile(f"{cert_dir}/privkey.pem")
+    ):
        raise RuntimeError(f"FATAL: wildcard cert missing at {cert_dir} (sops decrypt broken?)")
    if not os.path.isfile(env_file(domain)):
-        _run(["abra", "app", "new", recipe, "-s", "default", "-D", domain, version, "-o", "-n"],
-             timeout=120, check=True)
+        _run(
+            ["abra", "app", "new", recipe, "-s", "default", "-D", domain, version, "-o", "-n"],
+            timeout=120,
+            check=True,
+        )
    abra.env_set(domain, "DOMAIN", domain)
    abra.env_set(domain, "LETS_ENCRYPT_ENV", "")
    abra.env_set(domain, "WILDCARDS_ENABLED", "1")
@ -61,11 +66,39 @@ def _traefik_setup(recipe: str, domain: str, version: str) -> None:
        return any(s.endswith(f"_{name}_v1") for s in have)

    if not _has("ssl_cert"):
-        _run(["abra", "app", "secret", "insert", domain, "ssl_cert", "v1",
-              f"{cert_dir}/fullchain.pem", "-f", "-n"], timeout=120, check=True)
+        _run(
+            [
+                "abra",
+                "app",
+                "secret",
+                "insert",
+                domain,
+                "ssl_cert",
+                "v1",
+                f"{cert_dir}/fullchain.pem",
+                "-f",
+                "-n",
+            ],
+            timeout=120,
+            check=True,
+        )
    if not _has("ssl_key"):
-        _run(["abra", "app", "secret", "insert", domain, "ssl_key", "v1",
-              f"{cert_dir}/privkey.pem", "-f", "-n"], timeout=120, check=True)
+        _run(
+            [
+                "abra",
+                "app",
+                "secret",
+                "insert",
+                domain,
+                "ssl_key",
+                "v1",
+                f"{cert_dir}/privkey.pem",
+                "-f",
+                "-n",
+            ],
+            timeout=120,
+            check=True,
+        )


 SPECS: dict[str, dict] = {
@ -166,7 +199,13 @@ def _run(cmd, timeout=120, check=False):


 def _recipe_dir(recipe: str) -> str:
-    return os.path.expanduser(f"~/.abra/recipes/{recipe}")
+    # Resolve like the abra CLI does: $ABRA_DIR (the per-run tree when imported by a CI run,
+    # e.g. promote_canonical) else the canonical ~/.abra (this module's own systemd-timer runs,
+    # which set no ABRA_DIR). Keeps fetch_recipe (an `abra` subprocess) and the git readers
+    # below pointed at the SAME tree in both contexts.
+    return os.path.join(
+        os.environ.get("ABRA_DIR") or os.path.expanduser("~/.abra"), "recipes", recipe
+    )


 def recipe_tags(recipe: str) -> list[str]:
@ -218,8 +257,17 @@ def health_code(spec: dict) -> int:
    domain = spec.get("health_domain", spec["domain"])
    r = _run(
        [
-            "curl", "-sk", "-o", "/dev/null", "-w", "%{http_code}", "--max-time", "10",
-            "--resolve", f"{domain}:443:127.0.0.1", f"https://{domain}{spec['health_path']}",
+            "curl",
+            "-sk",
+            "-o",
+            "/dev/null",
+            "-w",
+            "%{http_code}",
+            "--max-time",
+            "10",
+            "--resolve",
+            f"{domain}:443:127.0.0.1",
+            f"https://{domain}{spec['health_path']}",
        ],
        timeout=20,
    )
@ -230,7 +278,6 @@ def health_code(spec: dict) -> int:


 def wait_healthy(spec: dict, timeout: int | None = None) -> bool:
-    domain = spec["domain"]
    deadline = time.time() + (timeout or spec["health_timeout"])
    while time.time() < deadline:
        if health_code(spec) in tuple(spec["health_ok"]):
@ -325,15 +372,18 @@ def ensure_server() -> None:

 def ensure_app_config(recipe: str, domain: str, version: str) -> None:
    if not os.path.isfile(env_file(domain)):
-        _run(["abra", "app", "new", recipe, "-s", "default", "-D", domain, version, "-o", "-n"],
-             timeout=120, check=True)
+        _run(
+            ["abra", "app", "new", recipe, "-s", "default", "-D", domain, version, "-o", "-n"],
+            timeout=120,
+            check=True,
+        )
    abra.env_set(domain, "DOMAIN", domain)
    abra.env_set(domain, "LETS_ENCRYPT_ENV", "")


 def ensure_secrets(domain: str) -> None:
    stack = lifecycle._stack_name(domain)  # noqa: SLF001
-    have = {n for n in lifecycle._docker_names("secret", stack)}  # noqa: SLF001
+    have = set(lifecycle._docker_names("secret", stack))  # noqa: SLF001
    if not any(n.endswith("_admin_password_v1") for n in have):
        abra.secret_generate(domain)

@ -393,8 +443,9 @@ def reconcile(app: str) -> str:
        write_alert(app, "held-major", current=current, latest=latest, release_notes=notes[:4000])
        return f"held-major:{current}->{latest}"
    if notes_flag_manual_migration(notes):
-        write_alert(app, "held-manual-migration", current=current, latest=latest,
-                    release_notes=notes[:4000])
+        write_alert(
+            app, "held-manual-migration", current=current, latest=latest, release_notes=notes[:4000]
+        )
        return f"held-manual-migration:{current}->{latest}"

    # WC1.1 health-gated upgrade with rollback.
@ -428,8 +479,14 @@ def reconcile(app: str) -> str:
        warmsnap.restore(recipe, domain)
    deploy_version(recipe, domain, last_good, dt)
    recovered = wait_healthy(spec)
-    write_alert(app, "rollback", last_good=last_good, attempted=latest, recovered=recovered,
-                release_notes=notes[:2000])
+    write_alert(
+        app,
+        "rollback",
+        last_good=last_good,
+        attempted=latest,
+        recovered=recovered,
+        release_notes=notes[:2000],
+    )
    if not recovered:
        raise RuntimeError(f"{app} rollback to {last_good} did not become healthy")
    return f"rolled-back:{latest}->{last_good}"
--- a/scripts/gen-meta-docs.py
+++ b/scripts/gen-meta-docs.py
@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+"""Render the harness.meta KEYS registry to the markdown key-reference table in
+docs/recipe-customization.md §4 (rcust P1.5; kills the R5 doc-drift class).
+
+Usage:
+  python3 scripts/gen-meta-docs.py            # rewrite the table in-place between the markers
+  python3 scripts/gen-meta-docs.py --print    # print the rendered table to stdout (used by the
+                                              # doc-sync unit test, tests/unit/test_meta.py)
+
+The table lives between `<!-- META-TABLE-START -->` / `<!-- META-TABLE-END -->` markers; a unit
+test asserts the committed table equals this rendering, so editing it by hand fails CI.
+"""
+
+from __future__ import annotations
+
+import os
+import sys
+
+ROOT = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+sys.path.insert(0, os.path.join(ROOT, "runner"))
+from harness.meta import KEYS  # noqa: E402
+
+DOC = os.path.join(ROOT, "docs", "recipe-customization.md")
+START = "<!-- META-TABLE-START -->"
+END = "<!-- META-TABLE-END -->"
+
+
+def _default_repr(v) -> str:
+    if v is None:
+        return "`None`"
+    return f"`{v!r}`"
+
+
+def render() -> str:
+    lines = [
+        START,
+        "",
+        "_This table is GENERATED from the `runner/harness/meta.py` KEYS registry by"
+        " `scripts/gen-meta-docs.py` — do not edit by hand (a unit test pins the sync)._",
+        "",
+        "| Key | Type | Default | Meaning |",
+        "|---|---|---|---|",
+    ]
+    for k in KEYS:
+        doc = k.doc.replace("|", "\\|")
+        name = f"`{k.name}`" + (" **(deprecated)**" if k.deprecated else "")
+        lines.append(f"| {name} | `{k.type}` | {_default_repr(k.default)} | {doc} |")
+    lines += ["", END]
+    return "\n".join(lines)
+
+
+def main() -> int:
+    table = render()
+    if "--print" in sys.argv:
+        print(table)
+        return 0
+    with open(DOC) as f:
+        text = f.read()
+    if START not in text or END not in text:
+        print(f"{DOC}: missing {START}/{END} markers", file=sys.stderr)
+        return 1
+    head, _, rest = text.partition(START)
+    _, _, tail = rest.partition(END)
+    with open(DOC, "w") as f:
+        f.write(head + table + tail)
+    print(f"{DOC}: key table rewritten from the registry ({len(KEYS)} keys)")
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())
--- a/tests/bluesky-pds/_p4.py
+++ b/tests/bluesky-pds/_p4.py
@ -15,7 +15,8 @@ import shlex
 import sys

 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
-from harness import http as harness_http, lifecycle  # noqa: E402
+from harness import http as harness_http  # noqa: E402
+from harness import lifecycle

 PDS_HOST_LOCAL = "http://localhost:3000"
 _PW = "ccci-P4-marker-pw-2026"
--- a/tests/bluesky-pds/functional/test_account_and_post.py
+++ b/tests/bluesky-pds/functional/test_account_and_post.py
@ -27,6 +27,7 @@ CRUD). A wedged PDS subsystem fails AT its layer.

 from __future__ import annotations

+import contextlib
 import os
 import re
 import secrets
@ -35,7 +36,8 @@ import sys
 import uuid

 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
-from harness import http as harness_http, lifecycle  # noqa: E402
+from harness import http as harness_http  # noqa: E402
+from harness import lifecycle

 PDS_HOST_LOCAL = "http://localhost:3000"

@ -58,14 +60,18 @@ def _goat_admin(domain: str, args: str) -> str:
    return _in_container(domain, cmd)


-def _xrpc_post(domain: str, nsid: str, data: dict, token: str | None = None) -> tuple[int, dict | None]:
+def _xrpc_post(
+    domain: str, nsid: str, data: dict, token: str | None = None
+) -> tuple[int, dict | None]:
    headers = {}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    return harness_http.http_post(f"https://{domain}/xrpc/{nsid}", data=data, headers=headers)


-def _xrpc_get(domain: str, nsid: str, query: str, token: str | None = None) -> tuple[int, dict | None]:
+def _xrpc_get(
+    domain: str, nsid: str, query: str, token: str | None = None
+) -> tuple[int, dict | None]:
    headers = {}
    if token:
        headers["Authorization"] = f"Bearer {token}"
@ -82,9 +88,9 @@ def test_account_lifecycle_and_post_roundtrip(live_app):

    # Step 1: PDS describe via goat — recipe self-identifies as did:web:<domain>
    out = _in_container(domain, f"goat pds describe {PDS_HOST_LOCAL} 2>&1")
-    assert f"did:web:{domain}" in out, (
-        f"goat pds describe did not contain expected DID 'did:web:{domain}'. Output:\n{out[:500]!r}"
-    )
+    assert (
+        f"did:web:{domain}" in out
+    ), f"goat pds describe did not contain expected DID 'did:web:{domain}'. Output:\n{out[:500]!r}"

    # Step 2: Create account (UUID-suffixed handle = no run-to-run collision)
    out = _goat_admin(
@ -127,9 +133,9 @@ def test_account_lifecycle_and_post_roundtrip(live_app):
        assert s == 200, f"createRecord HTTP {s}: {body!r}"
        record_uri = (body or {}).get("uri", "")
        # URI format: at://<did>/app.bsky.feed.post/<rkey>
-        assert record_uri.startswith(f"at://{new_did}/app.bsky.feed.post/"), (
-            f"unexpected record uri: {record_uri!r}"
-        )
+        assert record_uri.startswith(
+            f"at://{new_did}/app.bsky.feed.post/"
+        ), f"unexpected record uri: {record_uri!r}"
        rkey = record_uri.rsplit("/", 1)[-1]
        assert rkey, f"no rkey in uri: {record_uri!r}"

@ -142,15 +148,13 @@ def test_account_lifecycle_and_post_roundtrip(live_app):
        )
        assert s == 200, f"getRecord HTTP {s}: {body!r}"
        record_value = (body or {}).get("value", {})
-        assert record_value.get("text") == marker, (
-            f"post text did not round-trip: created={marker!r}, fetched={record_value.get('text')!r}"
-        )
+        assert (
+            record_value.get("text") == marker
+        ), f"post text did not round-trip: created={marker!r}, fetched={record_value.get('text')!r}"
        assert record_value.get("$type") == "app.bsky.feed.post"
    finally:
        # Step 6: Best-effort cleanup. (The per-run domain teardown will discard the volume
        # too, but we exercise the delete-account path because it's part of §4.3.)
        if cleanup_did:
-            try:
+            with contextlib.suppress(Exception):
                _goat_admin(domain, f"account delete {cleanup_did}")
-            except Exception:  # noqa: BLE001
-                pass
--- a/tests/bluesky-pds/functional/test_describe_server.py
+++ b/tests/bluesky-pds/functional/test_describe_server.py
@ -26,6 +26,6 @@ def test_describe_server_returns_atproto_envelope(live_app):
    # At least one of these atproto-spec fields must be present
    expected_any = ("availableUserDomains", "inviteCodeRequired", "links", "did")
    present = [k for k in expected_any if k in body]
-    assert present, (
-        f"describe-server missing all of {expected_any}; got keys: {sorted(body.keys())[:20]}"
-    )
+    assert (
+        present
+    ), f"describe-server missing all of {expected_any}; got keys: {sorted(body.keys())[:20]}"
--- a/tests/bluesky-pds/functional/test_health_check.py
+++ b/tests/bluesky-pds/functional/test_health_check.py
@ -17,6 +17,6 @@ def test_pds_health_returns_version(live_app):
    url = f"https://{live_app}/xrpc/_health"
    status, body = harness_http.retry_http_get(url, expect_status=200, max_wait=60, interval=3)
    assert status == 200, f"GET {url} HTTP {status} (expected 200)"
-    assert isinstance(body, dict) and isinstance(body.get("version"), str) and body["version"], (
-        f"GET {url} response is not the expected health envelope: {body!r}"
-    )
+    assert (
+        isinstance(body, dict) and isinstance(body.get("version"), str) and body["version"]
+    ), f"GET {url} response is not the expected health envelope: {body!r}"
--- a/tests/bluesky-pds/functional/test_session_auth.py
+++ b/tests/bluesky-pds/functional/test_session_auth.py
@ -30,6 +30,6 @@ def test_get_session_requires_auth(live_app):
        f"body: {body!r}"
    )
    # The XRPC error envelope is JSON with an `error` field per the atproto spec.
-    assert isinstance(body, dict) and body.get("error"), (
-        f"expected XRPC JSON error envelope; got: {body!r}"
-    )
+    assert isinstance(body, dict) and body.get(
+        "error"
+    ), f"expected XRPC JSON error envelope; got: {body!r}"
--- a/tests/bluesky-pds/install_steps.sh
+++ b/tests/bluesky-pds/install_steps.sh
@ -22,12 +22,12 @@ echo "  bluesky-pds install_steps: generating secp256k1 PLC rotation key..."
 # same shape the PDS expects (32-byte hex). Equivalent for atproto PDS bootstrap.
 KEY_HEX=$(cc-ci-run -c 'import secrets; print(secrets.token_bytes(32).hex())')
 if [ -z "${KEY_HEX}" ] || [ "${#KEY_HEX}" != "64" ]; then
-    echo "  install_steps: failed to generate PLC rotation key (KEY_HEX length=${#KEY_HEX})" >&2
-    exit 1
+  echo "  install_steps: failed to generate PLC rotation key (KEY_HEX length=${#KEY_HEX})" >&2
+  exit 1
 fi

 # Insert via abra under TTY-wrap (`abra app secret insert` requires a TTY on this version).
 # We DON'T log the key value — abra also doesn't print it.
 script -qec "abra app secret insert ${CCCI_APP_DOMAIN} pds_plc_rotation_key v1 ${KEY_HEX} --no-input" /dev/null \
-    >/dev/null 2>&1
+  >/dev/null 2>&1
 echo "  bluesky-pds install_steps: PLC rotation key inserted (v1)."
--- a/tests/bluesky-pds/ops.py
+++ b/tests/bluesky-pds/ops.py
@ -9,14 +9,14 @@ sys.path.insert(0, os.path.dirname(__file__))
 import _p4  # noqa: E402


-def pre_upgrade(domain, meta):
-    _p4.create_account(domain)
+def pre_upgrade(ctx):
+    _p4.create_account(ctx.domain)


-def pre_backup(domain, meta):
-    _p4.create_account(domain)
+def pre_backup(ctx):
+    _p4.create_account(ctx.domain)


-def pre_restore(domain, meta):
-    _p4.delete_account(domain)
-    assert not _p4.account_exists(domain), "marker account delete did not take (pre_restore)"
+def pre_restore(ctx):
+    _p4.delete_account(ctx.domain)
+    assert not _p4.account_exists(ctx.domain), "marker account delete did not take (pre_restore)"
--- a/tests/bluesky-pds/test_restore.py
+++ b/tests/bluesky-pds/test_restore.py
@ -11,6 +11,6 @@ import _p4  # noqa: E402


 def test_restore_returns_state(live_app):
-    assert _p4.account_exists(live_app), (
-        "restore did not bring back the seeded marker account (PDS data did not survive restore)"
-    )
+    assert _p4.account_exists(
+        live_app
+    ), "restore did not bring back the seeded marker account (PDS data did not survive restore)"
--- a/tests/concurrency/concutil.py
+++ b/tests/concurrency/concutil.py
@ -0,0 +1,108 @@
+"""Shared utilities for the real-kernel concurrency suite (imported by the test modules; the
+fixtures in conftest.py wrap these). No flock mocking anywhere — probes use real LOCK_NB."""
+
+from __future__ import annotations
+
+import contextlib
+import fcntl
+import os
+import signal
+import subprocess
+import sys
+import time
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
+from harness import lifecycle  # noqa: E402
+
+HELPERS = os.path.join(os.path.dirname(__file__), "helpers.py")
+DOMAIN = "test-abc123.ci.commoninternet.net"  # matches RUN_APP_RE
+
+
+class HelperPool:
+    """Spawns helpers.py subprocesses and GUARANTEES their cleanup (incl. recorded grandchild
+    pids from `hold-with-child`/`wrapper` markers) — no leaked children in the test VM."""
+
+    def __init__(self, out_dir: str):
+        self.out_dir = out_dir
+        self.procs: list[subprocess.Popen] = []
+        self.extra_pids: list[int] = []
+        self._n = 0
+
+    def spawn(self, *args: str, env_extra: dict | None = None) -> tuple[subprocess.Popen, str]:
+        """Start `helpers.py <args...>`; returns (proc, marker_file)."""
+        self._n += 1
+        out = os.path.join(self.out_dir, f"helper-{self._n}.out")
+        env = dict(os.environ, CCCI_HELPER_OUT=out, **(env_extra or {}))
+        p = subprocess.Popen(  # noqa: S603
+            [sys.executable, HELPERS, *args],
+            env=env,
+            stdout=subprocess.DEVNULL,
+            stderr=subprocess.STDOUT,
+        )
+        self.procs.append(p)
+        return p, out
+
+    def track_pid(self, pid: int) -> None:
+        self.extra_pids.append(pid)
+
+    def cleanup(self) -> None:
+        for p in self.procs:
+            if p.poll() is None:
+                p.kill()
+            with contextlib.suppress(subprocess.TimeoutExpired):
+                p.wait(timeout=10)
+        for pid in self.extra_pids:
+            with contextlib.suppress(OSError):
+                os.kill(pid, signal.SIGKILL)
+
+
+def wait_marker(out: str, token: str, timeout: float = 15.0) -> str | None:
+    """Poll a helper's marker file for a line containing `token`; returns the line or None."""
+    deadline = time.time() + timeout
+    while time.time() < deadline:
+        try:
+            with open(out) as f:
+                for line in f:
+                    if token in line:
+                        return line.strip()
+        except OSError:
+            pass
+        time.sleep(0.1)
+    return None
+
+
+def lock_state(domain: str) -> str:
+    """'held' | 'free' | 'absent' for the domain's lockfile, probed with a REAL LOCK_NB."""
+    path = lifecycle._app_lock_path(domain)  # noqa: SLF001
+    if not os.path.exists(path):
+        return "absent"
+    with open(path, "a") as f:
+        try:
+            fcntl.flock(f, fcntl.LOCK_EX | fcntl.LOCK_NB)
+            return "free"
+        except BlockingIOError:
+            return "held"
+
+
+def wait_lock_state(domain: str, want: str, timeout: float = 10.0) -> str:
+    """Poll until lock_state(domain) == want (kernel release on process death is fast, but give
+    the scheduler room). Returns the final observed state."""
+    deadline = time.time() + timeout
+    state = lock_state(domain)
+    while state != want and time.time() < deadline:
+        time.sleep(0.1)
+        state = lock_state(domain)
+    return state
+
+
+def pid_alive(pid: int) -> bool:
+    return os.path.exists(f"/proc/{pid}")
+
+
+def wait_pid_gone(pid: int, timeout: float = 15.0) -> bool:
+    deadline = time.time() + timeout
+    while time.time() < deadline:
+        if not pid_alive(pid):
+            return True
+        time.sleep(0.1)
+    return False
--- a/tests/concurrency/conftest.py
+++ b/tests/concurrency/conftest.py
@ -0,0 +1,34 @@
+"""Fixtures for the real-kernel concurrency suite (concurrency-restructure plan, 19 cases).
+
+NOT part of the default `pytest tests/unit` gate — run explicitly with `pytest tests/concurrency
+-q` (docs/concurrency.md). Locks live in a per-test tmp dir (CCCI_APP_LOCK_DIR); helper
+subprocesses hold REAL flocks / install the REAL prctl+signal guards and are always reaped in
+fixture finalizers (no leaked children in the test VM).
+"""
+
+from __future__ import annotations
+
+import os
+import sys
+
+import pytest
+
+sys.path.insert(0, os.path.dirname(__file__))
+from concutil import HelperPool  # noqa: E402
+
+
+@pytest.fixture
+def lock_dir(tmp_path, monkeypatch):
+    """Sandbox lock dir, exported so BOTH this process's lifecycle calls and helper subprocesses
+    (which inherit os.environ) resolve their lockfiles here — never /run/lock."""
+    d = tmp_path / "locks"
+    d.mkdir()
+    monkeypatch.setenv("CCCI_APP_LOCK_DIR", str(d))
+    return str(d)
+
+
+@pytest.fixture
+def pool(tmp_path):
+    hp = HelperPool(str(tmp_path))
+    yield hp
+    hp.cleanup()
--- a/tests/concurrency/helpers.py
+++ b/tests/concurrency/helpers.py
@ -0,0 +1,149 @@
+#!/usr/bin/env python3
+"""Subprocess helpers for tests/concurrency — REAL kernel locks and the REAL lifetime guards in
+separate processes (flock/prctl are never mocked; tests assert on actual kernel behavior).
+
+Invoked as:  python3 helpers.py <command> <args...>
+
+Env contract (set by the spawning test):
+  CCCI_APP_LOCK_DIR  sandbox lock dir (never /run/lock in tests)
+  CCCI_HELPER_OUT    marker file this helper APPENDS progress lines to (ACQUIRED/READY/...)
+
+Commands:
+  hold <domain>                 acquire the app lock, mark `ACQUIRED <ts>`, sleep forever
+  hold-with-child <domain>      acquire the lock, spawn a plain sleeping subprocess child, mark
+                                `ACQUIRED <ts>` + `CHILD <pid>` (PEP 446: the child must NOT
+                                inherit the lock fd), sleep forever
+  guarded <domain> <deadline>   install the REAL lifetime guards (alarm=<deadline>s), acquire the
+                                lock, mark `READY`; when the teardown funnel runs (`finally:`),
+                                mark `TEARDOWN` before exiting
+  wrapper <domain>              spawn `guarded <domain> 3600` as MY child, mark `WRAPPED <pid>`,
+                                sleep — the test kills me to prove PDEATHSIG TERMs the child
+  orphan-probe                  wait (bounded) until reparented (ppid==1), then install the
+                                guards; mark `REFUSED` if they exit (expected) or `GUARDS_OK`
+  fetch-checkout <recipe> <ref> run run_recipe_ci.fetch_recipe (the test sets CCCI_SKIP_FETCH=1
+                                + a per-"run" ABRA_DIR), git-checkout <ref>, mark
+                                `RESULT <head> <data.txt content>`
+"""
+
+from __future__ import annotations
+
+import os
+import subprocess
+import sys
+import time
+
+sys.path.insert(0, os.path.join(os.path.dirname(os.path.abspath(__file__)), "..", "..", "runner"))
+from harness import abra, lifecycle, lifetime  # noqa: E402
+
+OUT = os.environ.get("CCCI_HELPER_OUT")
+
+
+def mark(line: str) -> None:
+    if OUT:
+        with open(OUT, "a") as f:
+            f.write(line + "\n")
+            f.flush()
+    print(line, flush=True)
+
+
+def cmd_hold(domain: str) -> None:
+    lifecycle.acquire_app_lock(domain)
+    mark(f"ACQUIRED {time.time()}")
+    time.sleep(3600)
+
+
+def cmd_hold_with_child(domain: str) -> None:
+    lifecycle.acquire_app_lock(domain)
+    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(3600)"])
+    mark(f"ACQUIRED {time.time()}")
+    mark(f"CHILD {child.pid}")
+    time.sleep(3600)
+
+
+def cmd_guarded(domain: str, deadline: str) -> None:
+    lifetime.install_lifetime_guards(deadline_seconds=int(deadline))
+    lifecycle.acquire_app_lock(domain)
+    mark("READY")
+    try:
+        time.sleep(3600)
+    finally:
+        mark("TEARDOWN")
+
+
+def cmd_wrapper(domain: str) -> None:
+    p = subprocess.Popen(  # noqa: S603
+        [sys.executable, os.path.abspath(__file__), "guarded", domain, "3600"],
+        env=os.environ.copy(),
+    )
+    mark(f"WRAPPED {p.pid}")
+    time.sleep(3600)
+
+
+def cmd_orphan_probe() -> None:
+    # Our spawner exits immediately after fork; wait (bounded) until we are reparented so the
+    # prctl is installed with the parent ALREADY dead — the exact race the ppid check closes.
+    for _ in range(200):
+        if os.getppid() == 1:
+            break
+        time.sleep(0.05)
+    else:
+        mark("NEVER_REPARENTED")  # e.g. a subreaper environment — test will fail visibly
+        return
+    try:
+        lifetime.install_lifetime_guards()
+    except SystemExit:
+        mark("REFUSED")
+        raise
+    mark("GUARDS_OK")
+
+
+def cmd_fetch_checkout(recipe: str, ref: str) -> None:
+    import run_recipe_ci
+
+    run_recipe_ci.fetch_recipe(recipe, None, None)
+    abra.recipe_checkout(recipe, ref)
+    head = abra.recipe_head_commit(recipe)
+    with open(os.path.join(abra.recipe_dir(recipe), "data.txt")) as f:
+        content = f.read().strip()
+    mark(f"RESULT {head} {content}")
+
+
+def cmd_deploy_count_run(domain: str, gate: str) -> None:
+    """Mirror the REAL run flow for the DG4.1 counter (CONC-A1 regression): countfile init
+    (main() preamble) → _record_deploy (deploy_app fires it BEFORE the app lock) → acquire
+    the app lock → wait for `gate` (file path; '' = no wait) → read + remove own countfile.
+    Two of these on the SAME domain must each see COUNT 1 and never lose their file."""
+    import run_recipe_ci
+
+    countfile = run_recipe_ci._run_state_path("deploys")
+    with open(countfile, "w") as f:
+        f.write("0")
+    os.environ["CCCI_DEPLOY_COUNT_FILE"] = countfile
+    lifecycle._record_deploy()  # pre-lock, exactly like lifecycle.deploy_app()
+    mark("PRELOCK")
+    lifecycle.acquire_app_lock(domain)
+    mark("ACQUIRED")
+    if gate:
+        deadline = time.time() + 15
+        while not os.path.exists(gate) and time.time() < deadline:
+            time.sleep(0.05)
+    try:
+        with open(countfile) as f:
+            n = int(f.read().strip() or "0")
+        os.remove(countfile)
+        mark(f"COUNT {n}")
+    except FileNotFoundError:
+        mark("COUNT_FILE_MISSING")
+
+
+if __name__ == "__main__":
+    cmd, *args = sys.argv[1:]
+    {
+        "hold": cmd_hold,
+        "hold-with-child": cmd_hold_with_child,
+        "guarded": cmd_guarded,
+        "wrapper": cmd_wrapper,
+        "orphan-probe": cmd_orphan_probe,
+        "fetch-checkout": cmd_fetch_checkout,
+        "deploy-count-run": cmd_deploy_count_run,
+    }[cmd](*args)
--- a/tests/concurrency/test_abra_dir.py
+++ b/tests/concurrency/test_abra_dir.py
@ -0,0 +1,175 @@
+"""Per-run ABRA_DIR isolation (concurrency-restructure plan, cases 17-19). Real directories,
+real symlinks, real git — abra itself is replaced by a recording stub where a CLI call is
+involved (case 17), because these cases test OUR dir/env plumbing, not abra."""
+
+from __future__ import annotations
+
+import os
+import stat
+import subprocess
+import sys
+
+sys.path.insert(0, os.path.dirname(__file__))
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
+import run_recipe_ci  # noqa: E402
+from concutil import wait_marker  # noqa: E402
+from harness import abra  # noqa: E402
+
+RECIPE = "fakerecipe"
+
+
+def _git(cwd, *args):
+    subprocess.run(
+        ["git", "-c", "user.email=t@t", "-c", "user.name=t", *args],
+        cwd=cwd,
+        check=True,
+        capture_output=True,
+    )
+
+
+def _make_fake_home(tmp_path):
+    """A fake $HOME with a canonical ~/.abra: servers/default + catalogue dirs, and a recipe git
+    repo with two tags whose data.txt differs (v1 -> 'one', v2 -> 'two', HEAD at v2)."""
+    home = tmp_path / "home"
+    (home / ".abra" / "servers" / "default").mkdir(parents=True)
+    (home / ".abra" / "catalogue").mkdir(parents=True)
+    repo = home / ".abra" / "recipes" / RECIPE
+    repo.mkdir(parents=True)
+    _git(repo, "init", "-q")
+    (repo / "data.txt").write_text("one\n")
+    _git(repo, "add", "data.txt")
+    _git(repo, "commit", "-qm", "v1")
+    _git(repo, "tag", "v1")
+    (repo / "data.txt").write_text("two\n")
+    _git(repo, "add", "data.txt")
+    _git(repo, "commit", "-qm", "v2")
+    _git(repo, "tag", "v2")
+    return home
+
+
+def test_17_per_run_dir_built_and_exported_before_abra(tmp_path, monkeypatch):
+    """Case 17: setup_run_abra_dir builds the per-run dir correctly (servers/catalogue symlinks
+    resolve to the canonical tree, recipes/ empty + writable) and $ABRA_DIR is exported before
+    the first abra call — proven by a stub `abra` on PATH that records the env it saw."""
+    home = _make_fake_home(tmp_path)
+    monkeypatch.setenv("HOME", str(home))
+    monkeypatch.setenv("CCCI_RUNS_DIR", str(tmp_path / "runs"))
+    monkeypatch.setenv("DRONE_BUILD_NUMBER", "777")
+    monkeypatch.setenv("ABRA_DIR", "sentinel-to-be-overwritten")  # so monkeypatch restores it
+
+    d = run_recipe_ci.setup_run_abra_dir()
+    assert d == str(tmp_path / "runs" / "777" / "abra")
+    assert os.environ["ABRA_DIR"] == d
+    assert os.readlink(os.path.join(d, "servers")) == str(home / ".abra" / "servers")
+    assert os.readlink(os.path.join(d, "catalogue")) == str(home / ".abra" / "catalogue")
+    # symlinks RESOLVE (targets exist) and recipes/ is empty + writable
+    assert os.path.isdir(os.path.join(d, "servers", "default"))
+    assert os.path.isdir(os.path.join(d, "catalogue"))
+    assert os.listdir(os.path.join(d, "recipes")) == []
+    probe = os.path.join(d, "recipes", ".write-probe")
+    open(probe, "w").close()
+    os.remove(probe)
+    # idempotent re-entry (Drone build-number retry): must not raise on existing symlinks
+    assert run_recipe_ci.setup_run_abra_dir() == d
+
+    # stub abra records $ABRA_DIR at call time; fetch_recipe's catalogue branch invokes it
+    stub_dir = tmp_path / "bin"
+    stub_dir.mkdir()
+    log = tmp_path / "abra-env.log"
+    stub = stub_dir / "abra"
+    stub.write_text(f'#!/bin/sh\necho "$ABRA_DIR" >> {log}\nexit 0\n')
+    stub.chmod(stub.stat().st_mode | stat.S_IEXEC)
+    monkeypatch.setenv("PATH", f"{stub_dir}{os.pathsep}{os.environ['PATH']}")
+    monkeypatch.delenv("CCCI_SKIP_FETCH", raising=False)
+    run_recipe_ci.fetch_recipe(RECIPE, None, None)
+    assert log.read_text().strip() == d, "abra was called without the per-run ABRA_DIR exported"
+
+
+def test_18_concurrent_same_recipe_fetch_no_cross_talk(tmp_path, monkeypatch, pool):
+    """Case 18: two CONCURRENT fetch+checkout flows of the SAME recipe into different ABRA_DIRs
+    produce two correct, divergent trees (v1 vs v2) — the old shared-tree corruption scenario,
+    now structurally safe with no lock. The canonical staged clone is untouched."""
+    home = _make_fake_home(tmp_path)
+    canonical_repo = home / ".abra" / "recipes" / RECIPE
+    head_before = subprocess.run(
+        ["git", "-C", canonical_repo, "rev-parse", "HEAD"], capture_output=True, text=True
+    ).stdout.strip()
+
+    runs = {}
+    for name, ref in (("runA", "v1"), ("runB", "v2")):
+        abra_dir = tmp_path / name / "abra"
+        abra_dir.mkdir(parents=True)
+        _, out = pool.spawn(
+            "fetch-checkout",
+            RECIPE,
+            ref,
+            env_extra={
+                "HOME": str(home),
+                "ABRA_DIR": str(abra_dir),
+                "CCCI_SKIP_FETCH": "1",
+            },
+        )
+        runs[name] = (out, ref, abra_dir)
+
+    expect = {"v1": "one", "v2": "two"}
+    for name, (out, ref, abra_dir) in runs.items():
+        line = wait_marker(out, "RESULT", timeout=30)
+        assert line, f"{name} never produced a RESULT"
+        _, head, content = line.split()
+        assert content == expect[ref], f"{name}@{ref}: tree content {content!r}"
+        tree = abra_dir / "recipes" / RECIPE
+        assert (tree / "data.txt").read_text().strip() == expect[ref]
+        assert (
+            head
+            == subprocess.run(
+                ["git", "-C", tree, "rev-parse", "HEAD"], capture_output=True, text=True
+            ).stdout.strip()
+        )
+
+    # the two trees genuinely diverge AND the canonical staged clone is untouched
+    a = (runs["runA"][2] / "recipes" / RECIPE / "data.txt").read_text()
+    b = (runs["runB"][2] / "recipes" / RECIPE / "data.txt").read_text()
+    assert a != b
+    head_after = subprocess.run(
+        ["git", "-C", canonical_repo, "rev-parse", "HEAD"], capture_output=True, text=True
+    ).stdout.strip()
+    assert head_after == head_before, "canonical clone must not be touched by per-run fetches"
+
+
+def test_19_env_written_through_servers_symlink_lands_canonical(tmp_path, monkeypatch):
+    """Case 19: an app .env written through the per-run servers/ symlink (what abra does under
+    $ABRA_DIR) lands in the CANONICAL shared path — so janitor discovery and every
+    expanduser('~/.abra/servers/...') reader keep working unchanged."""
+    home = _make_fake_home(tmp_path)
+    monkeypatch.setenv("HOME", str(home))
+    monkeypatch.setenv("CCCI_RUNS_DIR", str(tmp_path / "runs"))
+    monkeypatch.setenv("DRONE_BUILD_NUMBER", "778")
+    monkeypatch.setenv("ABRA_DIR", "sentinel-to-be-overwritten")
+    d = run_recipe_ci.setup_run_abra_dir()
+
+    domain = "test-abc123.ci.commoninternet.net"
+    via_symlink = os.path.join(d, "servers", "default", f"{domain}.env")
+    with open(via_symlink, "w") as f:
+        f.write("TYPE=fakerecipe:1.0.0\nDOMAIN=placeholder\n")
+
+    canonical = home / ".abra" / "servers" / "default" / f"{domain}.env"
+    assert canonical.is_file(), ".env written via the symlink must land in the canonical path"
+    # the canonical-path readers/writers (abra.env_get/env_set use ~/.abra) see the same file
+    assert abra.env_get(domain, "TYPE") == "fakerecipe:1.0.0"
+    abra.env_set(domain, "DOMAIN", domain)
+    with open(via_symlink) as f:
+        assert f"DOMAIN={domain}" in f.read()
+
+
+def test_18b_run_id_manual_fallback_is_per_process(tmp_path, monkeypatch):
+    """Companion to case 18: two concurrent MANUAL runs (no DRONE_BUILD_NUMBER) must not share an
+    abra dir either — the manual fallback is pid-suffixed."""
+    home = _make_fake_home(tmp_path)
+    monkeypatch.setenv("HOME", str(home))
+    monkeypatch.setenv("CCCI_RUNS_DIR", str(tmp_path / "runs"))
+    monkeypatch.delenv("DRONE_BUILD_NUMBER", raising=False)
+    monkeypatch.delenv("CCCI_APP_DOMAIN", raising=False)
+    monkeypatch.delenv("CCCI_RUN_ID", raising=False)
+    monkeypatch.setenv("ABRA_DIR", "sentinel-to-be-overwritten")
+    d = run_recipe_ci.setup_run_abra_dir()
+    assert f"manual-{os.getpid()}" in d
--- a/tests/concurrency/test_janitor.py
+++ b/tests/concurrency/test_janitor.py
@ -0,0 +1,189 @@
+"""Janitor / flock-probe semantics (concurrency-restructure plan, cases 5-12).
+
+The janitor runs IN-PROCESS with its discovery monkeypatched (candidates injected via a stubbed
+abra.app_ls + empty docker sweep) and teardown_app stubbed to record calls — but the LOCKS are
+real kernel flocks, held by real helper subprocesses where a live owner is needed."""
+
+from __future__ import annotations
+
+import os
+import sys
+import threading
+import time
+
+sys.path.insert(0, os.path.dirname(__file__))
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
+from concutil import DOMAIN, lock_state, wait_marker  # noqa: E402
+from harness import lifecycle  # noqa: E402
+
+
+def _inject_candidates(monkeypatch, domains):
+    """Point janitor discovery at exactly `domains`: abra lists them, docker sweep is empty.
+    teardown_app is stubbed to a recorder; returns the calls list."""
+    calls = []
+    monkeypatch.setattr(lifecycle.abra, "app_ls", lambda: [{"appName": d} for d in domains])
+    monkeypatch.setattr(lifecycle, "_docker_names", lambda kind, stack: [])
+    monkeypatch.setattr(lifecycle, "teardown_app", lambda d, verify=True: calls.append(d))
+    return calls
+
+
+def test_5_orphan_reaped_lockfile_unlinked(lock_dir, pool, monkeypatch):
+    """Case 5: an orphan (lockfile exists, no holder — its run was SIGKILL'd) is reaped exactly
+    once and its lockfile unlinked."""
+    p, out = pool.spawn("hold", DOMAIN)
+    assert wait_marker(out, "ACQUIRED")
+    p.kill()
+    p.wait(timeout=10)
+    calls = _inject_candidates(monkeypatch, [DOMAIN])
+    lifecycle.janitor()
+    assert calls == [DOMAIN], f"teardown calls: {calls} (expected exactly one)"
+    assert lock_state(DOMAIN) == "absent", "reaped orphan's lockfile must be unlinked"
+
+
+def test_6_live_run_never_reaped(lock_dir, pool, monkeypatch, capsys):
+    """Case 6: a held lock (live helper) is never reaped and is logged as live."""
+    p, out = pool.spawn("hold", DOMAIN)
+    assert wait_marker(out, "ACQUIRED")
+    calls = _inject_candidates(monkeypatch, [DOMAIN])
+    lifecycle.janitor()
+    assert calls == []
+    assert "live concurrent run" in capsys.readouterr().out
+    assert lock_state(DOMAIN) == "held"
+
+
+def test_7_new_run_blocks_until_reap_finishes(lock_dir, pool, monkeypatch):
+    """Case 7: the janitor reaps WHILE HOLDING the probe lock, so a new run of the same domain
+    blocks in acquire_app_lock until the reap completes — no window where a fresh app coexists
+    with a half-reaped one."""
+    # Make an orphan.
+    p, out = pool.spawn("hold", DOMAIN)
+    assert wait_marker(out, "ACQUIRED")
+    p.kill()
+    p.wait(timeout=10)
+
+    state = {"teardown_end": None, "acquirer_out": None}
+
+    def slow_teardown(domain, verify=True):
+        # While the janitor holds the probe lock mid-reap, a new run starts acquiring.
+        _, aout = pool.spawn("hold", DOMAIN)
+        state["acquirer_out"] = aout
+        time.sleep(2.0)
+        state["teardown_end"] = time.time()
+
+    monkeypatch.setattr(lifecycle.abra, "app_ls", lambda: [{"appName": DOMAIN}])
+    monkeypatch.setattr(lifecycle, "_docker_names", lambda kind, stack: [])
+    monkeypatch.setattr(lifecycle, "teardown_app", slow_teardown)
+    lifecycle.janitor()
+
+    line = wait_marker(state["acquirer_out"], "ACQUIRED", timeout=15)
+    assert line, "new run never acquired after the reap"
+    acquired_ts = float(line.split()[1])
+    assert (
+        acquired_ts >= state["teardown_end"]
+    ), f"new run acquired at {acquired_ts} BEFORE the reap finished at {state['teardown_end']}"
+    # The new run must hold a lock the next probe can SEE (fresh inode at the path).
+    assert lock_state(DOMAIN) == "held"
+
+
+def test_8_two_janitors_exactly_one_reaps(lock_dir, pool, monkeypatch):
+    """Case 8: two concurrent janitors arbitrate on the probe flock — exactly one reaps (the
+    other sees 'held' and leaves). Teardown is slowed so the runs genuinely overlap."""
+    p, out = pool.spawn("hold", DOMAIN)
+    assert wait_marker(out, "ACQUIRED")
+    p.kill()
+    p.wait(timeout=10)
+
+    calls = []
+    calls_lock = threading.Lock()
+
+    def slow_teardown(domain, verify=True):
+        with calls_lock:
+            calls.append(domain)
+        time.sleep(2.0)
+
+    monkeypatch.setattr(lifecycle.abra, "app_ls", lambda: [{"appName": DOMAIN}])
+    monkeypatch.setattr(lifecycle, "_docker_names", lambda kind, stack: [])
+    monkeypatch.setattr(lifecycle, "teardown_app", slow_teardown)
+
+    barrier = threading.Barrier(2)
+
+    def run_janitor():
+        barrier.wait()
+        lifecycle.janitor()
+
+    t1, t2 = threading.Thread(target=run_janitor), threading.Thread(target=run_janitor)
+    t1.start(), t2.start()
+    t1.join(timeout=30), t2.join(timeout=30)
+    assert calls == [DOMAIN], f"expected exactly one reap, got {calls}"
+    assert lock_state(DOMAIN) == "absent"
+
+
+def test_9_reboot_lockfile_absent_reaped_immediately(lock_dir, monkeypatch):
+    """Case 9: post-reboot simulation — the app exists but its lockfile is gone (/run/lock is
+    tmpfs). The probe trivially acquires -> immediate reap, NO age threshold (improvement over
+    the old 2h fallback)."""
+    assert lock_state(DOMAIN) == "absent"
+    calls = _inject_candidates(monkeypatch, [DOMAIN])
+    t0 = time.time()
+    lifecycle.janitor()
+    assert calls == [DOMAIN]
+    assert time.time() - t0 < 5, "reap must be immediate (no age wait)"
+
+
+def test_10_long_held_lock_flagged_never_stolen(lock_dir, pool, monkeypatch, capsys):
+    """Case 10: a lock held with mtime older than 120min is flagged as a possible leaked run —
+    and NOT reaped (never steal a held lock)."""
+    p, out = pool.spawn("hold", DOMAIN)
+    assert wait_marker(out, "ACQUIRED")
+    path = lifecycle._app_lock_path(DOMAIN)  # noqa: SLF001
+    backdate = time.time() - (130 * 60)
+    os.utime(path, (backdate, backdate))
+    calls = _inject_candidates(monkeypatch, [DOMAIN])
+    lifecycle.janitor()
+    assert calls == []
+    out_text = capsys.readouterr().out
+    assert "possible leaked run" in out_text and "lslocks" in out_text
+    assert lock_state(DOMAIN) == "held"
+
+
+def test_11_warm_canonical_names_never_probed(lock_dir, monkeypatch):
+    """Case 11: RUN_APP_RE allowlist — warm/canonical-shaped names never become candidates, so
+    they are never probed (no lockfile is even created for them) and never reaped."""
+    warmish = [
+        "warm-keycloak.ci.commoninternet.net",
+        "keycloak.ci.commoninternet.net",
+        "warm-hedgedoc.ci.commoninternet.net",
+        "drone.ci.commoninternet.net",
+    ]
+    calls = []
+    monkeypatch.setattr(lifecycle.abra, "app_ls", lambda: [{"appName": d} for d in warmish])
+    monkeypatch.setattr(
+        lifecycle,
+        "_docker_names",
+        lambda kind, stack: ["warm-keycloak_ci_commoninternet_net_app"]
+        if kind == "service"
+        else [],
+    )
+    monkeypatch.setattr(lifecycle, "teardown_app", lambda d, verify=True: calls.append(d))
+    lifecycle.janitor()
+    assert calls == []
+    lockdir = os.environ["CCCI_APP_LOCK_DIR"]
+    assert [
+        f for f in os.listdir(lockdir) if f.startswith("cc-ci-app-")
+    ] == [], "janitor must not create lockfiles for non-run-app names"
+
+
+def test_12_degrades_safely_on_bad_lockfile_and_missing_dir(lock_dir, monkeypatch, capsys):
+    """Case 12: a garbled/unopenable lockfile (here: a DIRECTORY at the lockfile path) is skipped
+    with a log line; a missing lock dir doesn't crash the janitor either. Never a crash."""
+    path = lifecycle._app_lock_path(DOMAIN)  # noqa: SLF001
+    os.makedirs(path)  # open(path, "a") -> IsADirectoryError (an OSError)
+    calls = _inject_candidates(monkeypatch, [DOMAIN])
+    lifecycle.janitor()  # must not raise
+    assert calls == []
+    assert "skipping" in capsys.readouterr().out
+
+    os.rmdir(path)
+    monkeypatch.setenv("CCCI_APP_LOCK_DIR", os.path.join(os.environ["CCCI_APP_LOCK_DIR"], "gone"))
+    lifecycle.janitor()  # missing dir: probe open fails -> skip; tidy glob -> empty. No crash.
+    assert calls == []
--- a/tests/concurrency/test_lifetime.py
+++ b/tests/concurrency/test_lifetime.py
@ -0,0 +1,82 @@
+"""Lifetime hardening (concurrency-restructure plan, cases 13-16): the REAL prctl/signal/alarm
+guards installed by helper subprocesses; tests assert teardown ran, exit was non-zero, and the
+lock was released."""
+
+from __future__ import annotations
+
+import os
+import signal
+import sys
+
+sys.path.insert(0, os.path.dirname(__file__))
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
+from concutil import (  # noqa: E402
+    DOMAIN,
+    wait_lock_state,
+    wait_marker,
+    wait_pid_gone,
+)
+
+
+def test_13_pdeathsig_parent_kill_terms_harness(lock_dir, pool):
+    """Case 13: wrapper-parent spawns a guarded harness-child; the parent is SIGKILL'd (the
+    harness gets no courtesy signal) -> the kernel's PDEATHSIG TERMs the child, its teardown
+    funnel runs, it exits, and the lock is released."""
+    p, out = pool.spawn("wrapper", DOMAIN)
+    line = wait_marker(out, "WRAPPED")
+    assert line, "wrapper never spawned its child"
+    child_pid = int(line.split()[1])
+    pool.track_pid(child_pid)
+    assert wait_marker(out, "READY"), "guarded child never got ready"
+
+    p.kill()  # parent dies WITHOUT signalling the child — only PDEATHSIG can save us
+    p.wait(timeout=10)
+    assert wait_pid_gone(child_pid), "guarded child must exit on parent death (PDEATHSIG)"
+    assert wait_marker(out, "TEARDOWN", timeout=5), "teardown funnel did not run"
+    assert wait_lock_state(DOMAIN, "free") == "free"
+
+
+def test_14_already_orphaned_helper_refuses_to_run(lock_dir, pool):
+    """Case 14 (ppid race): a helper whose parent died BEFORE the prctl was armed (it starts
+    already reparented to pid 1) must refuse to run — PDEATHSIG would never fire for it."""
+    # Spawn an intermediate parent that forks orphan-probe and exits immediately.
+    import subprocess
+
+    out = os.path.join(pool.out_dir, "orphan.out")
+    intermediate = (
+        "import subprocess, sys, os; "
+        "subprocess.Popen([sys.executable, os.environ['CCCI_HELPERS'], 'orphan-probe']); "
+    )
+    env = dict(
+        os.environ,
+        CCCI_HELPER_OUT=out,
+        CCCI_HELPERS=os.path.join(os.path.dirname(__file__), "helpers.py"),
+    )
+    subprocess.run([sys.executable, "-c", intermediate], env=env, timeout=15, check=True)
+    line = wait_marker(out, "REFUSED", timeout=20)
+    assert line, "orphaned helper did not refuse to run (or never reparented to pid 1)"
+
+
+def test_15_deadline_alarm_fires_teardown_and_releases(lock_dir, pool):
+    """Case 15: the self-deadline (alarm). A guarded helper with a 2s deadline tears down via
+    the funnel (finally: ran), exits NON-zero, and its lock is released."""
+    p, out = pool.spawn("guarded", DOMAIN, "2")
+    assert wait_marker(out, "READY")
+    rc = p.wait(timeout=20)
+    assert rc != 0, f"deadline exit must be non-zero (got {rc})"
+    assert rc == 128 + signal.SIGALRM, f"expected 142 (128+SIGALRM), got {rc}"
+    assert wait_marker(out, "TEARDOWN", timeout=5), "teardown funnel did not run on deadline"
+    assert wait_lock_state(DOMAIN, "free") == "free"
+
+
+def test_16_sigterm_runs_teardown_funnel_and_releases(lock_dir, pool):
+    """Case 16: SIGTERM (drone cancel path) -> the finally: teardown funnel runs, exit is
+    non-zero, lock released."""
+    p, out = pool.spawn("guarded", DOMAIN, "3600")
+    assert wait_marker(out, "READY")
+    p.send_signal(signal.SIGTERM)
+    rc = p.wait(timeout=20)
+    assert rc != 0, f"SIGTERM exit must be non-zero (got {rc})"
+    assert rc == 128 + signal.SIGTERM, f"expected 143 (128+SIGTERM), got {rc}"
+    assert wait_marker(out, "TEARDOWN", timeout=5), "teardown funnel did not run on SIGTERM"
+    assert wait_lock_state(DOMAIN, "free") == "free"
--- a/tests/concurrency/test_locks.py
+++ b/tests/concurrency/test_locks.py
@ -0,0 +1,85 @@
+"""Lock fundamentals (concurrency-restructure plan, cases 1-4). Real kernel flocks held by real
+subprocesses — nothing mocked."""
+
+from __future__ import annotations
+
+import fcntl
+import os
+import sys
+import time
+
+sys.path.insert(0, os.path.dirname(__file__))
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
+from concutil import (  # noqa: E402
+    DOMAIN,
+    lock_state,
+    wait_lock_state,
+    wait_marker,
+)
+from harness import lifecycle  # noqa: E402
+
+
+def test_1_sigkill_releases_lock(lock_dir, pool):
+    """Case 1: acquire -> holder SIGKILL'd -> lock immediately acquirable (kernel auto-release).
+    The exact property the old pidfile registry approximated with /proc checks."""
+    p, out = pool.spawn("hold", DOMAIN)
+    assert wait_marker(out, "ACQUIRED"), "holder never acquired"
+    assert lock_state(DOMAIN) == "held"
+    p.kill()
+    p.wait(timeout=10)
+    assert wait_lock_state(DOMAIN, "free") == "free"
+
+
+def test_2_nb_probe_held_vs_unheld(lock_dir, pool):
+    """Case 2: LOCK_NB probe raises BlockingIOError against a held lock; succeeds when unheld."""
+    p, out = pool.spawn("hold", DOMAIN)
+    assert wait_marker(out, "ACQUIRED")
+    path = lifecycle._app_lock_path(DOMAIN)  # noqa: SLF001
+    with open(path, "a") as f:
+        try:
+            fcntl.flock(f, fcntl.LOCK_EX | fcntl.LOCK_NB)
+            raise AssertionError("LOCK_NB succeeded against a held lock")
+        except BlockingIOError:
+            pass
+    p.kill()
+    p.wait(timeout=10)
+    assert wait_lock_state(DOMAIN, "free") == "free"
+    with open(path, "a") as f:
+        fcntl.flock(f, fcntl.LOCK_EX | fcntl.LOCK_NB)  # must not raise now
+
+
+def test_3_lock_fd_not_inherited_by_children(lock_dir, pool):
+    """Case 3 (PEP 446): the holder spawns a subprocess child, the holder dies, the child lives —
+    and the lock is STILL released (the child never inherited the lock fd). This is what makes
+    'held lock == live HARNESS owner' sound even though runs spawn abra/docker/pytest children."""
+    p, out = pool.spawn("hold-with-child", DOMAIN)
+    assert wait_marker(out, "ACQUIRED")
+    child_line = wait_marker(out, "CHILD")
+    assert child_line, "holder never reported its child pid"
+    child_pid = int(child_line.split()[1])
+    pool.track_pid(child_pid)
+    p.kill()
+    p.wait(timeout=10)
+    assert os.path.exists(f"/proc/{child_pid}"), "child should outlive the holder"
+    assert (
+        wait_lock_state(DOMAIN, "free") == "free"
+    ), "lock must release on holder death even with a live child (PEP 446 non-inheritable fd)"
+
+
+def test_4_second_acquire_blocks_until_first_exits(lock_dir, pool):
+    """Case 4: a second same-domain acquire blocks until the first holder exits — the
+    double-!testme serialisation property."""
+    p1, out1 = pool.spawn("hold", DOMAIN)
+    assert wait_marker(out1, "ACQUIRED")
+    p2, out2 = pool.spawn("hold", DOMAIN)
+    # p2 must NOT acquire while p1 holds.
+    time.sleep(1.5)
+    assert wait_marker(out2, "ACQUIRED", timeout=0.1) is None, "second acquire did not block"
+    t_kill = time.time()
+    p1.kill()
+    p1.wait(timeout=10)
+    line = wait_marker(out2, "ACQUIRED", timeout=15)
+    assert line, "second acquire never completed after first holder exited"
+    acquired_ts = float(line.split()[1])
+    assert acquired_ts >= t_kill - 0.05, "second holder acquired before the first exited"
+    assert lock_state(DOMAIN) == "held"
--- a/tests/concurrency/test_run_state.py
+++ b/tests/concurrency/test_run_state.py
@ -0,0 +1,79 @@
+"""Run-scoped state files — M2(c) live-verify regression (not one of the 19 plan cases).
+
+The four CCCI state files (deploys countfile, opstate, deps, depskip) must be keyed by
+run id + harness pid, NEVER by app domain: a second run of the SAME domain executes its
+main() preamble (state-file init, deploy_app's _record_deploy) BEFORE it blocks at the
+app lock, so domain-keyed files in the shared tempdir get reset/removed underneath the
+live first run. Observed live (builds 279/281): false DG4.1 deploy-count=2 in run 1,
+countfile FileNotFoundError crash in run 2. Children never re-derive these paths — they
+receive them via the CCCI_*_FILE env vars, so per-process uniqueness is sufficient.
+"""
+
+from __future__ import annotations
+
+import os
+import sys
+import tempfile
+
+sys.path.insert(0, os.path.dirname(__file__))
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
+import run_recipe_ci  # noqa: E402
+from concutil import wait_marker  # noqa: E402
+
+DOMAIN = "fake-abc123.ci.commoninternet.net"
+
+
+def test_20_state_paths_keyed_by_run_and_pid_never_by_domain(monkeypatch):
+    domain = "immi-ad3e33.ci.commoninternet.net"
+    monkeypatch.setenv("CCCI_APP_DOMAIN", domain)
+
+    monkeypatch.setenv("DRONE_BUILD_NUMBER", "279")
+    p279 = run_recipe_ci._run_state_path("deploys")
+    monkeypatch.setenv("DRONE_BUILD_NUMBER", "281")
+    p281 = run_recipe_ci._run_state_path("deploys")
+
+    # the double-!testme invariant: two runs (same domain) share NO state file
+    assert p279 != p281
+    # keyed by run id + pid, under the tempdir
+    base = os.path.basename(p279)
+    assert base == f"ccci-deploys-279-{os.getpid()}"
+    assert os.path.dirname(p279) == tempfile.gettempdir()
+    # the app domain must not appear in the path at all
+    assert domain not in p279 and domain not in p281
+
+
+def test_20c_same_domain_runs_each_keep_their_own_count(tmp_path, lock_dir, pool):
+    """The live CONC-A1 interleaving, with REAL processes + the REAL lock and counter code:
+    run A holds the app lock; run B (same domain) fires its pre-lock _record_deploy and
+    blocks; A then reads its counter — must still be 1 (not polluted by B) — and removes
+    its own file; B acquires and must find ITS file intact (no FileNotFoundError)."""
+    gate = tmp_path / "gate"
+    env_a = {"TMPDIR": str(tmp_path), "DRONE_BUILD_NUMBER": "9001"}
+    env_b = {"TMPDIR": str(tmp_path), "DRONE_BUILD_NUMBER": "9002"}
+
+    pa, out_a = pool.spawn("deploy-count-run", DOMAIN, str(gate), env_extra=env_a)
+    assert wait_marker(out_a, "ACQUIRED")
+    pb, out_b = pool.spawn("deploy-count-run", DOMAIN, "", env_extra=env_b)
+    # B's main()-preamble + pre-lock increment have fired; B is now blocked on the app lock
+    assert wait_marker(out_b, "PRELOCK")
+    assert wait_marker(out_b, "ACQUIRED", timeout=1.0) is None  # still serialised behind A
+
+    gate.touch()  # let A read its counter only AFTER B's pre-lock work landed
+    line_a = wait_marker(out_a, "COUNT")
+    assert line_a is not None and line_a.strip() == "COUNT 1", line_a  # not 2: B didn't pollute A
+    pa.wait(timeout=15)
+
+    line_b = wait_marker(out_b, "COUNT")
+    assert (
+        line_b is not None and line_b.strip() == "COUNT 1"
+    ), line_b  # B's file survived A's remove
+    pb.wait(timeout=15)
+
+
+def test_20b_manual_runs_distinct_via_pid(monkeypatch):
+    # no DRONE_BUILD_NUMBER and no domain/run-id env → run_id() falls back to "manual";
+    # the pid suffix still separates two concurrent hand-runs of the same domain.
+    for var in ("DRONE_BUILD_NUMBER", "CCCI_APP_DOMAIN", "CCCI_RUN_ID"):
+        monkeypatch.delenv(var, raising=False)
+    p = run_recipe_ci._run_state_path("opstate")
+    assert os.path.basename(p) == f"ccci-opstate-manual-{os.getpid()}"
--- a/tests/conftest.py
+++ b/tests/conftest.py
@ -13,32 +13,8 @@ import sys
 import pytest

 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "runner"))
-from harness import deps as deps_mod, lifecycle, naming  # noqa: E402
-
-
-def _short(s: str, n: int = 8) -> str:
-    return "".join(c for c in s if c.isalnum())[:n] or "local"
-
-
-def _recipe_meta(recipe: str) -> dict:
-    """Optional per-recipe config so enrolling a recipe needs NO shared-harness change (D5).
-    A recipe may ship tests/<recipe>/recipe_meta.py with any of: HEALTH_PATH (str),
-    HEALTH_OK (tuple of status codes), DEPLOY_TIMEOUT (int), HTTP_TIMEOUT (int)."""
-    path = os.path.join(os.path.dirname(__file__), recipe, "recipe_meta.py")
-    meta = {
-        "HEALTH_PATH": "/",
-        "HEALTH_OK": (200, 301, 302),
-        "DEPLOY_TIMEOUT": 600,
-        "HTTP_TIMEOUT": 300,
-    }
-    if os.path.exists(path):
-        ns: dict = {}
-        with open(path) as fh:
-            exec(compile(fh.read(), path, "exec"), ns)  # noqa: S102 (trusted, in-repo)
-        for k in meta:
-            if k in ns:
-                meta[k] = ns[k]
-    return meta
+from harness import deps as deps_mod  # noqa: E402
+from harness import meta as meta_mod  # noqa: E402


@pytest.fixture(scope="session")
@ -47,18 +23,10 @@ def recipe() -> str:


@pytest.fixture(scope="session")
-def app_domain(recipe) -> str:
-    # Docker swarm config/secret names = <stackname>_<res>_<ver> must be <= 64 chars, and
-    # stackname is the sanitized domain. ".ci.commoninternet.net" alone is 22 chars, so the
-    # subdomain label must stay short. Use <recipe[:4]>-<6hex(recipe|pr|ref)> — unique per run,
-    # collision-safe across recipes (full recipe in the hash), readable context lives in the
-    # Drone build params + PR comment. (Deviation from plan §4.0 long name; see DECISIONS.md.)
-    return naming.app_domain(recipe, os.environ.get("PR", "0"), os.environ.get("REF"))
-
-
-@pytest.fixture(scope="session")
-def meta(recipe) -> dict:
-    return _recipe_meta(recipe)
+def meta(recipe):
+    """The recipe's FULL validated customization (RecipeMeta, attribute access) via the single
+    loader (rcust P1 — previously this fixture saw only the 4 base keys, spec §8 R3)."""
+    return meta_mod.load(recipe)


@pytest.fixture(scope="session")
@ -72,32 +40,55 @@ def live_app() -> str:
    return domain


-@pytest.fixture(scope="session")
-def deps_apps() -> dict[str, str]:
-    """Phase 2 Q2.3 dependency-resolver contract (refined operator-2026-05-28 SSO-dep plan §1):
-    when a recipe declares `DEPS = [...]` in its `recipe_meta.py`, the orchestrator deploys each
-    dep AFTER the generic tiers (between RESTORE and CUSTOM) and persists their per-run identity
-    + SSO creds to `$CCCI_DEPS_FILE`. Tests access the dep's per-run domain via this fixture.
-    For full SSO creds (realm/client/secret/admin) use the `deps_creds` fixture instead.
+@pytest.fixture
+def op_state() -> dict:
+    """The orchestrator's run-scoped op context (rcust P4): versions, artifact paths — written to
+    `$CCCI_OP_STATE_FILE` after each lifecycle op (e.g. `{"upgrade": {"before": {...},
+    "head_ref": ...}, "backup": {"snapshot_id": ...}}`). Overlay tests read op facts from here
+    instead of hand-parsing env/JSON. Skips with a clear reason outside an orchestrator run."""
+    import json

-    Returns `{dep_recipe: domain}` (str→str). Empty when no deps declared OR deps-not-ready."""
+    path = os.environ.get("CCCI_OP_STATE_FILE")
+    if not path:
+        pytest.skip(
+            "CCCI_OP_STATE_FILE not set — op_state is only available under the orchestrator"
+        )
+    if not os.path.exists(path):
+        pytest.skip(f"op-state file missing ({path}) — orchestrator has not performed an op yet")
+    try:
+        with open(path) as f:
+            return json.load(f)
+    except ValueError:
+        pytest.skip(f"op-state file unreadable/not JSON ({path})")
+
+
+class _DepEntry(dict):
+    """One provisioned dep (full creds dict) with attribute sugar: `entry.domain`, `entry.realm`,
+    `entry.client_secret`, ... — dict-style access works too (rcust P2d)."""
+
+    def __getattr__(self, name):
+        try:
+            return self[name]
+        except KeyError as e:
+            raise AttributeError(name) from e
+
+
+@pytest.fixture(scope="session")
+def deps() -> dict[str, _DepEntry]:
+    """The recipe's provisioned deps (rcust P2d — consolidates the old `deps_apps`+`deps_creds`
+    pair). When a recipe declares `DEPS = [...]` in its `recipe_meta.py`, the orchestrator
+    provisions each dep BEFORE the single deploy and persists per-run identity + SSO creds to
+    `$CCCI_DEPS_FILE`. `deps["keycloak"]` carries domain/realm/client_id/client_secret/user/
+    password/email/admin_user/admin_password/discovery_url/token_url/... (`.domain` etc. work as
+    attributes). Empty when no deps declared OR deps-not-ready — pair with
+    `@pytest.mark.requires_deps` so the F2-11 skip-report keeps the green signal honest."""
    state = deps_mod.deps_as_dict(deps_mod.load_run_state())
-    return {r: e["domain"] for r, e in state.items() if e.get("domain")}
-
-
-@pytest.fixture(scope="session")
-def deps_creds() -> dict[str, dict]:
-    """Full SSO-creds dict for each declared dep (operator-2026-05-28 SSO-dep plan §1).
-    `deps_creds["keycloak"]` returns the entry written by setup_custom_tests with keys
-    domain/realm/client_id/client_secret/user/password/email/admin_user/admin_password/
-    discovery_url/token_url/.... Use this in `@pytest.mark.requires_deps` tests that need to
-    authenticate via OIDC."""
-    return deps_mod.deps_as_dict(deps_mod.load_run_state())
+    return {r: _DepEntry(e) for r, e in state.items()}


 def pytest_collection_modifyitems(config, items):
    """SSO-dep plan §4: tests marked `@pytest.mark.requires_deps` are skipped with reason
-    `deps-not-ready: <captured-err>` when the orchestrator's setup_custom_tests step failed
+    `deps-not-ready: <captured-err>` when the orchestrator's dep provisioning failed
    (orchestrator sets CCCI_DEPS_READY=0 in env). Non-deps custom tests are unaffected.

    This is failure-isolation per plan §1 — generic tiers cannot break the SSO-marked tests'
@ -130,40 +121,5 @@ def pytest_configure(config):
    """Register the `requires_deps` marker so pytest doesn't warn about it."""
    config.addinivalue_line(
        "markers",
-        "requires_deps: test requires DEPS-declared services + setup_custom_tests success.",
+        "requires_deps: test requires DEPS-declared services + dep provisioning success.",
    )
-
-
-def _wait_healthy(domain, meta):
-    lifecycle.wait_healthy(
-        domain,
-        ok_codes=tuple(meta["HEALTH_OK"]),
-        path=meta["HEALTH_PATH"],
-        deploy_timeout=meta["DEPLOY_TIMEOUT"],
-        http_timeout=meta["HTTP_TIMEOUT"],
-    )
-
-
-@pytest.fixture
-def deployed(recipe, app_domain, meta, request):
-    """Function-scoped: deploy the current/$REF version healthy, guaranteed teardown after.
-    Used by stages that start from current (install/backup)."""
-    version = os.environ.get("VERSION") or None
-    lifecycle.janitor()
-    request.addfinalizer(lambda: lifecycle.teardown_app(app_domain))
-    lifecycle.deploy_app(recipe, app_domain, version=version)
-    _wait_healthy(app_domain, meta)
-    return app_domain
-
-
-@pytest.fixture(scope="session")
-def deployed_app(recipe, app_domain, meta):
-    """Install stage: deploy the recipe and wait until healthy; tear down at session end."""
-    version = os.environ.get("VERSION") or None
-    lifecycle.janitor()  # sweep orphans from crashed runs first
-    try:
-        lifecycle.deploy_app(recipe, app_domain, version=version, secrets=True)
-        _wait_healthy(app_domain, meta)
-        yield app_domain
-    finally:
-        lifecycle.teardown_app(app_domain)
--- a/tests/cryptpad/ops.py
+++ b/tests/cryptpad/ops.py
@ -15,13 +15,13 @@ def _write(domain, val):
    lifecycle.exec_in_app(domain, ["sh", "-c", f"echo {val} > {MARKER}"])


-def pre_upgrade(domain, meta):
-    _write(domain, "upgrade-survives")
+def pre_upgrade(ctx):
+    _write(ctx.domain, "upgrade-survives")


-def pre_backup(domain, meta):
-    _write(domain, "original")
+def pre_backup(ctx):
+    _write(ctx.domain, "original")


-def pre_restore(domain, meta):
-    _write(domain, "mutated")  # diverge so a successful restore is observable
+def pre_restore(ctx):
+    _write(ctx.domain, "mutated")  # diverge so a successful restore is observable
--- a/tests/cryptpad/playwright/test_pad_content_roundtrip.py
+++ b/tests/cryptpad/playwright/test_pad_content_roundtrip.py
@ -26,6 +26,7 @@ Transient `net::ERR_NETWORK_CHANGED` is handled by the shared `goto_with_retry`

 from __future__ import annotations

+import contextlib
 import os
 import sys
 import uuid
@ -39,7 +40,11 @@ def _open_pad(ctx, url):
    bar once CryptPad has created/loaded the fragment-keyed pad (`#/2/pad/edit/<key>/`)."""
    page = ctx.new_page()
    harness_browser.goto_with_retry(
-        page, url, accept_statuses=(200,), goto_timeout_ms=60_000, wait_until="load",
+        page,
+        url,
+        accept_statuses=(200,),
+        goto_timeout_ms=60_000,
+        wait_until="load",
        deadline_seconds=150,
    )
    pad_url = url
@ -53,13 +58,15 @@ def _open_pad(ctx, url):
            pad_url = page.url
            break
        if i == 40:
-            try:
+            with contextlib.suppress(Exception):  # best-effort unstick
                harness_browser.goto_with_retry(
-                    page, url, accept_statuses=(200,), goto_timeout_ms=60_000,
-                    wait_until="load", deadline_seconds=120,
+                    page,
+                    url,
+                    accept_statuses=(200,),
+                    goto_timeout_ms=60_000,
+                    wait_until="load",
+                    deadline_seconds=120,
                )
-            except Exception:  # noqa: BLE001 — best-effort unstick
-                pass
    return page, pad_url


@ -74,18 +81,22 @@ def _ckeditor_frame(page, deadline_polls=90, reload_at=22, reload_url=None):
            if "ckeditor-inner" in f.url:
                return f
        if i == reload_at and reload_url is not None:
-            try:
+            with contextlib.suppress(Exception):  # reload is a best-effort unstick
                harness_browser.goto_with_retry(
-                    page, reload_url, accept_statuses=(200,), goto_timeout_ms=60_000,
-                    wait_until="load", deadline_seconds=120,
+                    page,
+                    reload_url,
+                    accept_statuses=(200,),
+                    goto_timeout_ms=60_000,
+                    wait_until="load",
+                    deadline_seconds=120,
                )
-            except Exception:  # noqa: BLE001 — reload is a best-effort unstick
-                pass
        page.wait_for_timeout(2000)
    return None


-def _poll_any_frame_for_text(page, needle, deadline_polls=120, reload_at=(20, 45, 75, 100), reload_url=None):
+def _poll_any_frame_for_text(
+    page, needle, deadline_polls=120, reload_at=(20, 45, 75, 100), reload_url=None
+):
    """Robust read-back (F2-13): poll EVERY frame's body text for `needle`, returning True as soon as
    it appears. The fresh cold-cache read-back context's deeply-nested CKEditor frame is slow/flaky to
    *attach* by URL (the prior `_ckeditor_frame` wait timed out on the Adversary's cold run), but the
@ -101,13 +112,15 @@ def _poll_any_frame_for_text(page, needle, deadline_polls=120, reload_at=(20, 45
            except Exception:  # noqa: BLE001 — frame not ready / detached; keep polling
                pass
        if reload_url and i in reload_at:
-            try:
+            with contextlib.suppress(Exception):  # best-effort unstick
                harness_browser.goto_with_retry(
-                    page, reload_url, accept_statuses=(200,), goto_timeout_ms=60_000,
-                    wait_until="load", deadline_seconds=120,
+                    page,
+                    reload_url,
+                    accept_statuses=(200,),
+                    goto_timeout_ms=60_000,
+                    wait_until="load",
+                    deadline_seconds=120,
                )
-            except Exception:  # noqa: BLE001 — best-effort unstick
-                pass
        page.wait_for_timeout(2000)
    return False

@ -137,9 +150,9 @@ def test_cryptpad_pad_content_survives_fresh_session(live_app):
            # --- session 1: create the pad + write the marker ---
            ctx1 = browser.new_context(ignore_https_errors=True)
            page, pad_url = _open_pad(ctx1, f"https://{live_app}/pad/")
-            assert "#/2/pad/edit/" in pad_url, (
-                f"CryptPad did not create a fragment-keyed pad URL; got {pad_url!r}"
-            )
+            assert (
+                "#/2/pad/edit/" in pad_url
+            ), f"CryptPad did not create a fragment-keyed pad URL; got {pad_url!r}"
            ck = _ckeditor_frame(page, reload_url=pad_url)
            assert ck is not None, "CKEditor content frame never attached (pad editor not ready)"
            _dismiss_store_modal(page)
@ -148,9 +161,9 @@ def test_cryptpad_pad_content_survives_fresh_session(live_app):
            page.wait_for_timeout(1000)
            body.type(marker, delay=40)
            page.wait_for_timeout(12000)  # let CryptPad encrypt + sync the update to the server
-            assert marker in ck.locator("body").inner_text(), (
-                "marker not present in the editor after typing — type did not land"
-            )
+            assert (
+                marker in ck.locator("body").inner_text()
+            ), "marker not present in the editor after typing — type did not land"
            ctx1.close()

            # --- session 2: FRESH context (no shared storage/localStorage) reads the pad back by URL.
--- a/tests/cryptpad/playwright/test_pad_create.py
+++ b/tests/cryptpad/playwright/test_pad_create.py
@ -51,9 +51,9 @@ def test_cryptpad_spa_renders_with_no_console_errors(live_app):
            title = (page.title() or "").lower()
            body = page.content()
            blower = body.lower()
-            assert "cryptpad" in title or "cryptpad" in blower, (
-                f"CryptPad SPA does not carry brand. title={title!r}, body excerpt: {body[:200]!r}"
-            )
+            assert (
+                "cryptpad" in title or "cryptpad" in blower
+            ), f"CryptPad SPA does not carry brand. title={title!r}, body excerpt: {body[:200]!r}"

            # Canonical CryptPad asset references in the rendered DOM
            canonical = ("/customize/", "/components/", "main.js", "/api/broadcast")
--- a/tests/cryptpad/recipe_meta.py
+++ b/tests/cryptpad/recipe_meta.py
@ -7,9 +7,9 @@ DEPLOY_TIMEOUT = 600
 HTTP_TIMEOUT = 600


-def EXTRA_ENV(domain):
+def EXTRA_ENV(ctx):
    """cryptpad needs a SANDBOX_DOMAIN distinct from the main DOMAIN (it serves user content from a
    separate origin; the web router routes both). Derive a sibling subdomain under the same wildcard
    (covered by the wildcard cert, so no cert work)."""
-    label, _, rest = domain.partition(".")
+    label, _, rest = ctx.domain.partition(".")
    return {"SANDBOX_DOMAIN": f"{label}-sb.{rest}"}
--- a/tests/cryptpad/test_install.py
+++ b/tests/cryptpad/test_install.py
@ -8,7 +8,8 @@ import os
 import sys

 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
-from harness import browser as harness_browser, generic, lifecycle  # noqa: E402
+from harness import browser as harness_browser  # noqa: E402
+from harness import generic, lifecycle


 def test_serving_and_content(live_app, meta):
--- a/tests/custom-html-bkp-bad/ops.py
+++ b/tests/custom-html-bkp-bad/ops.py
@ -12,8 +12,8 @@ from harness import lifecycle
 MARKER_PATH = "/usr/share/nginx/html/ci-marker.txt"


-def pre_restore(domain: str, meta: dict) -> None:
+def pre_restore(ctx) -> None:
    """Write 'mutated' to the marker before restore runs. If restore brings back the
    snapshot (which has no marker — never seeded by pre_backup), the marker ends up
    MISSING or 'mutated' after restore → test_restore_returns_state FAILS → restore=RED."""
-    lifecycle.exec_in_app(domain, ["sh", "-c", f"echo mutated > {MARKER_PATH}"])
+    lifecycle.exec_in_app(ctx.domain, ["sh", "-c", f"echo mutated > {MARKER_PATH}"])
--- a/tests/custom-html-bkp-bad/test_backup.py
+++ b/tests/custom-html-bkp-bad/test_backup.py
@ -20,7 +20,9 @@ def test_backup_captures_state(live_app):
    Since custom-html-bkp-bad has no ops.py::pre_backup to seed the marker, this file does NOT
    exist at backup time — exec_in_app returns empty or raises → assertion fails → backup tier RED.
    This models a recipe that declares backup capability but omits the data-seeding hook."""
-    result = lifecycle.exec_in_app(live_app, ["sh", "-c", f"cat {MARKER_PATH} 2>/dev/null || echo MISSING"]).strip()
+    result = lifecycle.exec_in_app(
+        live_app, ["sh", "-c", f"cat {MARKER_PATH} 2>/dev/null || echo MISSING"]
+    ).strip()
    assert result == "original", (
        f"backup did not capture the expected marker at {MARKER_PATH}: got {result!r}. "
        "Expected 'original' (seeded by pre_backup). If the marker is 'MISSING', the pre_backup "
--- a/tests/custom-html-rst-bad/ops.py
+++ b/tests/custom-html-rst-bad/ops.py
@ -11,5 +11,5 @@ from harness import lifecycle
 MARKER_PATH = "/usr/share/nginx/html/ci-marker.txt"


-def pre_restore(domain: str, meta: dict) -> None:
-    lifecycle.exec_in_app(domain, ["sh", "-c", f"echo mutated > {MARKER_PATH}"])
+def pre_restore(ctx) -> None:
+    lifecycle.exec_in_app(ctx.domain, ["sh", "-c", f"echo mutated > {MARKER_PATH}"])
--- a/tests/custom-html-tiny/functional/test_serves_content.py
+++ b/tests/custom-html-tiny/functional/test_serves_content.py
@ -79,9 +79,9 @@ def test_static_file_roundtrip_and_404(live_app):
        # A random non-existent path must 404 — proves real static-file semantics, distinguishing a
        # working server from a 200-everything stub or a mis-routed Traefik fallback.
        miss_status, _ = _get(f"https://{live_app}/ccci-missing-{uuid.uuid4().hex}.txt")
-        assert miss_status == 404, (
-            f"missing path returned {miss_status} (expected 404 — generic 200-returner / mis-route?)"
-        )
+        assert (
+            miss_status == 404
+        ), f"missing path returned {miss_status} (expected 404 — generic 200-returner / mis-route?)"
    finally:
        with contextlib.suppress(OSError):
            os.remove(path)
--- a/tests/custom-html/functional/test_content_roundtrip.py
+++ b/tests/custom-html/functional/test_content_roundtrip.py
@ -15,7 +15,8 @@ import sys
 import uuid

 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
-from harness import http as harness_http, lifecycle  # noqa: E402
+from harness import http as harness_http  # noqa: E402
+from harness import lifecycle


 def test_content_roundtrip(live_app):
--- a/tests/custom-html/functional/test_content_type_header.py
+++ b/tests/custom-html/functional/test_content_type_header.py
@ -53,9 +53,9 @@ def test_content_type_html_and_txt(live_app):
    ct_txt = h_txt.get("content-type", "")

    # nginx default: "text/html" for .html and "text/plain" for .txt (may include "; charset=utf-8")
-    assert ct_html.startswith("text/html"), (
-        f"{html_name} Content-Type={ct_html!r}, expected text/html (nginx MIME config broken?)"
-    )
-    assert ct_txt.startswith("text/plain"), (
-        f"{txt_name} Content-Type={ct_txt!r}, expected text/plain (nginx MIME config broken?)"
-    )
+    assert ct_html.startswith(
+        "text/html"
+    ), f"{html_name} Content-Type={ct_html!r}, expected text/html (nginx MIME config broken?)"
+    assert ct_txt.startswith(
+        "text/plain"
+    ), f"{txt_name} Content-Type={ct_txt!r}, expected text/plain (nginx MIME config broken?)"
--- a/tests/custom-html/ops.py
+++ b/tests/custom-html/ops.py
@ -1,4 +1,4 @@
-"""custom-html — pre-op seed hooks (Phase 1e HC3). The orchestrator runs `pre_<op>(domain, meta)`
+"""custom-html — pre-op seed hooks (Phase 1e HC3). The orchestrator runs `pre_<op>(ctx)`
 BEFORE it performs the op; the matching test_<op>.py asserts the post-op state (assertion-only).

 nginx serves the volume at /usr/share/nginx/html, so the marker file survives an upgrade / a
@ -17,16 +17,16 @@ def _write(domain: str, val: str) -> None:
    lifecycle.exec_in_app(domain, ["sh", "-c", f"echo {val} > {MARKER_PATH}"])


-def pre_upgrade(domain, meta):
+def pre_upgrade(ctx):
    # seed a marker before the upgrade so the overlay can prove the data survives it
-    _write(domain, "upgrade-survives")
+    _write(ctx.domain, "upgrade-survives")


-def pre_backup(domain, meta):
+def pre_backup(ctx):
    # establish a known original state before the backup op captures it
-    _write(domain, "original")
+    _write(ctx.domain, "original")


-def pre_restore(domain, meta):
+def pre_restore(ctx):
    # diverge from the backed-up state so a successful restore (back to "original") is observable
-    _write(domain, "mutated")
+    _write(ctx.domain, "mutated")
--- a/tests/custom-html/test_install.py
+++ b/tests/custom-html/test_install.py
@ -9,7 +9,8 @@ import os
 import sys

 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
-from harness import browser as harness_browser, generic  # noqa: E402
+from harness import browser as harness_browser  # noqa: E402
+from harness import generic


 def test_serving_and_content(live_app, meta):
--- a/tests/discourse/functional/_discourse.py
+++ b/tests/discourse/functional/_discourse.py
@ -53,7 +53,7 @@ def mint_admin(domain: str) -> tuple[str, str]:
    cmd = (
        "cd /opt/bitnami/discourse && "
        "RUBY=$(command -v ruby || echo /opt/bitnami/ruby/bin/ruby) && "
-        f"RAILS_ENV=production \"$RUBY\" bin/rails runner \"{_BOOTSTRAP_RB}\""
+        f'RAILS_ENV=production "$RUBY" bin/rails runner "{_BOOTSTRAP_RB}"'
    )
    out = lifecycle.exec_in_app(domain, ["bash", "-c", cmd], service="app", timeout=240)
    key = user = None
@ -63,9 +63,9 @@ def mint_admin(domain: str) -> tuple[str, str]:
            key = line.split("=", 1)[1].strip()
        elif line.startswith("CCCI_API_USER="):
            user = line.split("=", 1)[1].strip()
-    assert key and user, (
-        f"could not bootstrap discourse admin/API key; rails output tail:\n{out[-1000:]}"
-    )
+    assert (
+        key and user
+    ), f"could not bootstrap discourse admin/API key; rails output tail:\n{out[-1000:]}"
    return key, user


--- a/tests/discourse/functional/test_create_topic.py
+++ b/tests/discourse/functional/test_create_topic.py
@ -48,21 +48,23 @@ def test_create_topic_roundtrip(live_app):
        headers=hdrs,
        timeout=60,
    )
-    assert status in (200, 201) and isinstance(body, dict), (
-        f"create topic failed: HTTP {status}, body={body!r}"
-    )
+    assert status in (200, 201) and isinstance(
+        body, dict
+    ), f"create topic failed: HTTP {status}, body={body!r}"
    topic_id = body.get("topic_id")
    assert topic_id, f"create topic returned no topic_id: {body!r}"

    # 4) Read the topic back and assert title + first-post body round-trip.
    status, got = harness_http.http_get(f"{base}/t/{topic_id}.json", headers=hdrs, timeout=30)
-    assert status == 200 and isinstance(got, dict), f"read topic failed: HTTP {status}, body={got!r}"
-    assert got.get("title") == title, (
-        f"topic title did not round-trip: sent {title!r}, got {got.get('title')!r}"
-    )
+    assert status == 200 and isinstance(
+        got, dict
+    ), f"read topic failed: HTTP {status}, body={got!r}"
+    assert (
+        got.get("title") == title
+    ), f"topic title did not round-trip: sent {title!r}, got {got.get('title')!r}"
    posts = (got.get("post_stream") or {}).get("posts") or []
    assert posts, f"topic has no posts on read-back: {got!r}"
    first_cooked = posts[0].get("cooked", "")
-    assert marker in first_cooked, (
-        f"topic body did not round-trip: marker {marker!r} not in first post {first_cooked!r}"
-    )
+    assert (
+        marker in first_cooked
+    ), f"topic body did not round-trip: marker {marker!r} not in first post {first_cooked!r}"
--- a/tests/discourse/functional/test_site_basic.py
+++ b/tests/discourse/functional/test_site_basic.py
@ -20,12 +20,12 @@ def test_site_json_has_discourse_config(live_app):
    status, body = harness_http.retry_http_get(
        f"https://{live_app}/site.json", expect_status=200, max_wait=120, interval=5
    )
-    assert status == 200 and isinstance(body, dict), (
-        f"GET /site.json failed: HTTP {status}, body type={type(body).__name__}"
-    )
+    assert status == 200 and isinstance(
+        body, dict
+    ), f"GET /site.json failed: HTTP {status}, body type={type(body).__name__}"
    # /site.json carries Discourse-specific structure — `categories` (a list) and `groups` are always
    # present in a booted Discourse. A non-Discourse 200 (placeholder page) would not parse to this.
    assert "categories" in body, f"/site.json missing 'categories' key: keys={list(body)[:20]}"
-    assert isinstance(body["categories"], list), (
-        f"/site.json 'categories' not a list: {type(body['categories']).__name__}"
-    )
+    assert isinstance(
+        body["categories"], list
+    ), f"/site.json 'categories' not a list: {type(body['categories']).__name__}"
--- a/tests/discourse/install_steps.sh
+++ b/tests/discourse/install_steps.sh
@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-# discourse — INSTALL-TIME hook (Phase 2 Q4.6). Runs during the install tier AFTER `abra app new` +
-# EXTRA_ENV + `abra app secret generate` and BEFORE the single `abra app deploy`
-# (lifecycle.py::_run_install_steps), with CCCI_RECIPE / CCCI_APP_DOMAIN in env.
-#
-# Purpose: provide the cc-ci re-pin+grace overlay (compose.ccci.yml) to the recipe checkout so the
-# UPGRADE-tier BASE deploy (published 0.7.0+3.3.1, whose compose pins the Docker-Hub-removed
-# `bitnami/discourse:3.3.1` and ships a too-tight 5m start_period) is deployable and can survive the
-# 15-25min Rails cold boot — so upgrade-to-latest can run. See compose.ccci.yml's header for the full
-# rationale. The overlay is referenced by recipe_meta COMPOSE_FILE; it is a cc-ci file (not part of the
-# recipe), so copying it here makes it resolvable. It persists across the later `git checkout <head>`
-# (untracked) so the head deploy also merges it (idempotent — the PR head already re-pins + ships 20m).
-# CHAOS_BASE_DEPLOY=True is set so abra's pinned-deploy clean-tree check doesn't FATA on the overlay.
-set -euo pipefail
-
-: "${CCCI_RECIPE:?missing CCCI_RECIPE}"
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-RECIPE_DIR="${HOME}/.abra/recipes/${CCCI_RECIPE}"
-
-if [ ! -d "$RECIPE_DIR" ]; then
-  echo "  discourse install_steps: recipe dir $RECIPE_DIR missing — cannot provide compose.ccci.yml" >&2
-  exit 1
-fi
-
-cp "$SCRIPT_DIR/compose.ccci.yml" "$RECIPE_DIR/compose.ccci.yml"
-echo "  discourse install_steps: provided compose.ccci.yml (bitnamilegacy re-pin + 20m start_period grace) to recipe checkout (${CCCI_RECIPE})"
--- a/tests/discourse/ops.py
+++ b/tests/discourse/ops.py
@ -15,8 +15,7 @@ from harness import lifecycle  # noqa: E402

 def _psql(domain, sql):
    cmd = (
-        'PGPASSWORD=$(cat /run/secrets/db_password) '
-        f'psql -U discourse -d discourse -tAc "{sql}"'
+        "PGPASSWORD=$(cat /run/secrets/db_password) " f'psql -U discourse -d discourse -tAc "{sql}"'
    )
    return lifecycle.exec_in_app(domain, ["sh", "-c", cmd], service="db").strip()

@ -31,17 +30,18 @@ def _seed(domain, value):
    assert got == value, f"seed did not commit (read back {got!r}, expected {value!r})"


-def pre_upgrade(domain, meta):
-    _seed(domain, "upgrade-survives")
+def pre_upgrade(ctx):
+    _seed(ctx.domain, "upgrade-survives")


-def pre_backup(domain, meta):
-    _seed(domain, "original")
+def pre_backup(ctx):
+    _seed(ctx.domain, "original")


-def pre_restore(domain, meta):
+def pre_restore(ctx):
    # diverge from the backup so a successful restore is observable
-    _psql(domain, "DROP TABLE IF EXISTS ci_marker;")
-    assert _psql(domain, "SELECT to_regclass('public.ci_marker');") in ("", "NULL"), (
-        "drop did not take"
-    )
+    _psql(ctx.domain, "DROP TABLE IF EXISTS ci_marker;")
+    assert _psql(ctx.domain, "SELECT to_regclass('public.ci_marker');") in (
+        "",
+        "NULL",
+    ), "drop did not take"
--- a/tests/discourse/recipe_meta.py
+++ b/tests/discourse/recipe_meta.py
@ -6,7 +6,9 @@
 # app is actually serving (the canonical "is discourse up" signal — NOT "/", which may redirect to setup).
 HEALTH_PATH = "/srv/status"
 HEALTH_OK = (200,)
-DEPLOY_TIMEOUT = 3600  # slow Rails cold boot (15-25min) on the 7-GiB single node; bumped 2400→3600 for
+DEPLOY_TIMEOUT = (
+    3600  # slow Rails cold boot (15-25min) on the 7-GiB single node; bumped 2400→3600 for
+)
 # headroom after full4's base deploy timed out at 2400s (RAM/CPU-constrained boot + image re-pull).
 HTTP_TIMEOUT = 1200

@ -27,11 +29,11 @@ HTTP_TIMEOUT = 1200
 #   (1) it pins the Docker-Hub-removed `bitnami/discourse:3.3.1` (404) → overlay re-pins app+sidekiq to
 #       `bitnamilegacy/discourse:3.3.1` (namespace-only, identical image), the same re-pin the PR makes;
 #   (2) its 5m start_period is too tight for the 15-25min Rails boot → overlay widens it to 20m (grace).
-# install_steps.sh provides the overlay; CHAOS_BASE_DEPLOY skips the clean-tree gate on the untracked
-# overlay; it persists across the head checkout (idempotent — the PR head already re-pins + ships 20m).
+# The harness auto-provides the overlay to the checkout and auto-chaoses the base deploy
+# (first-class compose.ccci.yml, rcust P2a); it persists across the head checkout (idempotent — the
+# PR head already re-pins + ships 20m).
 # Upgrade crossover: 0.7.0 (re-pinned base) → PR head; full assertions run on the HEAD. The 0.7.0
 # *custom* tests are not separately run (custom tier runs once, on the head — policy §1 allows skip+record).
-CHAOS_BASE_DEPLOY = True
 UPGRADE_BASE_VERSION = "0.7.0+3.3.1"
 EXTRA_ENV = {
    "TIMEOUT": "3600",  # abra's internal convergence wait; matches DEPLOY_TIMEOUT (slow Rails boot headroom)
@ -39,7 +41,7 @@ EXTRA_ENV = {
 }


-def BACKUP_VERIFY(domain):
+def BACKUP_VERIFY(ctx):
    """Post-backup integrity check (Q4.6, same race ghost F2-14b hit). The recipe's backupbot db
    pre-hook (`/pg_backup.sh backup`) dumps the discourse postgres DB to `/var/lib/postgresql/data/
    backup.sql` (gzip), then restic captures that path. On the loaded single CI node the db container
@ -58,8 +60,12 @@ def BACKUP_VERIFY(domain):

    try:
        out = lifecycle.exec_in_app(
-            domain,
-            ["sh", "-c", "gzip -t /var/lib/postgresql/data/backup.sql && wc -c < /var/lib/postgresql/data/backup.sql"],
+            ctx.domain,
+            [
+                "sh",
+                "-c",
+                "gzip -t /var/lib/postgresql/data/backup.sql && wc -c < /var/lib/postgresql/data/backup.sql",
+            ],
            service="db",
            timeout=60,
        ).strip()
--- a/tests/discourse/test_backup.py
+++ b/tests/discourse/test_backup.py
@ -14,13 +14,12 @@ from harness import lifecycle  # noqa: E402

 def _psql(domain, sql):
    cmd = (
-        'PGPASSWORD=$(cat /run/secrets/db_password) '
-        f'psql -U discourse -d discourse -tAc "{sql}"'
+        "PGPASSWORD=$(cat /run/secrets/db_password) " f'psql -U discourse -d discourse -tAc "{sql}"'
    )
    return lifecycle.exec_in_app(domain, ["sh", "-c", cmd], service="db").strip()


 def test_backup_captures_state(live_app):
-    assert _psql(live_app, "SELECT v FROM ci_marker;") == "original", (
-        "the seeded discourse postgres state was not present at backup time"
-    )
+    assert (
+        _psql(live_app, "SELECT v FROM ci_marker;") == "original"
+    ), "the seeded discourse postgres state was not present at backup time"
--- a/tests/discourse/test_restore.py
+++ b/tests/discourse/test_restore.py
@ -14,13 +14,12 @@ from harness import lifecycle  # noqa: E402

 def _psql(domain, sql):
    cmd = (
-        'PGPASSWORD=$(cat /run/secrets/db_password) '
-        f'psql -U discourse -d discourse -tAc "{sql}"'
+        "PGPASSWORD=$(cat /run/secrets/db_password) " f'psql -U discourse -d discourse -tAc "{sql}"'
    )
    return lifecycle.exec_in_app(domain, ["sh", "-c", cmd], service="db").strip()


 def test_restore_returns_state(live_app):
-    assert _psql(live_app, "SELECT v FROM ci_marker;") == "original", (
-        "restore did not return the pre-mutation discourse postgres state (data-integrity failure)"
-    )
+    assert (
+        _psql(live_app, "SELECT v FROM ci_marker;") == "original"
+    ), "restore did not return the pre-mutation discourse postgres state (data-integrity failure)"
--- a/tests/ghost/functional/_ghost.py
+++ b/tests/ghost/functional/_ghost.py
@ -93,9 +93,10 @@ class GhostAdmin:
        status, body = self.req(
            "POST", "/session/", {"username": ADMIN_EMAIL, "password": ADMIN_PW}
        )
-        assert status in (200, 201), (
-            f"ghost admin session login failed: HTTP {status}, body={body!r}"
-        )
+        assert status in (
+            200,
+            201,
+        ), f"ghost admin session login failed: HTTP {status}, body={body!r}"

    def create_post(self, title: str, html: str) -> dict:
        status, body = self.req(
--- a/tests/ghost/functional/test_admin_redirect.py
+++ b/tests/ghost/functional/test_admin_redirect.py
@ -53,13 +53,15 @@ def test_ghost_admin_route_is_wired(live_app):
        return None

    status_body = harness_http.assert_converges(
-        _ready, f"GET {url} returns Ghost admin (200) or setup redirect (302)",
-        max_wait=60, interval=3,
+        _ready,
+        f"GET {url} returns Ghost admin (200) or setup redirect (302)",
+        max_wait=60,
+        interval=3,
    )
    status, body = status_body
    assert status in (200, 302), f"unexpected status: {status}"
    if status == 200:
        # The admin SPA references /ghost-assets/ or contains "ghost" in title/body
-        assert "ghost" in body.lower(), (
-            f"GET {url} 200 but body has no Ghost markers: {body[:200]!r}"
-        )
+        assert (
+            "ghost" in body.lower()
+        ), f"GET {url} 200 but body has no Ghost markers: {body[:200]!r}"
--- a/tests/ghost/functional/test_content_api.py
+++ b/tests/ghost/functional/test_content_api.py
@ -35,10 +35,10 @@ def test_content_api_settings_endpoint(live_app):
    assert body is not None, f"GET {url} returned non-JSON body"
    # On success: {"settings": {...}}. On error: {"errors": [...]}. Either shape is valid.
    if status == 200:
-        assert isinstance(body, dict) and "settings" in body, (
-            f"200 response missing 'settings' envelope: {body!r}"
-        )
+        assert (
+            isinstance(body, dict) and "settings" in body
+        ), f"200 response missing 'settings' envelope: {body!r}"
    else:
-        assert isinstance(body, dict) and ("errors" in body or "message" in body or body), (
-            f"error response not a proper Ghost error envelope: {body!r}"
-        )
+        assert isinstance(body, dict) and (
+            "errors" in body or "message" in body or body
+        ), f"error response not a proper Ghost error envelope: {body!r}"
--- a/tests/ghost/functional/test_post_roundtrip.py
+++ b/tests/ghost/functional/test_post_roundtrip.py
@ -43,17 +43,17 @@ def test_create_post_roundtrip(live_app):
    title = f"ccci-marker-{uniq}"
    marker = f"ccci-body-marker-{uniq}-roundtrip"
    created = admin.create_post(title, f"<p>{marker}</p>")
-    assert created.get("title") == title, (
-        f"created post title mismatch: sent {title!r}, got {created.get('title')!r}"
-    )
+    assert (
+        created.get("title") == title
+    ), f"created post title mismatch: sent {title!r}, got {created.get('title')!r}"

    # 4) Read it back by id and assert the post survived the round-trip (title always returned;
    #    html returned because we requested ?formats=html).
    got = admin.get_post(created["id"])
-    assert got.get("title") == title, (
-        f"post title did not round-trip: sent {title!r}, got {got.get('title')!r}"
-    )
+    assert (
+        got.get("title") == title
+    ), f"post title did not round-trip: sent {title!r}, got {got.get('title')!r}"
    html = got.get("html") or ""
-    assert marker in html, (
-        f"post body did not round-trip: marker {marker!r} not in read-back html {html!r}"
-    )
+    assert (
+        marker in html
+    ), f"post body did not round-trip: marker {marker!r} not in read-back html {html!r}"
--- a/tests/ghost/install_steps.sh
+++ b/tests/ghost/install_steps.sh
@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-# ghost — INSTALL-TIME hook (Phase 2 F2-14b). Runs during the install tier AFTER `abra app new` +
-# EXTRA_ENV + `abra app secret generate` and BEFORE the single `abra app deploy`
-# (lifecycle.py::_run_install_steps), with CCCI_RECIPE / CCCI_APP_DOMAIN in env.
-#
-# Purpose: provide the cc-ci start_period-grace overlay (compose.ccci.yml) to the recipe checkout so
-# the UPGRADE-tier BASE deploy (a previous published version whose app healthcheck still ships the
-# too-tight 1m start_period) can survive ghost's ~6-9min fresh-DB migration and converge. See
-# compose.ccci.yml's header for the full rationale. The overlay is referenced by recipe_meta
-# COMPOSE_FILE; copying it here (it is a cc-ci file, not part of the recipe) makes it resolvable.
-# It persists across the later `git checkout <head>` (untracked) so the head deploy also merges it
-# (idempotent — the PR head already ships 15m). CHAOS_BASE_DEPLOY=True is set so abra's pinned-deploy
-# clean-tree check doesn't FATA on the untracked overlay.
-set -euo pipefail
-
-: "${CCCI_RECIPE:?missing CCCI_RECIPE}"
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-RECIPE_DIR="${HOME}/.abra/recipes/${CCCI_RECIPE}"
-
-if [ ! -d "$RECIPE_DIR" ]; then
-  echo "  ghost install_steps: recipe dir $RECIPE_DIR missing — cannot provide compose.ccci.yml" >&2
-  exit 1
-fi
-
-cp "$SCRIPT_DIR/compose.ccci.yml" "$RECIPE_DIR/compose.ccci.yml"
-echo "  ghost install_steps: provided compose.ccci.yml (app start_period grace) to recipe checkout (${CCCI_RECIPE})"
--- a/tests/ghost/ops.py
+++ b/tests/ghost/ops.py
@ -22,10 +22,7 @@ from harness import lifecycle  # noqa: E402


 def _mysql(domain, sql):
-    cmd = (
-        'MYSQL_PWD="$(cat /run/secrets/db_password)" '
-        f'mysql -u root -N -s ghost -e "{sql}"'
-    )
+    cmd = 'MYSQL_PWD="$(cat /run/secrets/db_password)" ' f'mysql -u root -N -s ghost -e "{sql}"'
    return lifecycle.exec_in_app(domain, ["sh", "-c", cmd], service="db").strip()


@ -39,19 +36,19 @@ def _seed(domain, value):
    assert got == value, f"seed did not commit (read back {got!r}, expected {value!r})"


-def pre_upgrade(domain, meta):
-    _seed(domain, "upgrade-survives")
+def pre_upgrade(ctx):
+    _seed(ctx.domain, "upgrade-survives")


-def pre_backup(domain, meta):
-    _seed(domain, "original")
+def pre_backup(ctx):
+    _seed(ctx.domain, "original")


-def pre_restore(domain, meta):
+def pre_restore(ctx):
    # diverge from the backup so a successful restore is observable: drop the marker table.
-    _mysql(domain, "DROP TABLE IF EXISTS ci_marker;")
+    _mysql(ctx.domain, "DROP TABLE IF EXISTS ci_marker;")
    got = _mysql(
-        domain,
+        ctx.domain,
        "SELECT COUNT(*) FROM information_schema.tables "
        "WHERE table_schema='ghost' AND table_name='ci_marker';",
    )
--- a/tests/ghost/recipe_meta.py
+++ b/tests/ghost/recipe_meta.py
@ -31,23 +31,22 @@ HTTP_TIMEOUT = 900
 # (plan-ccci-compose-overlay-policy.md §1), so the harness base-deploys the previous PUBLISHED version
 # (1.1.1+6-alpine) — which predates the PR and still ships the too-tight 1m start_period → it would
 # deadlock on the same migration kill. compose.ccci.yml re-applies the 15m grace to the BASE so the
-# from-version is deployable; install_steps.sh provides it to the checkout; CHAOS_BASE_DEPLOY skips the
-# clean-tree gate on that untracked overlay. It persists across the head checkout (idempotent — the PR
-# head already ships 15m). This is the policy-blessed "minimal overlay on the from-version so
+# from-version is deployable; the harness auto-provides it to the checkout and auto-chaoses the base
+# deploy (first-class compose.ccci.yml, rcust P2a). It persists across the head checkout (idempotent —
+# the PR head already ships 15m). This is the policy-blessed "minimal overlay on the from-version so
 # upgrade-to-latest can run" — grace-only, masks no defect, weakens no test.
 # TIMEOUT/DEPLOY_TIMEOUT 2400s: the BASE cold boot's wall-time is mysql fresh-dir init (~6min, during
 # which the app crash-loops harmlessly on `ECONNREFUSED 3306` until mysql accepts connections — no
 # migration progress lost, it hasn't started) PLUS the ~9-15min schema migration (round-trip-bound,
 # slower under host load). 1200s was too tight (full4 killed at the near-final `email_recipients`
 # tables while still 0/1); 2400s gives headroom while still bounding a genuine hang (matches discourse).
-CHAOS_BASE_DEPLOY = True
 EXTRA_ENV = {
    "TIMEOUT": "2400",
    "COMPOSE_FILE": "compose.yml:compose.ccci.yml",
 }


-def BACKUP_VERIFY(domain):
+def BACKUP_VERIFY(ctx):
    """Post-backup integrity check (F2-14b). The recipe's backupbot db pre-hook dumps the ghost MySQL
    DB to `/var/lib/mysql/backup.sql.gz` (then restic captures that path). On the loaded single CI node
    the db container intermittently CYCLES mid-dump (observed: full5/6/7 RED, full8 green — pure race;
@ -62,8 +61,12 @@ def BACKUP_VERIFY(domain):

    try:
        out = lifecycle.exec_in_app(
-            domain,
-            ["sh", "-c", "gzip -t /var/lib/mysql/backup.sql.gz && wc -c < /var/lib/mysql/backup.sql.gz"],
+            ctx.domain,
+            [
+                "sh",
+                "-c",
+                "gzip -t /var/lib/mysql/backup.sql.gz && wc -c < /var/lib/mysql/backup.sql.gz",
+            ],
            service="db",
            timeout=60,
        ).strip()
--- a/tests/ghost/test_backup.py
+++ b/tests/ghost/test_backup.py
@ -15,14 +15,11 @@ from harness import lifecycle  # noqa: E402


 def _mysql(domain, sql):
-    cmd = (
-        'MYSQL_PWD="$(cat /run/secrets/db_password)" '
-        f'mysql -u root -N -s ghost -e "{sql}"'
-    )
+    cmd = 'MYSQL_PWD="$(cat /run/secrets/db_password)" ' f'mysql -u root -N -s ghost -e "{sql}"'
    return lifecycle.exec_in_app(domain, ["sh", "-c", cmd], service="db").strip()


 def test_backup_captures_state(live_app):
-    assert _mysql(live_app, "SELECT v FROM ci_marker;") == "original", (
-        "the seeded ghost MySQL marker was not present at backup time"
-    )
+    assert (
+        _mysql(live_app, "SELECT v FROM ci_marker;") == "original"
+    ), "the seeded ghost MySQL marker was not present at backup time"
--- a/tests/ghost/test_restore.py
+++ b/tests/ghost/test_restore.py
@ -22,10 +22,7 @@ from harness import lifecycle  # noqa: E402


 def _mysql(domain, sql):
-    cmd = (
-        'MYSQL_PWD="$(cat /run/secrets/db_password)" '
-        f'mysql -u root -N -s ghost -e "{sql}"'
-    )
+    cmd = 'MYSQL_PWD="$(cat /run/secrets/db_password)" ' f'mysql -u root -N -s ghost -e "{sql}"'
    return lifecycle.exec_in_app(domain, ["sh", "-c", cmd], service="db").strip()


--- a/tests/ghost/test_upgrade.py
+++ b/tests/ghost/test_upgrade.py
@ -14,14 +14,11 @@ from harness import lifecycle  # noqa: E402


 def _mysql(domain, sql):
-    cmd = (
-        'MYSQL_PWD="$(cat /run/secrets/db_password)" '
-        f'mysql -u root -N -s ghost -e "{sql}"'
-    )
+    cmd = 'MYSQL_PWD="$(cat /run/secrets/db_password)" ' f'mysql -u root -N -s ghost -e "{sql}"'
    return lifecycle.exec_in_app(domain, ["sh", "-c", cmd], service="db").strip()


 def test_upgrade_preserves_state(live_app):
-    assert _mysql(live_app, "SELECT v FROM ci_marker;") == "upgrade-survives", (
-        "the seeded ghost MySQL marker did not survive the upgrade redeploy (data loss on upgrade)"
-    )
+    assert (
+        _mysql(live_app, "SELECT v FROM ci_marker;") == "upgrade-survives"
+    ), "the seeded ghost MySQL marker did not survive the upgrade redeploy (data loss on upgrade)"
--- a/tests/hedgedoc/functional/test_branding.py
+++ b/tests/hedgedoc/functional/test_branding.py
@ -14,7 +14,6 @@ import urllib.request
 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
 from harness import http as harness_http  # noqa: E402

-
 _CTX = ssl.create_default_context()
 _CTX.check_hostname = False
 _CTX.verify_mode = ssl.CERT_NONE
--- a/Show More
+++ b/Show More