fix(bluesky-pds): exec into renamed 'pds' service (pairs with recipe rename app->pds)

The recipe renames its main service app->pds so caddy resolves THIS stack's PDS on the shared proxy
(abra drops compose network aliases, so a rename is the robust fix). Update the two exec_in_app calls
to service=pds to match. Same assertions.

.drone.yml

@@ -35,12 +35,12 @@ steps:
 # the comment-bridge). Deploys the recipe at the PR head, runs install/upgrade/backup + any
 # recipe-local tests via the shared harness, then guarantees teardown (plan §4.2/§4.3).
 #
-# Resource safety (plan §4.2/§4.3): DRONE_RUNNER_CAPACITY=2 (nix/modules/drone-runner.nix) +
-# concurrency.limit=2 below allow two recipe runs in parallel. Concurrent-run safety is enforced by
-# the harness, not by serialisation: same-recipe runs serialise on a per-recipe flock
-# (lifecycle.acquire_recipe_lock — the shared ~/.abra/recipes/<recipe> checkout is the conflict),
-# and every run registers its app domain + pid in /run/cc-ci-active so the run-start janitor only
-# reaps orphans whose owning run is DEAD (alive → never touched; unknown → age fallback, default 2h).
+# Resource safety (plan §4.2/§4.3): DRONE_RUNNER_CAPACITY=2 (nix/modules/drone-runner.nix, the
+# single concurrency knob) allows two recipe runs in parallel. Concurrent-run safety is enforced by
+# the harness, not by serialisation: every run holds an exclusive flock on its app domain
+# (/run/lock/cc-ci-app-<domain>.lock) for its whole process lifetime, the run-start janitor probes
+# that lock to reap only orphans (held lock = live run, never touched), and recipe working trees
+# are per-run ($ABRA_DIR/recipes — no shared checkout, no recipe lock). See docs/concurrency.md.
 kind: pipeline
 type: exec
 name: recipe-ci
@@ -53,21 +53,37 @@ trigger:
   event:
     - custom
 
-concurrency:
-  limit: 2
+# NB deliberately NO `concurrency.limit` here: DRONE_RUNNER_CAPACITY (nix/modules/drone-runner.nix
+# maxTests) is the single concurrency knob (P4 — two knobs in two files drifted).
 
 steps:
   - name: ci
     environment:
       STAGES: install,upgrade,backup,restore,custom
-      # The exec runner points HOME at a per-build workspace; force it to /root so abra finds its
-      # server config + recipes under /root/.abra (as the manual M4/M5 runs did). Safe with
-      # capacity=2: app names are unique per (recipe,pr,ref) and same-recipe runs serialise on the
-      # per-recipe flock, so concurrent builds never touch the same recipe checkout or app.
+      # The exec runner points HOME at a per-build workspace; force it to /root so abra's server
+      # config is found via the per-run ABRA_DIR's servers/ symlink -> /root/.abra/servers.
+      # Recipe trees are PER-RUN ($ABRA_DIR/recipes, exported by run_recipe_ci before any abra
+      # call), so concurrent builds never share a recipe checkout; app .env files are per-domain
+      # in the shared canonical servers/ path, guarded by the app-domain flock.
       HOME: /root
     commands:
       # RECIPE/REF/PR/SRC (+ CCCI_QUICK for `!testme --quick`) are injected as env vars from the
       # build's custom params. CCCI_QUICK=1 makes run_recipe_ci take the opt-in fast lane (WC7);
       # absent => full cold (default). run_quick ignores STAGES (always upgrade+custom).
       - 'echo "recipe-ci: RECIPE=$RECIPE REF=$REF PR=$PR SRC=$SRC stages=$STAGES quick=${CCCI_QUICK:-0}"'
-      - cc-ci-run runner/run_recipe_ci.py
+      # P1 lock-lifetime hardening: run the harness in its own session/process group (setsid) and
+      # forward a drone cancel (TERM to this step shell) to the WHOLE group, so the harness's
+      # SIGTERM handler runs its teardown funnel instead of being leaked (the exec runner kills
+      # only the step shell, not the tree). PDEATHSIG inside the harness backstops the case where
+      # this shell dies without the trap firing. The harness exit code is captured explicitly and
+      # the traps cleared before exiting: the runner shell is `set -e`, and an EXIT-trap kill of
+      # the already-gone process group returns ESRCH, which otherwise poisons a GREEN run's exit
+      # status to 1 (observed live, build 269: all tiers pass, step exit 1).
+      - |
+        setsid cc-ci-run runner/run_recipe_ci.py &
+        PID=$!
+        trap 'kill -TERM -- "-$PID" 2>/dev/null || true' TERM EXIT
+        rc=0
+        wait "$PID" || rc=$?
+        trap - TERM EXIT
+        exit "$rc"

AGENTS.md

@@ -3,6 +3,14 @@
 Working notes for agents (and humans) modifying the cc-ci server. See `README.md` for what the server
 does and `machine-docs/` for the build's living state (`DECISIONS.md`, `DEFERRED.md`, `STATUS-*.md`).
 
+## File-location rule (mandatory)
+
+ALL coordination / loop-state files live under **`machine-docs/`**, NEVER the repo root. That means
+the phase-namespaced `STATUS-*.md`, `BACKLOG-*.md`, `REVIEW-*.md`, `JOURNAL-*.md`, the shared
+`DECISIONS.md` / `DEFERRED.md`, and the `ADVERSARY-INBOX.md` / `BUILDER-INBOX.md` side-channels.
+Create `machine-docs/` if missing; if you ever find one of these at the root, `git mv` it into
+`machine-docs/`. (The repo root is for actual server code/config — `runner/`, `tests/`, `nix/`, etc.)
+
 ## Testing cadence
 
 Two kinds of tests live here — run them on **different** cadences:

README.md

@@ -22,7 +22,7 @@ secrets/               sops-encrypted infra secrets (cc-ci-secrets submodule)
 bridge/                !testme webhook listener source
 runner/                run_recipe_ci.py + shared pytest harness
 dashboard/             results overview generator
-tests/<recipe>/        per-recipe install/upgrade/backup tests + playwright/
+tests/<recipe>/        per-recipe install/upgrade/backup tests + custom/
 docs/                  install, enroll-recipe, secrets, architecture, runbook, baseline
 ```
 

bridge/bridge.py

@@ -37,6 +37,7 @@ import time
 import urllib.error
 import urllib.parse
 import urllib.request
+from datetime import UTC, datetime
 from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
 
 GITEA_API = os.environ.get("GITEA_API", "https://git.autonomic.zone/api/v1")
@@ -81,6 +82,7 @@ GITEA_TOKEN = _read(os.environ["GITEA_TOKEN_FILE"])
 # Shared dedup across the poll + webhook paths: a comment id triggers at most one run.
 _PROCESSED: set = set()
 _PROCESSED_LOCK = threading.Lock()
+_PROCESS_STARTED_AT = datetime.now(UTC)
 
 
 def log(*a):
@@ -277,6 +279,23 @@ def _claim(comment_id) -> bool:
         return True
 
 
+def _is_preexisting_comment(comment) -> bool:
+    """Treat trigger comments older than this bridge process as already-seen.
+
+    This closes the reopened-PR hole where a PR was CLOSED during bridge startup, so its old
+    `!testme` comments were never marked seen by the first poll pass; when that PR is later reopened,
+    the poller must not replay those historical comments as fresh triggers.
+    """
+    created = (comment or {}).get("created_at")
+    if not created:
+        return False
+    try:
+        created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
+    except ValueError:
+        return False
+    return created_at <= _PROCESS_STARTED_AT
+
+
 def process_testme(full_name, owner, name, number, user, comment_id, source, quick=False):
     """Shared by both paths. Dedupes by comment id, checks authorization, resolves the PR head,
     triggers the build, comments the run link. Returns (run_url|None, reason)."""
@@ -389,7 +408,7 @@ def poll_loop():
                     if not is_trigger:
                         continue
                     cid = c.get("id")
-                    if first:
+                    if first or _is_preexisting_comment(c):
                         _claim(cid)  # mark pre-existing comments seen; don't fire on startup
                         continue
                     user = (c.get("user") or {}).get("login", "")

dashboard/dashboard.py

@@ -25,6 +25,9 @@ from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
 DRONE_URL = os.environ.get("DRONE_URL", "https://drone.ci.commoninternet.net")
 CI_REPO = os.environ.get("CI_REPO", "recipe-maintainers/cc-ci")
 CACHE_TTL = int(os.environ.get("CACHE_TTL", "30"))
+# Per-recipe history display cap (phase dash): a long-lived recipe (plausible/custom-html have 30+
+# runs) stays bounded; newest runs are kept (the list is sorted newest-first before the slice).
+HISTORY_CAP = int(os.environ.get("HISTORY_CAP", "30"))
 
 # Phase 3 (R3/R6/U2.3): per-run artifacts (results.json, summary card PNG, app screenshot, level
 # badge) written by run_recipe_ci.py under this host dir, bind-mounted read-only into the dashboard
@@ -38,6 +41,7 @@ _RUN_FILES = {
     "screenshot.png": "image/png",
     "badge.svg": "image/svg+xml",
     "summary.html": "text/html; charset=utf-8",
+    "lint.txt": "text/plain; charset=utf-8",
 }
 _RUN_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
 
@@ -50,9 +54,14 @@ def _read(path):
 DRONE_TOKEN = _read(os.environ["DRONE_TOKEN_FILE"])
 
 _CACHE = {"ts": 0.0, "recipes": []}
-# Raw custom builds (newest-first), cached so the overview AND the per-recipe history page share one
-# Drone fetch within CACHE_TTL (U4 history reads the same list latest_per_recipe groups from).
+# Raw custom builds (newest-first), cached within CACHE_TTL. Feeds the OVERVIEW (latest-per-recipe).
+# The per-recipe HISTORY page no longer reads this slice — it sources the full history from the local
+# run artifacts instead (see _local_history / phase dash), because this Drone slice is capped at the
+# latest 100 builds and drops a recipe's older runs out of view.
 _BUILDS = {"ts": 0.0, "builds": []}
+# Per-recipe history sourced from the LOCAL run artifacts under CCCI_RUNS_DIR (complete: 300+ runs,
+# durable, independent of Drone's 100-build window). Whole-dir scan grouped by recipe, cached CACHE_TTL.
+_LOCAL = {"ts": 0.0, "by_recipe": {}}
 
 _COLORS = {
     "success": "#3fb950",
@@ -71,8 +80,7 @@ _LEVEL_COLOR = {
     2: "#e0823d",
     3: "#d9b343",
     4: "#a0b93f",
-    5: "#57ab5a",
-    6: "#3fb950",
+    5: "#3fb950",  # bright green — full 5-rung climb incl. lint (phase lvl5)
 }
 
 
@@ -152,7 +160,6 @@ def _build_row(b):
         "ref": ref[:8],
         "version": res.get("version") or ref[:12] or "—",
         "level": res.get("level"),
-        "level_cap_reason": res.get("level_cap_reason") or "",
         "has_screenshot": bool(res.get("screenshot")),
         "flags": res.get("flags") or {},
         "finished": b.get("finished") or 0,
@@ -173,13 +180,80 @@ def latest_per_recipe():
     return [_build_row(latest[r]) for r in sorted(latest)]
 
 
+def _numeric_id(n):
+    """run dir name as int for sort tiebreak; -1 for named ids (m2r-*, ab-*) so the PRIMARY sort key
+    (finished timestamp) decides their position, never int() on a non-numeric id (would crash)."""
+    try:
+        return int(n)
+    except (TypeError, ValueError):
+        return -1
+
+
+def _run_status(res):
+    """Overall pass/fail for a finished run, derived from its per-stage results map (results.json has
+    no single top-level status field). Any failed/errored stage → failure; all pass/skip → success;
+    empty/unknown → unknown. A skip alone is not a failure."""
+    vals = list((res.get("results") or {}).values())
+    if any(v in ("fail", "error") for v in vals):
+        return "failure"
+    if vals and all(v in ("pass", "skip") for v in vals):
+        return "success"
+    return "unknown"
+
+
+def _local_history_row(run_id, res):
+    """Project a local run artifact (results.json) into the same display-row shape _build_row emits,
+    so render_history is unchanged. `number` is the run dir name (the /runs/<id>/ path + _results_for
+    key); link to the Drone build when the id is numeric, else to the local summary card."""
+    ref = res.get("ref") or ""
+    url = f"{DRONE_URL}/{CI_REPO}/{run_id}" if str(run_id).isdigit() else f"/runs/{run_id}/summary.html"
+    return {
+        "recipe": res.get("recipe"),
+        "status": _run_status(res),
+        "number": run_id,
+        "ref": ref[:8],
+        "version": res.get("version") or ref[:12] or "—",
+        "level": res.get("level"),
+        "has_screenshot": bool(res.get("screenshot")),
+        "flags": res.get("flags") or {},
+        "finished": res.get("finished") or 0,
+        "url": url,
+    }
+
+
+def _local_history():
+    """Scan CCCI_RUNS_DIR once (cached CACHE_TTL), group runs by recipe sorted newest-first by the
+    `finished` timestamp. Run dirs with no/malformed results.json (in-flight / failed-early) are
+    skipped via _results_for ({} on miss) — never raises, never emits a garbage row. {recipe: [row]}."""
+    now = time.time()
+    if now - _LOCAL["ts"] <= CACHE_TTL and _LOCAL["by_recipe"]:
+        return _LOCAL["by_recipe"]
+    by_recipe = {}
+    try:
+        names = os.listdir(CCCI_RUNS_DIR)
+    except OSError as e:
+        log("local runs scan failed", e)
+        return _LOCAL["by_recipe"]
+    for name in names:
+        res = _results_for(name)  # traversal-guarded read; {} on miss / malformed / non-dir
+        recipe = res.get("recipe")
+        if not recipe:
+            continue
+        by_recipe.setdefault(recipe, []).append(_local_history_row(name, res))
+    # Sort newest-first by finished timestamp (ids are MIXED numeric + named, so a numeric/lexical id
+    # sort would misorder — timestamp is the only correct key); numeric id is a stable tiebreak only.
+    for rows in by_recipe.values():
+        rows.sort(key=lambda r: (r["finished"], _numeric_id(r["number"])), reverse=True)
+    _LOCAL["by_recipe"] = by_recipe
+    _LOCAL["ts"] = now
+    return by_recipe
+
+
 def history_for(recipe):
-    """All runs for one recipe (newest first), augmented from results.json — the per-recipe history
-    page (R5 'link to history'). [] if none / None on fetch error."""
-    builds = _custom_recipe_builds()
-    if builds is None:
-        return None
-    return [_build_row(b) for b in builds if (b.get("params") or {}).get("RECIPE") == recipe]
+    """All runs for one recipe (newest first, display-capped at HISTORY_CAP), sourced from the LOCAL
+    run artifacts under CCCI_RUNS_DIR — complete + durable, independent of Drone's 100-build window
+    (phase dash root cause). [] when the recipe has no local runs."""
+    return _local_history().get(recipe, [])[:HISTORY_CAP]
 
 
 def recipes_cached():
@@ -220,7 +294,6 @@ a{color:#58a6ff;text-decoration:none} a:hover{text-decoration:underline}
 .name{font-weight:700;font-size:1.05rem;color:#e6edf3}
 .row{display:flex;align-items:center;gap:.5rem;flex-wrap:wrap;font-size:.82rem}
 .pill{color:#fff;padding:.08rem .5rem;border-radius:.5rem;font-size:.75rem;font-weight:600}
-.cap{color:#8b949e;font-size:.75rem}
 code{background:#0d1117;border:1px solid #21262d;border-radius:.3rem;padding:0 .3rem;font-size:.78rem;color:#c9d1d9}
 .flags{display:flex;gap:.4rem;font-size:.72rem;color:#8b949e}
 .foot{margin-top:auto;display:flex;justify-content:space-between;font-size:.8rem;padding-top:.3rem;border-top:1px solid #21262d}
@@ -274,17 +347,12 @@ def _card(r):
             f'<a class="shot" href="{run_url}" title="open run">'
             f'<span class="ph">no screenshot</span>{_level_pill(r["level"])}</a>'
         )
-    cap = (
-        f'<div class="cap">{html.escape(r["level_cap_reason"])}</div>'
-        if r["level_cap_reason"]
-        else ""
-    )
     return (
         f'<div class="card">{shot}<div class="body">'
         f'<div class="name">{html.escape(r["recipe"])}</div>'
         f'<div class="row"><span class="pill" style="background:{color}">{html.escape(r["status"])}</span>'
         f'<code>{html.escape(r["version"])}</code></div>'
-        f"{cap}{_flags_html(r['flags'])}"
+        f"{_flags_html(r['flags'])}"
         f'<div class="foot"><a href="{run_url}">run #{num} · {_ago(r["finished"])}</a>'
         f'<a href="/recipe/{html.escape(r["recipe"])}">history →</a></div>'
         f"</div></div>"

docs/concurrency.md

@@ -0,0 +1,236 @@
+# Concurrency: how parallel recipe CI runs stay safe
+
+Spec of the concurrent-run system after the 2026-06-10 restructure (branch
+`restructure/concurrency`; plan: cc-ci-plan `concurrency-restructure-full-plan.md`). The previous
+registry + per-recipe-flock model is documented in this file's git history (`5b65c6c`).
+
+## 1. Goal and design summary
+
+Two recipe CI builds may run **at the same time** on the single cc-ci host. Safety is enforced by
+the **harness**, not by serialising everything, and rests on ONE locking mechanism plus ONE
+structural isolation:
+
+| Rule | Mechanism |
+|---|---|
+| Different recipes run in parallel | nothing blocks them (isolation, §3) |
+| Same-RECIPE runs run in parallel too | per-run `ABRA_DIR` recipe trees (§4) — no shared tree, no lock |
+| Same-DOMAIN runs (double-`!testme` of one PR) serialise | per-app-domain `flock` (§5) |
+| A starting run never reaps a live concurrent run's app | janitor probes the app lock; held = live (§6) |
+| A crashed/canceled/rebooted run's leftovers get reaped | lock auto-released by the kernel → probe acquires → reap (§6) |
+
+The invariant chain that makes "held lock = live owner" sound:
+
+```
+lock lifetime ⊆ harness process lifetime ⊆ drone step lifetime ⊆ 60-min hard deadline
+```
+
+- **lock ⊆ process**: locks are kernel flocks on fds the process holds (and PEP 446 makes those
+  fds non-inheritable, so abra/docker/pytest children never carry them). The kernel releases them
+  on process death, however it dies. There is no unlock code path and no stale-lock failure mode.
+- **process ⊆ step**: `PR_SET_PDEATHSIG(SIGTERM)` + the `.drone.yml` setsid/trap wrap (§2) — a
+  dead or canceled build cannot leak a running harness.
+- **step ⊆ 60 min**: `signal.alarm(3600)` self-deadline (§2).
+
+Never steal a held lock; manage the holder's lifetime. There is **no daemon and no shared state
+service** — everything is kernel/file primitives under `/run/lock` and per-run directories.
+
+## 2. Mechanism 0: run-lifetime hardening (`runner/harness/lifetime.py`)
+
+`run_recipe_ci.main()` calls `lifetime.install_lifetime_guards()` before ANY abra call or lock
+acquisition:
+
+1. **`PR_SET_PDEATHSIG(SIGTERM)`** (ctypes prctl, return code checked): if the parent — the drone
+   step shell — dies, the kernel TERMs the harness. A post-prctl `ppid == 1` re-check closes the
+   start race: a harness whose parent died *before* the prctl armed would never get the signal,
+   so it refuses to run orphaned.
+2. **SIGTERM handler**: logs, then raises `SystemExit(143)` so the run's `finally:` teardown
+   funnel executes and the process exits non-zero. Re-entrant signals during teardown are logged
+   and IGNORED (`lifetime.begin_teardown()`, also set at the top of the run's `finally:` blocks)
+   so a second signal can't abort the cleanup the first one asked for.
+3. **`signal.alarm(3600)` hard deadline**: SIGALRM funnels into the same teardown path with a
+   distinct log line (`== run exceeded 60-minute hard deadline — tearing down ==`), exit 142.
+   Recipes keep their own smaller per-tier timeouts; this bounds the whole run. Teardown time
+   after the deadline is deliberately not alarm-bounded — the janitor is the backstop if a
+   teardown wedges and the process is killed harder.
+
+The `.drone.yml` recipe-ci step runs the harness as `setsid cc-ci-run … &` with a
+`trap 'kill -TERM -- "-$PID"' TERM EXIT; wait "$PID"` — a drone **cancel** (TERM to the step
+shell) is forwarded to the harness's whole process group instead of leaking it (the exec runner
+only kills the step shell). PDEATHSIG backstops the no-trap paths.
+
+## 3. Isolation model: what is shared, what is per-run
+
+Per-run (no conflict possible):
+
+- **App + stack + volumes + secrets.** Run app domain = `naming.app_domain()` →
+  `<recipe[:4]>-<sha1(recipe|pr|ref)[:6]>.ci.commoninternet.net`, unique per (recipe, pr, ref);
+  everything abra creates is namespaced by it. Run apps are recognised by
+  `RUN_APP_RE = ^[a-z0-9]{1,4}-[0-9a-f]{6}\.ci\.commoninternet\.net$`; warm/canonical apps
+  (e.g. `warm-keycloak...`) deliberately do NOT match → the janitor never probes them.
+- **Recipe working trees** — `$ABRA_DIR/recipes/<recipe>`, per run (§4). NEW in the restructure.
+- **Drone build workspace** (`/var/lib/drone-runner/drone-<id>/`) and **run artifacts**
+  (`/var/lib/cc-ci-runs/<run-id>/`).
+- **Run-scoped state files** (`/tmp/ccci-{deploys,opstate,deps,depskip}-<run-id>-<pid>…`) —
+  keyed by run id + harness pid via `run_recipe_ci._run_state_path()`, NEVER by app domain.
+  A second run of the same domain executes its `main()` preamble before blocking at the app
+  lock (§5), so domain-keyed files would be reset/removed underneath the live first run
+  (live finding, M2(c) double-`!testme`: false DG4.1 deploy-count in run 1, countfile
+  `FileNotFoundError` in run 2). Tier/hook children get the exact paths via the
+  `CCCI_*_FILE` env vars; removed on normal run exit.
+
+Shared (by design, conflict-free):
+
+- **`/root/.abra/servers`** — app `.env` files, one per domain. The per-run `ABRA_DIR` symlinks
+  `servers/` here, so .env files land in the canonical path: janitor discovery (`abra app ls`)
+  and out-of-run tooling see every app. Per-domain filenames + the app-domain lock prevent write
+  conflicts.
+- **`/root/.abra/catalogue`** — read-mostly, symlinked into each per-run dir.
+- **`HOME=/root`** (forced in `.drone.yml`) — safe: nothing recipe-mutable lives under `~/.abra`
+  for a run anymore except through the two symlinks above.
+
+## 4. Mechanism 1: per-run `ABRA_DIR` (replaces the per-recipe flock)
+
+`run_recipe_ci.setup_run_abra_dir()` — called first thing in `main()`, before any abra call —
+builds `<runs_dir>/<run-id>/abra/` (run-id = Drone build number; `manual-<pid>` for hand runs):
+
+```
+abra/
+  servers/    -> /root/.abra/servers     (symlink; canonical shared .env path)
+  catalogue/  -> /root/.abra/catalogue   (symlink; read-mostly)
+  recipes/    fresh, empty               (THE isolation that matters)
+```
+
+and exports it as `$ABRA_DIR` — honored by the abra CLI itself and by every harness path helper
+(`abra.abra_dir()` / `abra.recipe_dir()`; `generic._recipe_dir`, `prepull_images`,
+`snapshot_recipe_tests`, `warm_reconcile._recipe_dir` all route through the same rule:
+`$ABRA_DIR` if set, else `~/.abra`).
+
+- `fetch_recipe()` is now a plain clone into `$ABRA_DIR/recipes/<recipe>` (PR-head clone+checkout
+  or `abra recipe fetch`); the upgrade tier's mid-run `git checkout`s happen in the run's own
+  tree. Two same-recipe runs can no longer corrupt each other — structurally, with no lock. The
+  old observed failure (immich builds 229/230 deploying a tree missing its config) is impossible.
+- `CCCI_SKIP_FETCH=1` (test/Adversary staging) copies the canonically-staged
+  `~/.abra/recipes/<recipe>` clone into the per-run tree.
+- Out-of-run flows (warm_reconcile's systemd timer, manual abra) set no `ABRA_DIR` and keep using
+  the canonical `/root/.abra` unchanged. In-run flows that touch canonical state on purpose
+  (warm/canonical .env files) go through `servers/` and are unaffected.
+- The per-run dir rides along the existing `/var/lib/cc-ci-runs/<run-id>/` retention. abra
+  auto-clones any recipe it needs to resolve (e.g. during `app ls`) into the per-run `recipes/` —
+  a few seconds of git per run, gone with the run dir.
+
+## 5. Mechanism 2: per-app-domain flock (`lifecycle.acquire_app_lock`)
+
+- Lock file: `/run/lock/cc-ci-app-<domain>.lock` (dir overridable via `CCCI_APP_LOCK_DIR` for the
+  test suite), exclusive `fcntl.flock`, taken in `deploy_app()` **before the app is created** — a
+  concurrent janitor can never see a run app without its held lock.
+- Blocks (with a log line: `== app lock: another run of <domain> is in flight — waiting ==`) when
+  another run of the SAME domain is in flight — the double-`!testme` serialisation point; the
+  waiting run is visibly parked at that line in its drone log, by design.
+- The returned file object is ALSO retained in module-level `_held_app_locks` — if a caller
+  dropped it, GC would close the fd and silently release the lock.
+- mtime is touched at acquisition: lock age feeds the janitor's long-held flag (§6).
+- **Unlink/recreate race guard**: the janitor unlinks reaped lockfiles, so after EVERY
+  acquisition the locked fd is verified to still be the inode the path names
+  (`fstat().st_ino == stat().st_ino`); a waiter that won a just-unlinked inode closes it and
+  retries on the live path. (A lock on an unlinked inode protects nothing: a later opener gets a
+  fresh inode and would acquire "the same" lock.)
+- Release is implicit: process exit (any kind). `teardown_app()` does NOT release or unlink —
+  a clean run's leftover lockfile is unheld and is unlinked on sight by the next janitor sweep.
+
+## 6. The flock-probe janitor (`lifecycle.janitor`)
+
+Runs at every run start (cold + quick paths) and in the warm/upgrade sweeps. Candidate discovery
+is unchanged from the old model: `abra app ls` + a docker-service sweep (catches stacks whose
+`.env` is already gone), both matched against `RUN_APP_RE` — warm/canonical apps never match and
+are never probed.
+
+Decision table (per candidate domain, `_probe_and_reap`):
+
+| Probe (`LOCK_EX\|LOCK_NB`) | Meaning | Action |
+|---|---|---|
+| acquires (+ inode identity OK) | nobody holds it → owner died (kernel-guaranteed) | **reap**: `teardown_app(verify=False)` WHILE HOLDING the probe lock, then unlink the lockfile, then release |
+| acquires, inode stale | another janitor reaped + unlinked while we raced | skip (reap already done; unlinking now would hit a newer run's file) |
+| `BlockingIOError` (held) | live concurrent run | leave it; if lockfile mtime > 120 min (2× the hard deadline): `!! lock for <domain> held >120min — possible leaked run; inspect with lslocks` — flag, **never steal** |
+| `open()` fails (`OSError`) | garbled/unopenable lockfile | skip + log, never crash |
+
+- Reaping under the probe lock closes the janitor-vs-new-run race: a new run of that domain
+  blocks in `acquire_app_lock` until the reap finishes — no window where a fresh app coexists
+  with a half-reaped one.
+- Two racing janitors arbitrate on the flock: one reaps, the other sees "held" and leaves; reaps
+  are idempotent (`teardown_app(verify=False)` tolerates half-gone stacks).
+- After the candidates, a tidy sweep unlinks stale **unheld** `cc-ci-app-*.lock` files with no
+  app behind them (under their own probe lock + identity check), keeping `/run/lock` clean.
+- **Post-reboot**: `/run/lock` is tmpfs → lockfiles gone → every surviving app probes as an
+  orphan → reaped immediately. (Improvement over the old 2-hour age fallback; there IS no age
+  logic anymore.)
+
+## 7. Failure-mode guarantees
+
+| Event | Outcome |
+|---|---|
+| Run crashes / SIGKILL mid-run | flock auto-released by kernel → next janitor probe reaps app + lockfile |
+| Drone build canceled via API | step trap TERMs the harness process group → SIGTERM funnel runs the run's own teardown (exit 143); if anything still leaks, PDEATHSIG + janitor reap (the old "cancel leaks the harness" gap is CLOSED) |
+| Run exceeds 60 min | SIGALRM → distinct log line → own teardown → exit 142 |
+| Host reboot | locks and lockfiles vanish (tmpfs, correct: no owners survived) → all surviving run apps reaped at the next run start, immediately |
+| Two same-recipe `!testme`s (different PRs) | run in parallel — separate domains, separate per-run recipe trees |
+| Double-`!testme` (same PR → same domain) | second blocks on the app lock before creating anything, visibly in its drone log, runs after the first finishes |
+| Janitor vs. app being created | impossible to mis-reap: the lock is held before `app new`, and a held lock is never touched |
+| Janitor unlink vs. blocked waiter | inode identity re-check on every acquisition → waiter retries on the live path |
+| Lock held implausibly long (>120 min) | flagged loudly for a human (`lslocks`), never stolen |
+
+## 8. Where convergence fits (adjacent; unchanged by the restructure)
+
+Two swarm-convergence behaviors in `services_converged()` look like concurrency bugs but aren't —
+any future work must keep them fixed:
+
+- **N/N replicas ≠ converged** during a stop-first rolling update — `UpdateStatus.State` is also
+  inspected (build 238: backupbot exec'd into a container killed seconds later).
+- **`paused` persists forever** (swarm's default `update-failure-action`) — only `updating` and
+  `rollback_started` block convergence; `paused`/`rollback_paused` are settled (build 241).
+- `backup_app()` additionally waits (bounded 300s) for convergence before `backup create`.
+
+## 9. Configuration knobs
+
+| Knob | Where | Current | Meaning |
+|---|---|---|---|
+| `DRONE_RUNNER_CAPACITY` (aka `MAX_TESTS`) | `nix/modules/drone-runner.nix` (`maxTests`) | `2` | **THE single concurrency knob.** Max builds the exec runner executes at once; Drone queues the rest. (The `.drone.yml` `concurrency.limit` duplicate was removed.) Change requires `nixos-rebuild switch`. |
+| `CCCI_APP_LOCK_DIR` | env, read at call time | unset → `/run/lock` | App-domain lockfile dir override — used by `tests/concurrency` to sandbox locks. Never set in production. |
+| hard deadline | `lifetime.HARD_DEADLINE_SECONDS` | 3600 s | the whole-run alarm; long-held flag threshold is 2× this (`LONG_HELD_LOCK_SECONDS`) |
+
+## 10. Testing: `tests/concurrency/`
+
+Real-kernel suite (19 planned cases + companions): helper subprocesses hold REAL flocks and
+install the REAL prctl/signal/alarm guards — flock itself is never mocked; the janitor runs with
+injected candidates + stubbed teardown but probes real locks. **Not part of the default
+`pytest tests/unit` gate** (it spawns processes and sleeps); run it explicitly:
+
+```
+cc-ci-run -m pytest tests/concurrency -q
+```
+
+Covers: kernel auto-release on SIGKILL; LOCK_NB probe semantics; PEP 446 fd non-inheritance;
+same-domain serialisation; orphan reap + unlink; live-run protection; reap-under-probe-lock
+blocking; two-janitor arbitration; reboot-immediate reap; long-held flag; RUN_APP_RE allowlist;
+degrade-on-garbage; PDEATHSIG; ppid start race; deadline + SIGTERM funnels; per-run ABRA_DIR
+construction/export; concurrent same-recipe fetch isolation; symlinked-servers .env canonicality;
+run-keyed (never domain-keyed) run-scoped state files (M2(c) regression, `test_run_state.py`).
+
+## 11. File / symbol index
+
+| What | Where |
+|---|---|
+| lifetime guards (PDEATHSIG, signal funnels, deadline) | `runner/harness/lifetime.py`; installed in `run_recipe_ci.main()` |
+| setsid/trap cancel forwarding | `.drone.yml` (`recipe-ci` step) |
+| `acquire_app_lock`, `_held_app_locks`, `_app_lock_path` | `runner/harness/lifecycle.py` |
+| `acquire_app_lock` call site | `lifecycle.deploy_app()` (before app creation) |
+| janitor + probe (`janitor`, `_probe_and_reap`, `LONG_HELD_LOCK_SECONDS`) | `runner/harness/lifecycle.py` |
+| per-run ABRA_DIR (`setup_run_abra_dir`, `fetch_recipe`) | `runner/run_recipe_ci.py` |
+| path resolution (`abra_dir`, `recipe_dir`) | `runner/harness/abra.py` (used by `generic`, `lifecycle.prepull_images`, `warm_reconcile`) |
+| run-app naming | `runner/harness/naming.py` (`app_domain`), `RUN_APP_RE` in `lifecycle.py` |
+| capacity knob | `nix/modules/drone-runner.nix` (`maxTests`) |
+| convergence (adjacent) | `lifecycle.services_converged()`, `lifecycle.backup_app()` |
+| the test suite | `tests/concurrency/` (`helpers.py` subprocess entrypoints, `concutil.py` probes) |
+
+Deleted in the restructure (grep should find NOTHING): `register_run_app`, `unregister_run_app`,
+`_run_owner_state`, `ACTIVE_RUN_DIR`, `CCCI_JANITOR_MAX_AGE`, `_stack_age_seconds`,
+`acquire_recipe_lock`, `RECIPE_LOCK_DIR`.

docs/enroll-recipe.md

@@ -14,19 +14,19 @@ those are discovered and run against the live app (D4 — see below).
 ```
 tests/<recipe>/
 ├── recipe_meta.py      # optional per-recipe harness config (see below)
-├── install_steps.sh    # optional custom install-steps hook (pre-deploy setup)
-├── ops.py              # optional pre-op seed hooks (pre_install/pre_upgrade/pre_backup/pre_restore)
+├── install_steps.sh    # optional custom install-steps hook (pre-deploy setup + deps env wiring)
+├── compose.ccci.yml    # optional CI-only compose overlay (harness-copied, auto-chaos base deploy)
+├── ops.py              # optional pre_<op>(ctx) seed hooks (install/upgrade/backup/restore)
 ├── test_install.py     # optional install overlay  (runs ADDITIVELY alongside generic)
 ├── test_upgrade.py     # optional upgrade overlay   (runs ADDITIVELY alongside generic)
 ├── test_backup.py      # optional backup overlay    (runs ADDITIVELY alongside generic)
 ├── test_restore.py     # optional restore overlay   (runs ADDITIVELY alongside generic)
 ├── PARITY.md           # Phase 2 P2: mapping table (recipe-maintainer tests → cc-ci tests)
-├── functional/         # Phase 2 P3: parity ports + ≥2 NEW recipe-specific tests
-│   ├── test_health_check.py    # parity port of recipe-info/<recipe>/tests/health_check.py
-│   ├── test_<behavior>.py      # ≥2 NEW recipe-specific functional tests
-│   └── …
-└── playwright/         # Phase 2 P6: browser flows where the app's core UX is a UI
-    └── test_<flow>.py
+└── custom/             # custom tier: parity ports + recipe-specific tests + browser flows
+    ├── test_health_check.py    # parity port of recipe-info/<recipe>/tests/health_check.py
+    ├── test_<behavior>.py      # ≥2 NEW recipe-specific tests
+    ├── test_<flow>.py          # browser/UI flows where relevant
+    └── …
 ```
 
 **A recipe is testable with ZERO config:** with no overlay files, the **generic lifecycle suite**
@@ -39,11 +39,14 @@ To add recipe-specific coverage, drop a `tests/<recipe>/test_<op>.py` **overlay*
 **ALONGSIDE** the generic for that op (HC3 additive, Phase 1e); the generic floor is never silently
 dropped. Overlays are **assertion-only** against the shared live deployment (the `live_app` fixture;
 they never perform the op or deploy/teardown — the orchestrator owns those). If the overlay needs to
-SEED pre-op state (data-continuity markers, the backup→restore divergence), put `pre_<op>(domain,
-meta)` callables in `tests/<recipe>/ops.py` — the orchestrator runs them BEFORE the op. Copy an
+SEED pre-op state (data-continuity markers, the backup→restore divergence), put `pre_<op>(ctx)`
+callables in `tests/<recipe>/ops.py` — the orchestrator runs them BEFORE the op (`ctx` is the
+uniform `HookCtx` every hook receives — `docs/recipe-customization.md` §4.1). Copy an
 existing recipe (`tests/custom-html/` simple/volume marker; `tests/keycloak/` admin-API; `tests/
 matrix-synapse/` `db`-service psql marker). **Do not edit the shared `tests/conftest.py` /
-`runner/harness/` to add a recipe** — set per-recipe knobs in `recipe_meta.py`:
+`runner/harness/` to add a recipe** — set per-recipe knobs in `recipe_meta.py` (the COMPLETE key
+reference is the generated table in `docs/recipe-customization.md` §4; unknown ALL-CAPS keys are
+hard errors, recipe-private constants are underscore-prefixed `_FOO`):
 
 ```python
 HEALTH_PATH = "/realms/master"   # path that returns a healthy status (default "/")
@@ -51,9 +54,7 @@ HEALTH_OK = (200,)               # acceptable status codes (default 200/301/302)
 DEPLOY_TIMEOUT = 600             # seconds for services to converge (default 600)
 HTTP_TIMEOUT = 600               # seconds for the app to answer (default 300)
 BACKUP_CAPABLE = True            # override backup-capability auto-detect (default: scan compose)
-EXTRA_ENV = {"KEY": "value"}     # or EXTRA_ENV(domain) -> dict; extra .env keys set at deploy
-SKIP_GENERIC = ["upgrade"]       # per-recipe opt-out from the generic floor for the listed ops
-                                 #  ("all"/"*" = every op); rarely needed — generic is the floor
+EXTRA_ENV = {"KEY": "value"}     # or EXTRA_ENV(ctx) -> dict; extra .env keys set at deploy
 ```
 
 Useful `harness.lifecycle` helpers for overlays: `http_get`, `http_fetch`, `http_body`,
@@ -66,19 +67,20 @@ ops themselves are orchestrator-owned (you never call them from an overlay). The
 Beyond the lifecycle overlays, each recipe carries (plan §4.1):
 
 - **`PARITY.md`** — a mapping table from every `references/recipe-maintainer/recipe-info/<recipe>/
-  tests/*.py` to a comparable cc-ci test under `tests/<recipe>/functional/`, asserting the
+  tests/*.py` to a comparable cc-ci test under `tests/<recipe>/custom/`, asserting the
   *same thing* (not a renamed file). A deliberate non-port is documented in `DECISIONS.md` with
   a technical reason — never a silent omission.
-- **`functional/`** — parity-port tests + **≥2 NEW recipe-specific functional tests** that
-  exercise the app's characteristic behavior (per plan §4.3 — e.g. "create-an-object +
-  read-it-back, and one more that touches a distinctive feature"). Each parity-port file carries
-  a `SOURCE = "recipe-info/<recipe>/tests/<file>"` comment near the top so audit is in-file.
-- **`playwright/`** — browser flows where the recipe's core UX is a UI (P6).
+- **`custom/`** — parity-port tests + **≥2 NEW recipe-specific tests** that exercise the app's
+  characteristic behavior (per plan §4.3 — e.g. "create-an-object + read-it-back, and one more
+  that touches a distinctive feature"). Browser/UI flows live in the same folder too. Each
+  parity-port file carries a `SOURCE = "recipe-info/<recipe>/tests/<file>"` comment near the top
+  so audit is in-file.
 
-The orchestrator's **custom** tier discovers `test_*.py` in `tests/<recipe>/{functional,playwright}/`
-(recursive, via `runner/harness/discovery.custom_tests`) and runs each as its own pytest against
-the same `live_app` shared deployment. Lifecycle-named files (`test_install.py`/etc.) are
-**excluded** from the custom tier — they live at the top level and run as lifecycle overlays.
+The orchestrator's **custom** tier discovers `test_*.py` in canonical `tests/<recipe>/custom/`
+(plus deprecated `functional/` / `playwright/` aliases during migration; discovery warns when it
+uses them) and runs each as its own pytest against the same
+`live_app` shared deployment. Lifecycle-named files (`test_install.py`/etc.) are **excluded**
+from the custom tier even inside those subdirs (safety net against double-running).
 
 ### 2.2 Recipe-test dependencies — DEPS = [...] (Phase 2 Q2.3)
 
@@ -89,23 +91,28 @@ them in `recipe_meta.py`:
 DEPS = ["keycloak"]  # one entry per dep recipe name (cc-ci tests/<dep>/ must exist + work)
 ```
 
-The orchestrator (plan §4.2):
-1. Reads `DEPS` BEFORE deploying the recipe under test.
-2. Deploys each dep at a per-run domain `<dep[:4]>-<6hex>.ci.commoninternet.net` (the 6hex is
-   hashed from `parent_recipe + pr + ref + dep_recipe` so two recipes' deps of the same kind do
-   not collide on a single node).
-3. Waits each dep healthy using its own `recipe_meta.py` (HEALTH_PATH/HEALTH_OK/timeouts).
-4. Persists `[{"recipe": "<dep>", "domain": "<dep-domain>"}, ...]` to `$CCCI_DEPS_FILE`.
-5. Deploys + tests the recipe under test as usual.
-6. Tears down the dep LAST in `finally` (reverse declaration order, with `verify=True` — leaked
+The orchestrator (plan §4.2; install-time provisioning is the ONLY mode):
+1. Reads `DEPS` and provisions every dep **BEFORE the single deploy** of the recipe under test —
+   each dep at a per-run domain `<dep[:4]>-<6hex>.ci.commoninternet.net` (the 6hex is hashed from
+   `parent_recipe + pr + ref + dep_recipe` so two recipes' deps of the same kind do not collide on
+   a single node), waited healthy using the dep's own `recipe_meta.py`.
+2. Persists the full per-dep identity + SSO creds dict to `$CCCI_DEPS_FILE` (jq-readable JSON,
+   `{"<dep>": {"domain": ..., "realm": ..., "client_secret": ..., ...}}`).
+3. Deploys the recipe under test — its `install_steps.sh` reads `$CCCI_DEPS_FILE` and wires
+   OIDC env into that ONE deploy (no post-deploy redeploy). A dep-provisioning failure does NOT
+   block the run: the recipe deploys alone, generic tiers run, and `requires_deps` tests skip
+   with a counted reason (F2-11).
+4. Tears down the dep LAST in `finally` (reverse declaration order, with `verify=True` — leaked
    deps fail the run loudly per §9 teardown sacred / F2-5 fix).
 
-Tests access dep domains via the **`deps_apps` pytest fixture** (`tests/conftest.py`):
+Tests access deps via the **`deps` pytest fixture** (`tests/conftest.py`) — entries expose
+`.domain` plus the full creds dict (attribute or dict-style):
 
 ```python
-def test_my_recipe_uses_keycloak(live_app, deps_apps):
-    assert "keycloak" in deps_apps, f"keycloak dep not deployed; {deps_apps}"
-    kc_domain = deps_apps["keycloak"]
+@pytest.mark.requires_deps
+def test_my_recipe_uses_keycloak(live_app, deps):
+    assert "keycloak" in deps, f"keycloak dep not deployed; {deps}"
+    kc_domain = deps["keycloak"].domain
     …
 ```
 
@@ -120,7 +127,7 @@ For OIDC-dependent recipes, the shared `runner/harness/sso.py` provides:
 from harness import sso
 
 creds = sso.setup_keycloak_realm(
-    kc_domain,                   # = deps_apps["keycloak"]
+    kc_domain,                   # = deps["keycloak"].domain
     realm="my-realm",
     client_id="my-client",
     redirect_uris=[f"https://{live_app}/*"],
@@ -144,10 +151,10 @@ ARE provider-pluggable.
 Not every recipe is a single HTTP app. `recipe_meta.py` + a few harness mechanisms cover the harder
 shapes (proven on mumble, mailu, and the SSO-dependent suite):
 
-- **`EXTRA_ENV`** — a dict **or** a `callable(domain) -> dict`. The callable form derives values from
-  the per-run domain (e.g. `MAIL_DOMAIN`/`HOSTNAMES` for mailu, `SANDBOX_DOMAIN` for cryptpad). Applied
-  at every deploy (`abra.env_set`), so a recipe enrolls with NO shared-harness change.
-- **`READY_PROBE(domain) -> [...]`** — readiness signals beyond replica-convergence + the app's
+- **`EXTRA_ENV`** — a dict **or** a `callable(ctx) -> dict`. The callable form derives values from
+  the per-run domain (`ctx.domain` — e.g. `MAIL_DOMAIN`/`HOSTNAMES` for mailu, `SANDBOX_DOMAIN` for
+  cryptpad). Applied at every deploy (`abra.env_set`), so a recipe enrolls with NO shared-harness change.
+- **`READY_PROBE(ctx) -> [...]`** — readiness signals beyond replica-convergence + the app's
   `HEALTH_PATH`. Two probe shapes:
   - HTTP: `{"host": "...", "path": "/...", "ok": (200,)}` (e.g. lasuite-drive collabora WOPI discovery).
   - **TCP**: `{"tcp_host": "127.0.0.1", "tcp_port": 64738, "stable": 3}` — polls a socket connect N
@@ -155,20 +162,20 @@ shapes (proven on mumble, mailu, and the SSO-dependent suite):
     service (mumble: the mumble-web sidecar serves HTTP 200 while the voice server on 64738 is still
     rebinding after an upgrade redeploy — the TCP probe gates the backup tier until the voice server is
     actually up). Runs after install AND after the upgrade chaos redeploy.
-- **`CHAOS_BASE_DEPLOY = True`** — make the pinned base deploy use `--chaos` (skips abra's clean-tree +
-  lint gates, still deploys the explicitly-checked-out pinned version, NOT latest). Needed when an
-  `install_steps.sh` adds an UNTRACKED file to the recipe checkout (e.g. mumble copies a
-  `compose.host-ports.yml` into versions that predate it) — abra's pinned-deploy clean-tree check would
-  otherwise FATA. `abra.recipe_checkout` force-checks-out (`-f`) so the upgrade tier's re-checkout to
-  PR-head overwrites such overlays cleanly.
+- **`compose.ccci.yml`** (first-class at `tests/<recipe>/compose.ccci.yml`) — a CI-only compose
+  overlay the harness itself copies into the recipe checkout before the base deploy, automatically
+  using `--chaos` for that deploy (the untracked file would otherwise trip abra's pinned-deploy
+  clean-tree check). Reference it from `EXTRA_ENV`'s `COMPOSE_FILE`. Minimal, justified fallback
+  only (e.g. ghost's 15m `start_period` grace). `abra.recipe_checkout` force-checks-out (`-f`) so
+  the upgrade tier's re-checkout to PR-head overwrites such overlays cleanly.
 - **`install_steps.sh`** (auto-discovered at `tests/<recipe>/install_steps.sh`) — runs after
   `abra app new` + EXTRA_ENV + secret-generate, BEFORE the single deploy, with `CCCI_APP_DOMAIN` /
-  `CCCI_APP_ENV` / `CCCI_RECIPE` (and `CCCI_DEPS_FILE` when DEPS are provisioned at install). Use it to
-  drop a cc-ci-owned compose overlay into the checkout, wire dep-derived env/secrets, etc.
+  `CCCI_APP_ENV` / `CCCI_RECIPE` (and `CCCI_DEPS_FILE` when the recipe declares DEPS — deps are
+  always provisioned before the deploy). Use it to wire dep-derived env/secrets, seed config, etc.
 
 **Non-HTTP protocol tests (mumble).** Reach a TCP service published `mode: host` (via a host-ports
 overlay) at `127.0.0.1:<port>` — cc-ci runs tests on-host (cc-ci-run). mumble ships a stdlib protocol
-client (`tests/mumble/functional/_mumble_proto.py`) doing the real TLS handshake → ServerSync; the
+client (`tests/mumble/custom/_mumble_proto.py`) doing the real TLS handshake → ServerSync; the
 recipe-specific tests assert channel presence and config round-trips (a deploy-set `WELCOME_TEXT`/
 `USERS` value surfaces over the protocol — version-independent, non-vacuous).
 
@@ -227,26 +234,29 @@ RECIPE=<recipe> PR=<n> REF=<sha-or-branch> SRC=recipe-maintainers/<recipe> \
 
 ```
 tests/lasuite-docs/
-├── recipe_meta.py            # HEALTH_PATH="/", DEPLOY_TIMEOUT=900, EXTRA_ENV(domain) for cold-pull,
+├── recipe_meta.py            # HEALTH_PATH="/", DEPLOY_TIMEOUT=900, EXTRA_ENV(ctx) for cold-pull,
 │                             # DEPS=["keycloak"]  ← Phase 2 dep declaration
-├── ops.py                    # pre_<op> seed hooks (volume marker for backup/restore data-integrity)
+├── install_steps.sh          # wires OIDC env from $CCCI_DEPS_FILE into the single deploy
+├── ops.py                    # pre_<op>(ctx) seed hooks (volume marker for backup/restore data-integrity)
 ├── test_install.py           # lifecycle install overlay (Playwright frontend SPA load)
 ├── test_upgrade.py           # lifecycle upgrade overlay (marker survives chaos redeploy)
 ├── test_backup.py            # lifecycle backup overlay (marker captured)
 ├── test_restore.py           # lifecycle restore overlay (marker restored to pre-mutation)
 ├── PARITY.md                 # parity-port mapping (P2)
-└── functional/
+└── custom/
     ├── test_health_check.py        # parity port (SOURCE comment cites recipe-info file)
     ├── test_auth_required.py       # specific: /api/v1.0/users/me/ → 401 without auth
     └── test_oidc_with_keycloak.py  # specific: full OIDC flow against the dep keycloak (uses
-                                    # harness.sso primitives + deps_apps["keycloak"])
+                                    # harness.sso primitives + the `deps` fixture)
 ```
 
 `!testme` on a lasuite-docs PR drives the orchestrator to:
-1. Deploy the per-run keycloak dep (`keyc-<6hex>.ci.commoninternet.net`) and wait healthy.
-2. Deploy lasuite-docs (`lasu-<6hex>.ci.commoninternet.net`).
-3. Run install / upgrade / backup / restore + the 3 functional tests against the shared
-   deployment (custom tier).
+1. Provision the per-run keycloak dep (`keyc-<6hex>.ci.commoninternet.net`), wait healthy, write
+   creds to `$CCCI_DEPS_FILE` — BEFORE the recipe deploy.
+2. Deploy lasuite-docs (`lasu-<6hex>.ci.commoninternet.net`); `install_steps.sh` wires the OIDC
+   env into that one deploy.
+3. Run install / upgrade / backup / restore + the 3 custom tests against the shared
+    deployment (custom tier).
 4. Teardown lasuite-docs, then the keycloak dep (LAST), both with verify=True.
 5. Print the run summary; non-zero exit code on any failure (DG4.1 deploy-count mismatch, tier
    FAIL, dep teardown leak — all surfaced).
@@ -254,12 +264,13 @@ tests/lasuite-docs/
 ### Other shapes (concrete references)
 
 - **TCP / voice recipe — `tests/mumble/`**: `recipe_meta.py` (EXTRA_ENV sets
-  `COMPOSE_FILE=compose.yml:compose.mumbleweb.yml:compose.host-ports.yml`, `WELCOME_TEXT`/`USERS`
-  markers, `CHAOS_BASE_DEPLOY=True`, `READY_PROBE` TCP 64738), `install_steps.sh` (provides the
-  host-ports overlay to older versions), `functional/_mumble_proto.py` + the protocol/config-round-trip
+  `COMPOSE_FILE=compose.yml:compose.mumbleweb.yml` for the base; `UPGRADE_EXTRA_ENV` adds the
+  native `compose.host-ports.yml` at PR-head so 64738 is host-published on latest; private
+  `_WELCOME_TEXT_MARKER`/`_MAX_USERS` constants; `READY_PROBE(ctx)` TCP 64738 — phase-aware via
+  the live COMPOSE_FILE), `custom/_mumble_proto.py` + the protocol/config-round-trip
   tests, `ops.py`/`test_backup.py`/`test_restore.py` (sqlite P4). See §2.4.
 - **Multi-service, dep-less, in-container functional — `tests/mailu/`**: `recipe_meta.py`
-  (`EXTRA_ENV(domain)` with `TLS_FLAVOR=notls` + `MAIL_DOMAIN`/`HOSTNAMES`/`TRAEFIK_STACK_NAME`),
-  `functional/_mailu.py` (flask-CLI helpers), `test_mailbox.py` (create→config-export read-back),
+  (`EXTRA_ENV(ctx)` with `TLS_FLAVOR=notls` + `MAIL_DOMAIN`/`HOSTNAMES`/`TRAEFIK_STACK_NAME`),
+  `custom/_mailu.py` (flask-CLI helpers), `test_mailbox.py` (create→config-export read-back),
   `test_mail_flow.py` (in-container sendmail→doveadm delivery). No backupbot → P4 N/A (PARITY.md +
   DEFERRED.md). See §2.4.

docs/recipe-customization.md

@@ -0,0 +1,396 @@
+# Recipe customization — reference
+
+Status: REFERENCE — describes the customization system as restructured on branch
+`restructure/recipe-custom` (the "rcust" restructure). The pre-restructure system and its defects
+are documented in this file's history (commit `76a4b6b`, the review spec whose §8 R1–R9 drove the
+restructure); §8 below records how each was resolved.
+
+Companion docs: `docs/testing.md` (test architecture / tier semantics), `docs/enroll-recipe.md`
+(step-by-step enrollment). This doc is the **complete reference** for the two questions those docs
+answer only partially:
+
+1. How are custom tests written for a particular recipe?
+2. What are ALL the per-recipe CI settings, where do they live, and who reads them?
+
+---
+
+## 1. The three customization surfaces
+
+A recipe customizes its CI through **three distinct mechanisms**:
+
+| Surface | Form | Examples |
+|---|---|---|
+| **Declarative settings** | Python assignments in `tests/<recipe>/recipe_meta.py` | `DEPLOY_TIMEOUT = 1500`, `HEALTH_PATH = "/api/health"` |
+| **Code hooks** | Callables in `recipe_meta.py`, `ops.py` functions, one shell hook | `def READY_PROBE(ctx): ...`, `pre_upgrade(ctx)`, `install_steps.sh` |
+| **File presence** | A file existing at a discovered path changes behavior | `test_upgrade.py` overlay, `custom/test_*.py`, `compose.ccci.yml` |
+
+There is additionally a fourth, **operator-facing, local-dev-only** surface: environment variables
+(`CCCI_SKIP_GENERIC*`) that suppress the generic floor at run time (§7). Whatever a run resolves
+from all four surfaces is printed at run start as the **customization manifest** and embedded in
+`results.json` under `"customization"` (§7) — one block answers "what does this recipe customize?".
+
+## 2. Zero-config baseline
+
+A recipe with **no `tests/<recipe>/` directory at all** still gets the full generic floor:
+
+- deploy base version → INSTALL (generic `assert_serving`: HTTP on `/`, expect 200/301/302)
+- chaos-upgrade to PR head → UPGRADE (generic `assert_upgraded`: version label matches head, converged, serving)
+- BACKUP (generic `assert_backup_artifact`) — iff the recipe's compose files carry
+  `backupbot.backup` labels (auto-detected), else N/A
+- RESTORE (generic `assert_restore_healthy`)
+- CUSTOM tier: empty (no custom tests discovered)
+- teardown
+
+Defaults: `HEALTH_PATH="/"`, `HEALTH_OK=(200,301,302)`, `DEPLOY_TIMEOUT=600`, `HTTP_TIMEOUT=300`.
+Everything in this doc is opt-in deviation from that floor. The cardinal invariant
+(docs/testing.md §1): the generic floor is **always on** and never depends on custom code;
+custom is **additive** by default.
+
+## 3. The per-recipe tree — every file that can exist
+
+Two locations, with precedence and a security gate between them:
+
+- **cc-ci-owned**: `tests/<recipe>/` in this repo (trusted, maintainer-reviewed)
+- **repo-local**: the recipe repo's own `tests/` dir (PR-author-controlled → **default-deny**,
+  consulted only when the recipe is listed in `tests/repo-local-approved.txt` — gate HC2,
+  centralized in `runner/harness/discovery.py`)
+
+```
+tests/<recipe>/                      # cc-ci side (repo-local mirrors the same shape)
+├── recipe_meta.py                   # THE config file: registry-validated keys + ctx-hooks (§4)
+├── test_<op>.py                     # lifecycle overlay assertions, op ∈ install|upgrade|backup|restore (§5.1)
+├── ops.py                           # pre_<op>(ctx) seed hooks                    (§5.2)
+├── custom/test_*.py                 # custom tier: parity ports + recipe-specific + UI flows (§5.3)
+├── install_steps.sh                 # pre-deploy shell hook (the ONLY shell hook) (§5.4)
+├── compose.ccci.yml                 # CI-only ENVIRONMENTAL compose overlay (all deploys) (§5.5)
+├── previous/                        # version-specific base-only repair (optional)  (§5.5b)
+│   ├── compose.previous.yml         #   minimal compose to deploy the previous version
+│   └── VERSION                      #   the published version it targets (version-guard)
+└── PARITY.md                        # enrollment contract doc (human-read only)
+```
+
+**Placement rule (custom tests):** ALL custom-tier tests live under canonical `custom/`.
+Deprecated `functional/` and `playwright/` aliases are still discovered with a loud warning so
+coverage is not silently lost while recipe trees migrate. A top-level `test_*.py` is a lifecycle overlay (`test_<op>.py`) and nothing else —
+top-level non-lifecycle files are NOT discovered (`discovery.custom_tests`; the lifecycle-name
+exclusion stays as a safety net so a misfiled `test_<op>.py` can never double-run).
+
+Precedence (machine-docs/DECISIONS.md, implemented in `discovery.py`):
+
+- lifecycle overlay `test_<op>.py`: repo-local **wins** over cc-ci (same-name collision); the
+  generic floor still runs additively alongside.
+- custom tier (`custom/`, plus deprecated alias dirs during migration): **ALL** run, from both
+  locations (no collision
+  concept).
+- `install_steps.sh`: repo-local > cc-ci, or none.
+- `ops.py` pre-op hook: cc-ci wins; repo-local consulted only if approved.
+- `recipe_meta.py` and `compose.ccci.yml`: cc-ci only — repo-local recipes cannot set CI settings
+  or compose overlays (by design; those surfaces stay maintainer-controlled).
+
+## 4. `recipe_meta.py` — complete settings reference
+
+The single settings file. Plain Python, `exec()`d by the harness in exactly ONE place: the
+registry-backed loader `runner/harness/meta.py::load(recipe) -> RecipeMeta`. Every consumer — the
+orchestrator (which loads once and passes the object down), the pytest `meta` fixture, lifecycle,
+deps, canonical, screenshot — reads from that one loaded object.
+
+**Validation (hard errors at load, before any deploy):**
+
+- A key is "set" by a top-level ALL-CAPS assignment or `def`. Unknown ALL-CAPS top-level names
+  raise `MetaError` listing the unknown name and the nearest registered key (typo gate —
+  misspelling `READY_PROBE` can no longer silently disable the probe).
+- Type mismatches raise `MetaError`; callables are accepted only for hook-typed keys.
+- **Underscore-prefixed names (`_FOO`) are recipe-private and exempt** — that's where private
+  constants live (e.g. mumble's `_WELCOME_TEXT_MARKER`). Lowercase names (helpers/imports) are
+  ignored.
+- Hook callables must have the registered signature (below); a legacy-signature hook raises a
+  `MetaError` naming the migration, never a silent `TypeError` mid-run.
+
+A unit test (`tests/unit/test_meta.py`) loads every `tests/*/recipe_meta.py` through the registry,
+so a typo'd key fails at PR time, not at run time.
+
+<!-- META-TABLE-START -->
+
+_This table is GENERATED from the `runner/harness/meta.py` KEYS registry by `scripts/gen-meta-docs.py` — do not edit by hand (a unit test pins the sync)._
+
+| Key | Type | Default | Meaning |
+|---|---|---|---|
+| `HEALTH_PATH` | `str` | `'/'` | Path probed for serving/health checks (deploy wait + generic `assert_serving`). |
+| `HEALTH_OK` | `tuple[int]` | `(200, 301, 302)` | Acceptable HTTP status codes for health. |
+| `DEPLOY_TIMEOUT` | `int` | `600` | Max seconds to wait for swarm convergence per deploy. |
+| `HTTP_TIMEOUT` | `int` | `300` | Max seconds to wait for HTTP health after convergence. |
+| `BACKUP_CAPABLE` | `bool` | `None` | Override the backup-tier capability auto-detect (compose `backupbot.backup` labels). `False` forces an intentional skip of the backup/restore rung; `True` forces the tier on; unset = auto-detect. |
+| `EXPECTED_NA` | `dict` | `None` | Declare a non-run rung an INTENTIONAL skip: `{rung: reason}` — the level climbs past it; an undeclared non-run rung is *unverified* and blocks the level above it (classification table: machine-docs/DECISIONS.md phase lvl5). Never overrides an exercised pass/fail; the `lint` rung has no escape hatch. Declaring `upgrade` also suppresses the upgrade-tier BASE deploy — the single deploy is the PR head itself — for recipes whose published versions exist but are genuinely undeployable (phase bsky). |
+| `READY_PROBE` | `hook` | `None` | Callable `(ctx) -> [probe, ...]` returning extra readiness probes, run after install AND after upgrade: HTTP `{host, path, ok}` or TCP `{tcp_host, tcp_port, stable}`. |
+| `BACKUP_VERIFY` | `hook` | `None` | Callable `(ctx) -> bool` post-backup data-capture check; `False` re-runs the backup (truncated-dump race guard), retried up to 3 attempts. |
+| `UPGRADE_EXTRA_ENV` | `dict_or_hook` | `None` | Extra `.env` keys applied after the PR-head checkout, before the chaos redeploy (env that exists only at head). Dict, or callable `(ctx) -> dict`. |
+| `EXTRA_ENV` | `dict_or_hook` | `{}` | Extra `.env` keys applied at EVERY deploy (base install AND upgrade old-app). Dict, or callable `(ctx) -> dict` deriving values from the per-run domain (`ctx.domain`). |
+| `DEPS` | `list[str]` | `[]` | Dep recipes deployed/provisioned alongside (e.g. `["keycloak"]`); creds land in `$CCCI_DEPS_FILE`. |
+| `WARM_CANONICAL` | `bool` | `False` | Enroll the recipe in the warm/canonical app system (docs/warm.md): green cold runs on LATEST advance the canonical snapshot. |
+| `SCREENSHOT` | `hook` | `None` | Callable `(page, ctx)` driving Playwright to a safe, credential-free post-login view for the results-card screenshot (default: landing page). |
+| `UPGRADE_SECRET_PREP` | `hook` | `None` | Callable `(ctx)` invoked after UPGRADE_EXTRA_ENV env_set but before `abra secret generate --all` in the upgrade path. Use to pre-insert secrets that `generate --all` would produce with wrong format (e.g. when the .env.sample spec is commented out). |
+
+<!-- META-TABLE-END -->
+
+### 4.1 The uniform hook convention — `HookCtx`
+
+Every recipe callable takes a single `ctx` argument (`harness/meta.py::HookCtx`, frozen):
+
+| Field | Meaning |
+|---|---|
+| `ctx.domain` | the app's per-run domain |
+| `ctx.base_url` | `https://<domain>` |
+| `ctx.meta` | the recipe's full `RecipeMeta` |
+| `ctx.deps` | provisioned dep creds (`{dep_recipe: entry}`) or `None` |
+| `ctx.op` | current lifecycle op (`install`/`upgrade`/`backup`/`restore`) or `None` |
+
+Signatures: `EXTRA_ENV(ctx)`, `UPGRADE_EXTRA_ENV(ctx)`, `READY_PROBE(ctx)`, `BACKUP_VERIFY(ctx)`,
+`SCREENSHOT(page, ctx)`, ops.py `pre_<op>(ctx)`. Dict-valued `EXTRA_ENV`/`UPGRADE_EXTRA_ENV`
+(non-callable) are still fine — only the callable form takes ctx. The loader enforces the
+parameter names at load time (a pre-restructure `(domain)`/`(domain, meta)` hook gets a pointed
+`MetaError`, not a mid-run crash).
+
+Worked hook examples: cryptpad (`EXTRA_ENV(ctx)` derives `SANDBOX_DOMAIN` from `ctx.domain`),
+mumble (`READY_PROBE(ctx)` TCP voice-port probe, `UPGRADE_EXTRA_ENV(ctx)` adds a head-only compose
+overlay), ghost/discourse (`BACKUP_VERIFY(ctx)` dump-capture check).
+
+## 5. Writing custom tests & hooks
+
+### 5.1 Lifecycle overlay assertions — `test_<op>.py`
+
+One pytest file per lifecycle op (`install` / `upgrade` / `backup` / `restore`). The
+**orchestrator performs the op exactly once**; the overlay only *asserts* on the resulting state
+(HC3 op/assertion split — overlays never deploy, never restore, never mutate). The generic floor
+test runs additively against the same state.
+
+Conventions (see `tests/immich/test_backup.py` etc.):
+- use the `live_app` fixture (asserts `CCCI_APP_DOMAIN` is set, yields the domain)
+- use the `meta` fixture — the recipe's FULL validated `RecipeMeta` (attribute access)
+- use the `op_state` fixture for op context (versions, `snapshot_id`, artifact paths — the
+  orchestrator's run-scoped op record; skips with a clear reason outside an orchestrator run)
+- execute in-container checks via `harness.lifecycle.exec_in_app(domain, service, cmd)`
+
+### 5.2 Pre-op seed hooks — `ops.py`
+
+`def pre_<op>(ctx)` callables, imported and called by the orchestrator **before** performing the
+op. This is where data gets seeded so the post-op overlay can assert on it:
+
+```python
+# tests/immich/ops.py (pattern)
+def pre_upgrade(ctx):  _psql(ctx.domain, "INSERT ... 'upgrade-survives'")
+def pre_backup(ctx):   _psql(ctx.domain, "INSERT ... 'original'")
+def pre_restore(ctx):  _psql(ctx.domain, "DROP TABLE ci_marker")  # damage, restore must undo
+```
+
+Seed → op → assert is the whole pattern: `pre_backup` writes a marker, the orchestrator backs up,
+`pre_restore` destroys it, the orchestrator restores, `test_restore.py` asserts the marker is back.
+
+### 5.3 Custom tier — canonical `custom/`
+
+All custom-tier tests live under `tests/<recipe>/custom/` (discovery: `discovery.custom_tests`;
+the placement rule, §3). Deprecated `functional/` and `playwright/` dirs are still recognized
+with a warning during the migration window. Custom tests run in the CUSTOM tier, after
+restore, against the post-upgrade (PR-head) app. ALL discovered files run — cc-ci's and (if
+HC2-approved) repo-local's, additively.
+
+Enrollment contract (`docs/enroll-recipe.md`): ≥2 NEW custom tests beyond ports of existing
+upstream checks; ported tests carry `SOURCE:` comments. Browser-driven custom tests get the shared
+browser/harness helpers (`harness.browser`); SSO recipes get `harness.sso`
+(`setup_keycloak_realm` — idempotent, `oidc_password_grant` — provider-pluggable). The documented
+import toolbox for custom tests is `from harness import lifecycle, sso, browser`.
+
+Tests needing deps use the `deps` fixture (entries expose `.domain` plus the full creds dict) and
+carry `@pytest.mark.requires_deps` — when dep provisioning failed they skip with reason
+`deps-not-ready` and the skip count is reported and FAILS a declared-deps run (F2-11; a green exit
+must not mask an unrun SSO test). Fixtures replace direct `os.environ` reads — after the
+restructure no recipe test parses env by hand.
+
+### 5.4 Pre-deploy shell hook — `install_steps.sh`
+
+The ONLY shell hook. Runs after `abra app new` + `EXTRA_ENV` application + secret generation,
+**before** the single base deploy. For setup that must precede the first deploy: writing extra
+config files into the recipe checkout, editing `.env` beyond simple key=val, and — for recipes
+with `DEPS` — wiring dep-derived OIDC env into the deploy (deps are always provisioned BEFORE the
+deploy; install-time wiring is the only mode, so there is exactly one deploy and no post-deploy
+redeploy hook).
+
+Env contract: `CCCI_APP_DOMAIN`, `CCCI_RECIPE`, `CCCI_APP_ENV` (path to the app's `.env`), and —
+when `DEPS` is declared — `CCCI_DEPS_FILE` (jq-readable JSON of dep creds/URLs; see
+lasuite-drive/-meet/-docs for the pattern). Must locate the recipe checkout ABRA_DIR-aware:
+`RECIPE_DIR="${ABRA_DIR:-${HOME}/.abra}/recipes/${CCCI_RECIPE}"` (per-run `ABRA_DIR` since the
+concurrency restructure — a hardcoded `~/.abra` writes to the wrong tree).
+
+Graceful-generic rule: a recipe needing a hook but not shipping one simply fails the generic
+install — a correct reported outcome, not a harness error.
+
+### 5.5 CI-only compose overlay — `compose.ccci.yml`
+
+**First-class:** if `tests/<recipe>/compose.ccci.yml` exists, the harness itself copies it into
+the recipe checkout (ABRA_DIR-aware) before the base deploy and automatically uses `--chaos` for
+that deploy (the untracked file would otherwise trip abra's clean-tree gate). No
+`install_steps.sh` copy boilerplate, no flag to remember (the old `CHAOS_BASE_DEPLOY` ⇄ overlay
+coupling is gone). The overlay is cc-ci-owned only.
+
+Policy (phase prevb): `compose.ccci.yml` is **ENVIRONMENTAL-only** — node-reality tweaks that must
+apply to EVERY deploy including the PR head (e.g. ghost's 15m `start_period` grace — a literal,
+because abra validates `start_period` before env substitution; discourse's `order: stop-first` for
+the memory-tight upgrade crossover). It MUST NOT carry version-specific image pins or service
+add/drop — those leak onto the head and mask the change under test. Version-specific base repairs go
+in `previous/` (§5.5b). Reference the overlay from `EXTRA_ENV`'s `COMPOSE_FILE` as usual.
+
+### 5.5b Previous-version base repair — `tests/<recipe>/previous/`
+
+> **Prefer NOT to use this — it is a last resort.** The mechanism exists so that, when updating a
+> recipe's tests, you *can* bring up a previous base that won't deploy as-published. But reach for it
+> only after the dynamic base (last-green → main-tip) has genuinely failed to come up. Every `previous/`
+> you add re-introduces the per-version patching treadmill the dynamic base was designed to remove, so
+> the bar is **"the base will not deploy any other way."** Most recipes — including discourse, the case
+> that motivated this — need NONE. When in doubt, don't add one.
+
+Optional. The MINIMAL config to deploy the *previous (last-green) version* when it can't deploy
+as-published (e.g. an image relocation `bitnami/* → bitnamilegacy/*`, or an era-specific
+service/env). Applied to the **base deploy ONLY** and stripped before the head redeploy, so the PR
+head runs UNMODIFIED.
+
+- Layout: `tests/<recipe>/previous/compose.previous.yml` (+ a one-line `previous/VERSION` marker
+  declaring the published version it targets). Appended to the base deploy's `COMPOSE_FILE`.
+- **Version-guarded:** applied only when the resolved base equals `previous/VERSION`. On a main-tip
+  (ref) base or a version mismatch it is **skipped and flagged stale** (`previous/ targets X, base is
+  Y — remove it`). After an upgrade PR merges (new last-green), remove the now-stale folder — keep it
+  to ~one version, never an accumulating pile.
+- Keep it minimal and add one only where necessary. Most recipes (incl. discourse) need NONE — the
+  dynamic base (last-green/main-tip) deploys clean. Symbols: `lifecycle.previous_status` /
+  `provide_previous_overlay` / `remove_previous_overlay`.
+
+### 5.6 Environment & fixture contract (what custom code can read)
+
+Pytest fixtures (`tests/conftest.py` — the single fixture file):
+
+| Fixture | Yields |
+|---|---|
+| `recipe` | the recipe name (`$RECIPE`) |
+| `meta` | the FULL validated `RecipeMeta` (single loader) |
+| `live_app` | the shared deployment's domain (asserts it exists) |
+| `op_state` | the orchestrator's op-context dict (skips cleanly outside a run) |
+| `deps` | `{dep_recipe: entry}` — entries expose `.domain` + full SSO creds |
+
+Environment (hooks/shell, and approved repo-local code):
+
+| Var | Set for | Meaning |
+|---|---|---|
+| `CCCI_APP_DOMAIN` | all tests + hooks | the app's per-run domain |
+| `CCCI_BASE_URL` | approved repo-local code | `https://<domain>` |
+| `CCCI_RECIPE`, `CCCI_APP_ENV` | `install_steps.sh` | recipe name, app `.env` path |
+| `CCCI_OP_STATE_FILE` | overlay tests (via `op_state`) | JSON op context (versions, artifacts) |
+| `CCCI_DEPS_FILE` | `install_steps.sh` + harness | JSON dep creds dict |
+| `CCCI_DEPS_READY` / `CCCI_DEPS_NOT_READY_REASON` | custom tier (via `requires_deps`) | gate SSO tests, skip-with-reason |
+
+## 6. Run-model context (what the settings plug into)
+
+One deploy chain per run (full detail: `docs/testing.md` §2):
+
+```
+[DEPS? provision deps FIRST → $CCCI_DEPS_FILE]
+deploy BASE (dynamic: last-green → same-version step-back → main-tip → skip; EXTRA_ENV;
+             install_steps.sh; compose.ccci.yml [environmental] auto-copied + auto-chaos;
+             tests/<recipe>/previous/ [version-specific, base-ONLY] applied if it matches the base)
+  → INSTALL tier   (READY_PROBE; generic + overlay asserts)
+  → pre_upgrade(ctx) → strip previous/ + chaos-deploy PR HEAD (UPGRADE_EXTRA_ENV)
+                       → reconcile stack to head compose (prune services the head dropped)
+  → UPGRADE tier   (READY_PROBE; version-label == head_ref)
+  → pre_backup(ctx) → backup       (BACKUP_CAPABLE; BACKUP_VERIFY)
+  → BACKUP tier
+  → pre_restore(ctx) → restore
+  → RESTORE tier
+  → CUSTOM tier    (custom/; deps via the `deps` fixture)
+  → SCREENSHOT (best-effort, never affects the verdict)
+  → teardown (deps LAST)
+```
+
+Deploy-count guard (DG4.1): exactly `1 + len(DEPS)` deploys per run (chaos redeploys don't
+count); the per-run counter file is keyed by run since the concurrency restructure.
+
+## 7. Local iteration, the manifest, and the dev-only escape hatch
+
+```
+RECIPE=<recipe> PR=<n> REF=<sha> SRC=recipe-maintainers/<recipe> \
+  STAGES=install,upgrade,backup,restore,custom \
+  cc-ci-run runner/run_recipe_ci.py
+```
+
+(`docs/enroll-recipe.md` §5 for the full loop, including dep teardown caveats.)
+
+**Customization manifest.** Every run prints, right after meta load + discovery, one block:
+
+```
+===== customization manifest: <recipe> =====
+meta (non-default): DEPLOY_TIMEOUT=1500 DEPS=['keycloak'] EXTRA_ENV='<hook>'
+hooks: ops.py[pre_backup,pre_upgrade](cc-ci) install_steps.sh(cc-ci) compose.ccci.yml(cc-ci)
+overlays: test_backup.py(cc-ci) test_restore.py(repo-local)
+custom tests: custom/=7 (cc-ci)
+env overrides: (none)
+```
+
+The same dict is embedded in `results.json` under `"customization"`. It is pure presentation —
+built from the SAME discovery/meta calls the run uses (so it cannot disagree with what executes,
+and it honors the HC2 gate) — and never influences a verdict.
+
+**Dev-only generic skip.** `CCCI_SKIP_GENERIC=1` (all ops) / `CCCI_SKIP_GENERIC_<OP>=1` (one op)
+suppress the generic floor — a LOCAL-DEV-ONLY escape hatch for iterating on one tier. There is no
+declarative equivalent (the old `SKIP_GENERIC` meta key is deleted). If the env form is active in
+a CI (drone) run, the run prints a loud `!!` warning and the manifest records it.
+
+## 8. Restructure outcomes (the review spec's R1–R9)
+
+How each defect identified in the review spec (commit `76a4b6b` §8) was resolved:
+
+- **R1 — six divergent meta loaders → RESOLVED.** One registry-backed loader
+  (`harness/meta.py::load`), the only `exec()` of `recipe_meta.py`. The orchestrator loads once
+  and passes the `RecipeMeta` down; conftest/lifecycle/deps/canonical all read the one object.
+- **R2 — dead `SCREENSHOT` knob → RESOLVED (kept + fixed).** The registry replaced the allowlist
+  that orphaned it; the orchestrator path now delivers the hook to `screenshot.py`
+  (proven end-to-end by `tests/unit/test_screenshot.py::test_screenshot_reachable_through_real_load_path`).
+- **R3 — 4-key pytest `meta` fixture → RESOLVED.** The fixture returns the full validated
+  `RecipeMeta`.
+- **R4 — three config languages → MITIGATED by the manifest** (§7): the surfaces stay (they serve
+  different actors), but every run resolves them into one visible block + results key.
+- **R5 — reference-doc drift → RESOLVED.** §4's key table is generated from the registry
+  (`scripts/gen-meta-docs.py`); a unit test fails CI on drift; `testing.md`/`enroll-recipe.md`
+  point here instead of keeping partial lists.
+- **R6 — silent typos → RESOLVED.** Unknown ALL-CAPS keys and type mismatches are hard
+  `MetaError`s; private constants are underscore-prefixed (exempt).
+- **R7 — `compose.ccci.yml` ⇄ `CHAOS_BASE_DEPLOY` coupling → RESOLVED.** The overlay is
+  first-class: harness-copied, auto-chaos. The flag is deleted.
+- **R8 — zero-user `SKIP_GENERIC` meta key → RESOLVED (deleted).** Env form remains, documented
+  dev-only, loudly flagged in CI runs (§7).
+- **R9 — `recipe_meta.py` is code, not config → REJECTED by decision.** No data/hooks file split:
+  registry validation gets the value (typed, validated keys) at lower cost; one file per recipe
+  remains the single config place. The expressiveness need is real (cryptpad derives env from the
+  per-run domain).
+
+Also settled in the restructure: install-time deps provisioning is the ONLY mode (the legacy
+post-deploy `setup_custom_tests.sh` machinery and its extra redeploy are deleted); the custom-test
+placement rule (§3); the uniform ctx hook convention (§4.1); the consolidated fixture surface
+(§5.6 — `deps` replaces `deps_apps`+`deps_creds`; dead `deployed`/`deployed_app`/`app_domain`
+fixtures deleted).
+
+## 9. File / symbol index
+
+| Concern | Where |
+|---|---|
+| THE meta loader + key registry + `HookCtx` + `MetaError` | `runner/harness/meta.py` (`load`, `KEYS`, `check_hook_signature`) |
+| Generated key table | `scripts/gen-meta-docs.py` → §4 above (sync pinned by `tests/unit/test_meta.py`) |
+| Customization manifest | `runner/harness/manifest.py` (`build`, `render`), printed by `runner/run_recipe_ci.py` |
+| Overlay/custom/hook discovery + HC2 gate + placement rule | `runner/harness/discovery.py` |
+| HC2 allowlist | `tests/repo-local-approved.txt` |
+| Generic assertions + `BACKUP_CAPABLE` detect | `runner/harness/generic.py` |
+| `compose.ccci.yml` auto-copy + auto-chaos | `runner/harness/lifecycle.py` (`provide_ccci_overlay`, `deploy_app`) |
+| Dynamic upgrade base (last-green → main-tip → skip) | `runner/run_recipe_ci.py` (`resolve_upgrade_base`, `BasePlan`); `runner/harness/lifecycle.py` (`recipe_branch_commit`) |
+| `previous/` discovery + version-guard + base-only apply + head strip | `runner/harness/lifecycle.py` (`previous_status`, `provide/remove_previous_overlay`); `tests/unit/test_previous.py` |
+| `READY_PROBE` consumption | `runner/harness/lifecycle.py` (`wait_ready_probes`) |
+| `EXPECTED_NA` reporting | `runner/harness/results.py` |
+| `SCREENSHOT` consumer | `runner/harness/screenshot.py` |
+| Fixtures (`recipe`/`meta`/`live_app`/`op_state`/`deps`) + F2-11 skip-report | `tests/conftest.py` |
+| Skip-generic env logic (dev-only) | `runner/run_recipe_ci.py` (`_skip_generic`) |
+| Unit tests pinning all of the above | `tests/unit/test_meta.py`, `test_manifest.py`, `test_discovery*.py` |
+| Worked examples | `tests/ghost/` (overlay+compose.ccci.yml), `tests/mumble/` (TCP probe, UPGRADE_EXTRA_ENV, private `_` constants), `tests/lasuite-drive/` (DEPS + install-time OIDC wiring), `tests/immich/` (ops.py seed pattern) |

docs/results-ux.md

@@ -10,12 +10,9 @@ It is the R8 reference for Phase 3 (`plan-phase3-results-ux.md`).
 
 ---
 
-## 1. The level ladder (R1)
+## 1. The level ladder (phase lvl5 semantics, operator-decided 2026-06-11)
 
-Every run earns a single integer **level 0–6**. The ladder is cumulative with **YunoHost
-gap-caps-the-level** semantics: you earn level `L` only if **every rung 1..L was a clean PASS**. The
-first rung that is not a clean PASS — a real **FAIL** *or* genuinely **N/A** for this recipe — stops
-the climb, and `level_cap_reason` records which rung and why.
+Every run earns a single integer **level 0–5** over the FIVE essential rungs:
 
 | Level | Rung | Earned when |
 |------:|------|-------------|
@@ -24,42 +21,52 @@ the climb, and `level_cap_reason` records which rung and why.
 | **L2** | upgrade | previous published version → PR/latest, stays healthy, data intact. |
 | **L3** | backup/restore | seeded data survives backup → wipe → restore. |
 | **L4** | functional | the recipe-specific functional tests pass. |
-| **L5** | integration | SSO/OIDC + cross-app integration tests pass. |
-| **L6** | recipe-local | the recipe repo's own `tests/` (D4) pass and are merged. |
+| **L5** | lint | `abra recipe lint` passes against the exact ref under test. |
 
-**N/A caps, fairly.** A rung that does not apply to a recipe (only one published version → no
-upgrade; not backup-capable; no SSO/integration surface; no recipe-local tests) is **N/A**, which
-caps the climb at the rung below it with a recorded reason — it is *not* counted as a failure. This is
-the only fair reading of "a missing lower rung caps the level": e.g. a recipe with **no integration
-surface caps at L4 by definition**, shown as `level_cap_reason = "L5 integration … N/A"`. A stateless
-app whose functional tests pass but which cannot be backed up is honestly capped at **L2** (`"L3
-backup/restore … N/A"`) rather than shown as L4 — understating is safe; overstating is forbidden.
+Each rung has one of FOUR statuses, and the level is:
 
-Worked examples (real runs):
-- `uptime-kuma` — install+upgrade+backup+restore+functional all pass, no SSO surface → **L4**
-  (`cap = "L5 integration (SSO/OIDC + cross-app) N/A"`).
-- `custom-html-tiny` — stateless, not backup-capable: install+upgrade pass, backup/restore N/A →
-  **L2** (`cap = "L3 backup/restore (data integrity) N/A"`).
+    level = the highest rung that PASSED, where every rung below it is "pass" or an intentional skip
+
+- **pass / fail** — the rung was exercised. A FAIL blocks: no rung above it counts, however green.
+- **skip (intentional)** — the rung *genuinely does not apply*, from a declared or structural fact:
+  not backup-capable (declared), only one published version (no upgrade target), or a declared
+  `EXPECTED_NA`. Intentional skips are **climbed past** — a stateless recipe with passing
+  functional tests and a clean lint reaches **L5**, not the old "capped at 2".
+- **unver (unverified)** — the rung *should* have run but didn't: infra error, missing tool,
+  harness exception, prior-stage abort, timeout. **The level cannot rise above an unverified
+  rung** — it blocks exactly like a fail (we never claim what we didn't check). Anything
+  unclassifiable defaults to unver (conservative).
+
+There is **no capping concept** (no `cap_reason`, no `capped`): the per-rung table
+(✔ / ✘ / intentional-skip / unverified) on the card and in `results.json.rungs` is the sole
+carrier of "why isn't this level higher". Worked examples:
+
+- install ✔, upgrade ✘, backup ✔, functional ✔, lint ✔ → **level 1** (fail blocks).
+- install ✔, upgrade ✔, backup skip (not capable), functional ✔, lint ✔ → **level 5**.
+- install ✔, upgrade ✔, backup unver (harness error), functional ✔, lint ✔ → **level 2**.
+- all four ✔, lint unver (abra missing) → **level 4** (an unverified top rung isn't earned).
+
+Integration (SSO/OIDC + cross-app) and recipe-local tests are **optional capabilities**, not
+rungs — they never affect the level (SSO remains enforced for the run VERDICT).
 
 ### How tiers map to rungs (the translation layer)
 
 `run_recipe_ci.py` holds the run's per-tier results (`install/upgrade/backup/restore/custom`) +
-deps/SSO signals; `runner/harness/results.py::derive_rungs` maps them to the rung-status dict that
-`runner/harness/level.py::compute_level` scores. The mapping (also in `DECISIONS.md`, Phase 3):
+structural signals; `runner/harness/results.py::derive_rungs` maps them to the rung-status dict
+that `runner/harness/level.py::compute_level` scores. The full intentional-vs-unintentional
+classification table for every N/A source is in `machine-docs/DECISIONS.md` (phase lvl5). Summary:
 
-- **install** ← install tier (pass/fail).
-- **upgrade** ← upgrade tier; `skip` → **na** (only one published version).
+- **install** ← install tier (pass/fail; a non-run is unver — install always applies).
+- **upgrade** ← upgrade tier; tier skipped with no upgrade target (single published version,
+  structural) → skip; declared `EXPECTED_NA` → skip; otherwise unver.
 - **backup_restore** ← backup AND restore tiers both pass → pass; either fail → fail; not
-  backup-capable → **na**.
-- **functional** ← the custom tier minus its SSO tests; a custom failure conservatively fails this
-  rung (we don't split functional-vs-SSO failure → never inflate); no custom tests → **na**.
-- **integration** ← applies only if the recipe declares deps; pass iff deps wired and SSO verified and
-  custom didn't fail; recipes with no declared deps → **na** (the "caps at L4" rule).
-- **recipe_local** ← the recipe repo's own `tests/` (discovery source `repo-local`) ran and passed;
-  none present → **na**.
-
-The pure scorer is exhaustively unit-tested + fuzz-verified (all 729 rung combinations: level ==
-count of leading consecutive passes, zero inflation).
+  backup-capable (structural/declared) → skip; unverified-while-capable → unver.
+- **functional** ← the custom tier; a custom failure conservatively fails this rung; no custom
+  tests is a coverage GAP → unver, unless declared `EXPECTED_NA["functional"]` → skip.
+- **lint** ← the lint executor (`runner/harness/lint.py`): `abra recipe lint` on a pristine
+  scratch clone of the run's recipe tree at the exact tested sha, 60s hard budget, full output in
+  the run artifact `lint.txt`. pass/fail only — when lint can't run the rung is **unver** (never
+  a silent pass, never an intentional skip). Lint never changes the run verdict.
 
 ### Invariant flags (shown, not climbed)
 
@@ -77,19 +84,29 @@ build number, or the run's unique app domain for a hand-run). Schema:
 
 ```json
 {
-  "schema": 1, "run_id": "...", "recipe": "...", "version": "...", "pr": "...", "ref": "...",
+  "schema": 2, "run_id": "...", "recipe": "...", "version": "...", "pr": "...", "ref": "...",
   "finished": 0.0,
-  "level": 4, "level_cap_reason": "L5 integration (SSO/OIDC + cross-app) N/A",
-  "rungs": {"install":"pass","upgrade":"pass","backup_restore":"pass","functional":"pass",
-            "integration":"na","recipe_local":"na"},
+  "level": 5,
+  "rungs": {"install":"pass","upgrade":"pass","backup_restore":"skip","functional":"pass",
+            "lint":"pass"},
+  "lint": {"status":"pass","detail":"","rules_failed":[]},
+  "skips": {"intentional": {"backup_restore": "not backup-capable (no backupbot labels / declared)"},
+            "unintentional": []},
   "stages": [{"name":"install","status":"pass",
               "tests":[{"name":"test_serving","status":"pass","ms":168,"source":"generic"}]}],
-  "results": {"install":"pass","upgrade":"pass","backup":"pass","restore":"pass","custom":"pass"},
+  "results": {"install":"pass","upgrade":"pass","backup":"skip","restore":"skip","custom":"pass"},
   "flags": {"clean_teardown": true, "no_secret_leak": true},
   "screenshot": "screenshot.png", "summary_card": "summary.png"
 }
 ```
 
+`rungs` carries the four-status vocabulary above; `skips.intentional` maps each intentionally
+skipped rung to its (declared or structural) reason and `skips.unintentional` lists the
+unverified rungs. `lint` carries the L5 rung outcome + failing rule ids; the full
+`abra recipe lint` output is served at `/runs/<run_id>/lint.txt`. Pre-lvl5 artifacts
+(`"schema": 1`, 4-rung ladder, `level_cap_reason`/`level_cap_rung` present, `"na"` statuses)
+are still rendered as-is by the dashboard/card — their stored level is never recomputed.
+
 Assembly is **best-effort**: a failure to build/write `results.json` is logged but never changes the
 run's exit code (cosmetics never block the pipeline, R7).
 

docs/runbook.md

@@ -32,9 +32,11 @@ curl -s -H "Authorization: Bearer $DT" --proxy socks5h://localhost:1055 \
   from the private mirror origin. All recipe-touching harness calls pass `-C -o` (chaos+offline);
   `recipe_versions`/upgrade use the upstream tags fetched read-only at clone time. If you see this,
   a new abra call is missing `-o`.
-- **upgrade stage SKIPPED ("no previous published version"):** the recipe clone has no version tags.
-  `fetch_recipe` read-only-fetches them from the public upstream (`git.coopcloud.tech/coop-cloud/<r>`);
-  confirm the upstream has ≥2 tags (`git ls-remote --tags`).
+- **upgrade stage SKIPPED:** the dynamic base resolved to `skip` (phase prevb) — no last-green warm
+  canonical AND no resolvable `main` tip, or `head == main tip` (no predecessor delta), or a declared
+  `EXPECTED_NA[upgrade]`. The run log prints the exact reason (`upgrade base: kind=skip … SKIP: <reason>`).
+  For a recipe that should upgrade from `main`, confirm the per-run clone has `origin/main` (or
+  `origin/master`) and that it differs from the PR head (`resolve_upgrade_base` in `run_recipe_ci.py`).
 - **health wait hangs / 502:** the app isn't answering `HEALTH_PATH` yet. Slow apps (keycloak JVM +
   Liquibase, lasuite 9-service) just need time; raise `DEPLOY_TIMEOUT`/`HTTP_TIMEOUT` in
   `recipe_meta.py`. A persistent 502 with services 1/1 = wrong `HEALTH_PATH` (e.g. keycloak needs

docs/testing.md

@@ -16,12 +16,13 @@ year from now, this is the one rule that should still hold.
   ship as the floor for every recipe. No SSO provider, no external deps, no per-recipe state
   scaffolding — just "does this recipe deploy and lifecycle work?"
 - **Generic must not depend on custom.** A custom test or a custom-tests setup (e.g. SSO/OIDC dep
-  provisioning) **can never be a precondition for the generic tier to pass.** Concretely: the
-  orchestrator runs all generic tiers (install → upgrade → backup → restore) against the recipe
-  **alone, with no deps deployed**, then runs the `setup_custom_tests` step (deps + post-deps
-  wiring) only after — and a failure there is **isolated** to the custom tier (tests tagged
-  `@pytest.mark.requires_deps` skip with reason `"deps-not-ready"`; generic tier reports
-  normally). See `cc-ci-plan/plan-sso-dep-testing.md` for the SSO-dep specifics.
+  provisioning) **can never be a precondition for the generic tier to pass.** Concretely: deps are
+  provisioned BEFORE the single deploy (so `install_steps.sh` can wire OIDC env into that one
+  deploy), but a dep-provisioning failure is **isolated** to the custom tier — the recipe still
+  deploys alone, every generic tier (install → upgrade → backup → restore) runs normally, and
+  tests tagged `@pytest.mark.requires_deps` skip with reason `"deps-not-ready"` (a counted,
+  reported skip — F2-11). A deps failure can never fail or block a generic tier. See
+  `cc-ci-plan/plan-sso-dep-testing.md` for the SSO-dep specifics.
 - **Custom tests are the thoroughness layer — and they cost more to maintain.** They're more
   thorough (authenticated APIs, multi-app flows, version-specific browser selectors, helper
   scripts, state-management) and *therefore* take more maintenance: an SSO provider's admin API
@@ -47,8 +48,9 @@ once**; the assertion files (generic and overlay) evaluate the *post-op* state a
 op themselves. Asserted every run: **`deploy-count = 1`** (one `abra app new`).
 
 ```
-deploy ONCE  (base version: the previous published version when an upgrade tier will run and one
-              exists — so upgrade is a real previous→PR-head; else the target / current PR head)
+deploy ONCE  (base version, resolved DYNAMICALLY when the upgrade tier runs: last-green (warm
+              canonical) → target-branch `main` tip → else skip — so upgrade is a real
+              predecessor→PR-head; else the target / current PR head. phase prevb)
   → INSTALL    [optional pre_install seed]   then  generic + overlay assertions   (no op)
   → UPGRADE    [optional pre_upgrade seed]   then  abra app deploy --chaos to PR-head      (op once)
                                              then  generic + overlay assertions
@@ -113,9 +115,12 @@ repo-local  <recipe-repo>/tests/test_<op>.py     (upstream-authoritative; gated
 Only ONE overlay source wins for a given op (repo-local > cc-ci); the generic floor runs **in
 addition** unless explicitly opted out.
 
-**Custom (non-lifecycle) `test_*.py`** — any other `test_*.py` (e.g. `test_sso.py`) is **opt-in and
-additive**: it has no generic equivalent and runs only when present, discovered from both locations
-(repo-local gated by the HC2 allowlist).
+**Custom (non-lifecycle) tests** — e.g. `custom/test_sso.py` — are **opt-in and additive**:
+they have no generic equivalent and run only when present, discovered from both locations
+(repo-local gated by the HC2 allowlist). Placement rule: custom tests live under canonical
+`custom/`; deprecated `functional/` and `playwright/` aliases are still discovered with a loud
+warning so old recipe trees are not silently dropped. A top-level `test_*.py` is a lifecycle
+overlay and nothing else (top-level non-lifecycle files are not discovered).
 
 ### Pre-op seed hooks (per-recipe `ops.py`)
 
@@ -127,35 +132,38 @@ etc.). Since the orchestrator owns the op, overlays place their seed in an optio
 # tests/<recipe>/ops.py
 from harness import lifecycle
 
-def pre_upgrade(domain, meta):
+def pre_upgrade(ctx):
     # seed a marker before the harness performs the upgrade
-    lifecycle.exec_in_app(domain, ["sh", "-c", "echo upgrade-survives > /path/marker"])
+    lifecycle.exec_in_app(ctx.domain, ["sh", "-c", "echo upgrade-survives > /path/marker"])
 
-def pre_backup(domain, meta):
+def pre_backup(ctx):
     # establish a known "original" state before the backup op captures it
-    lifecycle.exec_in_app(domain, ["sh", "-c", "echo original > /path/marker"])
+    lifecycle.exec_in_app(ctx.domain, ["sh", "-c", "echo original > /path/marker"])
 
-def pre_restore(domain, meta):
+def pre_restore(ctx):
     # diverge from the backed-up state so a successful restore is observable
-    lifecycle.exec_in_app(domain, ["sh", "-c", "echo mutated > /path/marker"])
+    lifecycle.exec_in_app(ctx.domain, ["sh", "-c", "echo mutated > /path/marker"])
 ```
 
 The orchestrator imports `ops.py` in-process (with the recipe dir on `sys.path`, so it can import
-sibling helpers like `kc_admin.py`) and calls `pre_<op>(domain, meta)` immediately before performing
-the op. Then `test_<op>.py` asserts the post-op state. See `tests/custom-html/` (volume marker),
+sibling helpers like `kc_admin.py`) and calls `pre_<op>(ctx)` immediately before performing the
+op — `ctx` is the uniform `HookCtx` every recipe hook receives (`.domain`, `.base_url`, `.meta`,
+`.deps`, `.op` — `docs/recipe-customization.md` §4.1). Then `test_<op>.py` asserts the post-op
+state. See `tests/custom-html/` (volume marker),
 `tests/keycloak/` (admin-API/realm), `tests/matrix-synapse/`, `tests/lasuite-docs/` (psql in the `db`
 service) for worked examples.
 
-### Opting out of the generic floor
+### Opting out of the generic floor (LOCAL-DEV-ONLY)
 
-The generic runs additively by default. To skip it (e.g. when an overlay's recipe-specific check
-fully replaces the generic's mechanism check) set, in increasing specificity:
+The generic runs additively by default and there is **no declarative opt-out** — no recipe can
+ship without the floor. For local iteration only (e.g. re-running one tier while developing an
+overlay), two env escape hatches exist:
 
 - **env `CCCI_SKIP_GENERIC=1`** — skip generic for ALL ops (run-wide).
 - **env `CCCI_SKIP_GENERIC_<OP>=1`** — e.g. `CCCI_SKIP_GENERIC_UPGRADE=1` — skip generic for that one op.
-- **declarative in `recipe_meta.py`** — `SKIP_GENERIC = ["upgrade"]` (per-op) or `SKIP_GENERIC = ["all"]`.
 
-Opting out is per-recipe and visible in git — not a hidden global. Truthy = `1`/`true`/`yes`/`on`.
+Truthy = `1`/`true`/`yes`/`on`. If either is active in a CI (drone) run, the run prints a loud
+`!!` warning and the customization manifest records it (`docs/recipe-customization.md` §7).
 
 ## Repo-local trust gate (HC2) — default-deny
 
@@ -194,7 +202,12 @@ server's content volume — without it the generic install fails 404, with it it
 
 Concretely, the upgrade tier:
 
-1. base deployment is the **previous published version** (a clean pinned-tag deploy).
+1. base deployment is the **dynamically-resolved predecessor** (phase prevb): last-green (warm
+   canonical, pinned-tag deploy) → else the target-branch `main` tip (chaos deploy of the branch
+   HEAD — the real predecessor the PR merges onto) → else the upgrade tier is skipped. An optional
+   `tests/<recipe>/previous/` supplies version-specific repair to the base ONLY (stripped before the
+   head redeploy). (The old explicit `UPGRADE_BASE_VERSION` pin was removed in phase canon §2.G — the
+   dynamic last-green/step-back resolution makes it redundant.)
 2. orchestrator captures `head_ref` (preferring `$REF` — the PR head sha; falls back to the recipe
    checkout HEAD for non-PR `!testme`).
 3. on the upgrade tier: re-checkout the recipe to `head_ref` (the prev-tag base deploy reset the
@@ -215,12 +228,14 @@ installs and stays 1.
    `tests/custom-html/test_upgrade.py`). Assert the POST-op state — reading app state through
    `lifecycle.exec_in_app` (volume/DB) for data checks, not HTTP. Generic + your overlay both run.
 3. If the overlay needs to seed PRE-op state (data-continuity markers, the backup→restore
-   divergence), drop `tests/<recipe>/ops.py` with `pre_upgrade/pre_backup/pre_restore(domain, meta)`.
+   divergence), drop `tests/<recipe>/ops.py` with `pre_upgrade/pre_backup/pre_restore(ctx)`.
 4. If the recipe needs install-time setup, add `tests/<recipe>/install_steps.sh`.
-5. Set per-recipe knobs (health path, timeouts, opt-out) in `recipe_meta.py`.
+5. Set per-recipe knobs (health path, timeouts) in `recipe_meta.py`.
 6. **Never weaken or skip an assertion to make a run pass** — a red tier is information.
 
-Per-recipe config (`tests/<recipe>/recipe_meta.py`, all optional):
+Per-recipe config (`tests/<recipe>/recipe_meta.py`, all optional — the COMPLETE key reference is
+the generated table in `docs/recipe-customization.md` §4; unknown keys are hard errors, private
+constants are underscore-prefixed):
 
 ```python
 HEALTH_PATH = "/realms/master"   # path that returns a healthy status (default "/")
@@ -228,8 +243,7 @@ HEALTH_OK = (200,)               # acceptable status codes (default 200/301/302)
 DEPLOY_TIMEOUT = 600             # seconds for services to converge (default 600)
 HTTP_TIMEOUT = 600               # seconds for the app to answer (default 300)
 BACKUP_CAPABLE = True            # override backup-capability auto-detection (default: scan compose)
-EXTRA_ENV = {"KEY": "value"}     # or EXTRA_ENV(domain) -> dict; extra .env keys set at deploy
-SKIP_GENERIC = ["upgrade"]       # per-recipe declarative opt-out from generic ops ("all" = every op)
+EXTRA_ENV = {"KEY": "value"}     # or EXTRA_ENV(ctx) -> dict; extra .env keys set at deploy
 ```
 
 The harness self-tests for discovery / precedence / the HC2 allowlist live in `tests/unit/` (run:

machine-docs/BACKLOG-aoeng.md

@@ -0,0 +1,9 @@
+# BACKLOG — phase aoeng
+
+## Build backlog
+
+*(Builder-owned section — Adversary reads only)*
+
+## Adversary findings
+
+*(none yet)*

machine-docs/BACKLOG-aotest.md

@@ -0,0 +1,18 @@
+# BACKLOG — phase aotest
+
+## Build backlog
+
+- [x] Unit tests for: config load + defaults merge, kickoff-template assembly, phase machine
+      (advance/idempotent-complete/append-resumes), limit reset-banner parsing, WAITING-UNTIL/stall
+      parsing, claude+opencode activity detectors. — `tests/test_unit.py` (51 tests)
+- [x] Isolated live claude smoke through the harness (attach + status + down, cleaned up). —
+      `tests/smoke_claude.sh`
+- [x] Isolated live opencode smoke through the harness, dedicated non-4096 port, cleaned up. —
+      `tests/smoke_opencode.sh`
+- [x] Test runner: unit always + live smokes when backends available; README documented. —
+      `tests/run.sh`, README `## Testing`
+- All items complete at deliverable commit `cdcece9`; gate CLAIMED 2026-06-13T18:56Z.
+
+## Adversary findings
+
+*(none yet — awaiting Builder deliverable)*

machine-docs/BACKLOG-bsky.md

@@ -0,0 +1,18 @@
+# BACKLOG — phase bsky
+
+## Build backlog
+
+- [x] B1: Root-cause diagnosis — inspect recipe compose/entrypoint + actual `:0.4` image vs exact tags on cc-ci (2026-06-11)
+- [x] B2: Upstream research persisted to cc-ci-plan/upstream/bluesky-pds.md (plan repo f395247)
+- [x] B3: DECISIONS.md entry — pin choice (exact 0.4.219 over 0.5.1-main / digest pin), version label bump
+- [x] B4: Mirror PR branch `upgrade-0.3.0+v0.4.219` — compose.yml re-pin + label bump; open PR on recipe-maintainers/bluesky-pds
+- [x] B5: `!testme` on the PR → full lifecycle green (install/health, upgrade-path status justified, backup/restore, functional, L5 lint); record level under de-capped semantics + reconcile expected baseline
+- [x] B6: Screenshot on the green PR run — verify PNG real/representative/credential-free (Read it); SCREENSHOT hook only if needed
+- [x] B7: Claim M1 (root cause + green fix PR + screenshot verified)
+- [ ] B8: Close DEFERRED bluesky entries with pointers; JOURNAL note updating shot-phase N/A disposition
+- [ ] B9: Operator handoff summary in STATUS-bsky.md (what was wrong, what the PR changes, post-merge expectations incl. canonical/warm reseed)
+- [x] B10: Claim M2
+
+## Adversary findings
+
+(Adversary-owned)

machine-docs/BACKLOG-canon.md

@@ -0,0 +1,102 @@
+# BACKLOG — phase `canon`
+
+## Build backlog (Builder-owned)
+
+Milestone map → Definition of Done (§5). M1 = machinery + unit tests (Adversary cold-verifies the
+pieces). M2 = proven end-to-end in real CI.
+
+### M1 — machinery works locally, each piece proven
+
+- [x] **M1.1 Tagged-promote gate (§2.A).** Extend `should_promote_canonical` to ALSO require the
+      tested head version corresponds to a published release tag. Add a `tagged: bool` param computed
+      at the call site (`head_version in recipe_tags(recipe)`); keep the function pure. Untagged head
+      → no promote. Unit tests: enrolled+green+cold+not-ref+tagged → True; each missing condition
+      (incl. untagged) → False.
+- [x] **M1.2 Release-tag trigger + mirror-sync in the sweep (§2.C/§2.D).** New pure helper
+      `sweep_decision(recipe, latest_tag, canon_version)` → `run` | `skip:no-new-version` |
+      `skip:never-released`, keyed on `version_key` (NOT commit). Wire `nightly_sweep.sweep()` to, per
+      enrolled recipe: (1) faithful mirror-sync main+tags to upstream (reuse open-recipe-pr.sh
+      `--reconcile-only`, vendored into the repo for reproducibility); (2) compute latest release tag
+      vs canonical; (3) skip or run cold ON THE TAG (checkout tag + `CCCI_SKIP_FETCH=1`). Unit tests
+      for `sweep_decision` (new tag → run; equal → skip; older/no tag → skip).
+- [x] **M1.3 Enroll all recipes (§2.B).** Set `WARM_CANONICAL = True` in each of the 21 used-recipes
+      `tests/<r>/recipe_meta.py`. Leave fixtures (custom-html-*-bad, concurrency, regression) alone.
+- [x] **M1.4 Hollow-sweep fix (root cause).** Make the deployed sweep read the REAL tests/ + run
+      current code: set `CCCI_REPO=/etc/cc-ci` in the sweep service and run `nightly_sweep.py` from
+      the checkout (not the store copy). Deploy procedure pulls `/etc/cc-ci` before nixos-rebuild.
+- [x] **M1.5 Weekly timer (§2.F).** `nightly-sweep.nix` `OnCalendar` daily → weekly (one line),
+      `Persistent=true` (already set). Low-traffic slot.
+
+### M2 — proven end-to-end in real CI
+
+- [ ] **M2.1 Deploy** the M1 changes: `git -C /etc/cc-ci pull` + `nixos-rebuild switch`; verify host
+      health after.
+- [ ] **M2.2 Full sweep run** across the enrolled set on cc-ci: mirrors synced, canonicals promoted
+      for green recipes (records with correct version+commit), red recipes left intact, no-new-tag
+      recipes skipped. Per-recipe results log captured.
+- [ ] **M2.3 Determinism proof:** run the sweep a SECOND time immediately → every recipe SKIPS
+      (latest tag == canonical for all) = clean no-op, no CI rerun.
+- [ ] **M2.4 Tagged-promote proof:** a green run on an UNTAGGED state does NOT promote; a green run
+      on a TAGGED release DOES. Construct if the live set doesn't cover it.
+- [ ] **M2.5 Real (non-hollow) timer fire:** after a timer fire, canonicals have ADVANCED (evidence),
+      not exit-0 on an empty set.
+- [ ] **M2.6 samever orthogonality:** (a) no new tag (even with untagged commits on main) → SKIP, no
+      upgrade-tier run, no promote; (b) new tag → cold-test new tag, canonical(older)→new, promote.
+      Show step-back never fires inside the sweep.
+- [ ] **M2.7 Disk budget recorded;** all recipes enrolled (or documented exception in DECISIONS).
+- [ ] **M2.8 §2.G UPGRADE_BASE_VERSION retirement** — after plausible's canonical lands at 3.0.1:
+      remove the pin, confirm dynamic base resolves 3.0.1 + passes; if it holds, strip the key
+      (meta KEYS, resolver branch, docs, unit tests) + update bluesky-pds comment. Else KEEP with a
+      recorded reason in DECISIONS.
+
+## Notes
+- Order within M1: M1.1 → M1.2 (depend on version helpers) → M1.3/M1.4/M1.5 (config). Claim M1 only
+  when all unit tests green + tree clean + pushed.
+
+## Adversary findings
+
+- [x] **DEFECT-1 [adversary] (M2.2 results-label untrustworthy)** — CLOSED @16:14Z (M2 PASS). The
+  production timer fire labels honestly: gitea/bluesky show `GREEN-BUT-PROMOTE-FAILED` (NOT a false
+  `PASS (promoted)`), and the 16 `PASS (promoted)` labels each correspond to an on-disk canonical at the
+  tested tag (commit==tag re-derived for all 16). Label now derives from the registry, not rc. ↓ orig:
+  `nightly_sweep.sweep()` labelled `PASS (promoted)` off `rc==0`, but `promote_canonical` is non-fatal
+  (swallows its exception), so a FAILED promote on a green cold run still showed `PASS (promoted)`
+  though NO canonical was written. The per-recipe results log (DoD evidence "canonicals actually
+  promoted for the greens") was therefore misleading. Repro (run-1 evidence captured): `grep "WC5
+  promote failed" _sweep.log` vs `grep "PASS (promoted)" _sweep.log` — failed promotes appeared in
+  BOTH. Builder fix f94de22 derives the label from `canonical.read_registry(r).version == latest`
+  (PASS / GREEN-BUT-PROMOTE-FAILED / FAIL). **Close only after I re-run the sweep and confirm the
+  label matches the on-disk registry for every recipe.**
+- [x] **DEFECT-2 [adversary] (M2.2 promote path failing broadly)** — CLOSED @16:14Z (M2 PASS). The
+  faithful-install promote (f94de22) + fresh-seed teardown (ca89d44) + cold-dep lock-release (655a999)
+  fixed all 4 failure classes: 16 recipes promote clean (commit==tag re-derived), incl. ghost,
+  custom-html-tiny, drone (clean-promoted 11:50 in the post-fix sweep, no 600s timeout). Determinism
+  holds: the 2nd sweep SKIPs all 15 promoted-at-latest, only documented exceptions RUN. ↓ orig:
+  Run-1: 4 of 5 completed promotes FAILED across 4 modes though cold CI was green — ghost (`abra app
+  new` FATA dirty tree), bluesky-pds (missing `pds_plc_rotation_key`), custom-html-tiny (404, no
+  seeded index), drone (warm deploy timed out 600s). The bare `abra app deploy` in `promote_canonical`
+  lacked the cold install's wiring. Net-new canonical run-1 = 1 (cryptpad). Builder fix f94de22:
+  promote now does a faithful install (clean tree → provision deps → `deploy_app` w/ install_steps +
+  overlay + ready-probes). **Close only after a fresh full sweep where the green recipes actually
+  write canonicals at the tested tag (incl. the 4 failure classes), AND determinism (M2.3) holds
+  (run-twice → skip-all).** Note the drone 600s timeout may be node-contention, not wiring — watch it.
+- [x] **DEFECT-3 [adversary] (deployed nightly-sweep.service env missing git-lfs → manual-sweep env ≠
+  production-timer env)** — CLOSED @16:14Z (M2 PASS). Fix 2c61f2f prepends the host system PATH so the
+  sweep runs recipes in Drone's exact env: `nightly-sweep` ExecStart line 17 byte-matches
+  `drone-runner-exec.service` PATH; git-lfs present at `/run/current-system/sw/bin`. Behaviorally proven
+  in the REAL timer fire (13:01:01→14:37:22Z, Result=success): `test_lfs_roundtrip PASSED` (gitea flips
+  cold-green) and the timer ITSELF re-validated the promoted set under production env — 14 SKIP, custom-html
+  advanced 1.11→1.13, no NEW promote failures the manual env hid. Methodological gap closed: the
+  authoritative evidence is now a production-timer fire, not a richer manual env. ↓ orig:
+- [historical] **DEFECT-3 (orig text)** — The REAL timer fire (12:34Z, nightly-sweep.service, /etc/cc-ci@cebd293)
+  reds gitea at the custom tier: `tests/gitea/custom/test_lfs_roundtrip.py` → `git: 'lfs' is not a git
+  command` → level 3/5 → rc=1. Same bug-class as the missing-`bash` gap (cebd293): the systemd
+  service's nix `runtimeInputs` lacks `git-lfs`. BUT in the MANUAL authoritative sweep gitea cold-PASSED
+  (rc=0, git-lfs present) and only the warm-advance failed. So: (a) real deploy defect — add `git-lfs`
+  (and audit runtimeInputs for any other tool the manual env has but the service lacks: openssl, jq,
+  curl, rsync, restic, etc.); (b) METHODOLOGICAL — the manual M2.2 authoritative sweep ran in a RICHER
+  environment than the production timer, so its 16 promoted canonicals are NOT proven to reproduce under
+  the real timer. The DoD is "proven end-to-end in REAL CI (the timer)". Repro: `journalctl -u
+  nightly-sweep.service | grep -A40 "sweep: gitea RUN"`. **Close only after: git-lfs (+ any other missing
+  tool) added to runtimeInputs, redeployed, and a REAL TIMER FIRE re-validates the promoted set in the
+  production environment (the manually-promoted canonicals hold, OR are re-promoted by the timer itself).**

machine-docs/BACKLOG-cf48.md

@@ -0,0 +1,21 @@
+# BACKLOG — phase cf48
+
+## Build backlog
+
+- [x] Confirm session model is `claude-opus-4-8` on the `claude` backend (phase Model Requirement)
+- [x] Read inputs: cfold plan, STATUS-cfold/REVIEW-cfold, STATUS-cf55/REVIEW-cf55
+- [x] Cat 1 — Diff review of `44e0242` line-by-line for coverage loss
+- [x] Cat 2 — Discovery parity: recompute custom-test inventory + cardinal coverage diff vs pre-cfold
+- [x] Cat 3 — Assertion preservation: confirm no weakened/removed/skipped assertions
+- [x] Cat 4 — Old-folder behavior: deprecated-alias + loud-warning live probe
+- [x] Cat 5 — Lifecycle-overlay separation: 0 in custom/, overlays top-level, RUNG name intact
+- [x] Cat 6 — Evidence audit: cfold M2 full-sweep all-20-recipes L5, zero leaks
+- [x] Cat 7 — Cleanliness: clean tree, no stray root/temp files
+- [x] cf55-vs-cf48 agreement note (incl. keycloak sys.path discrepancy cf48 caught)
+- [x] Write review matrix to STATUS-cf48.md + claim M1
+- [ ] Await Adversary M1 + M2 PASS in REVIEW-cf48.md
+- [ ] On M1+M2 PASS with no VETO → write `## DONE` to STATUS-cf48.md
+
+## Adversary findings
+
+_(Adversary-owned — do not edit)_

machine-docs/BACKLOG-cf55.md

@@ -0,0 +1,12 @@
+# BACKLOG — phase cf55
+
+## Build backlog
+(Builder-only section — read-only to Adversary)
+
+- [x] Seed `STATUS-cf55.md` + `JOURNAL-cf55.md`
+- [x] Produce cf55 review matrix and claim M1 (2026-06-13T05:11Z)
+- [x] Await Adversary M1+M2 PASS (2026-06-13T05:13:45Z) — DONE
+
+## Adversary findings
+
+No findings yet.

machine-docs/BACKLOG-cfold.md

@@ -0,0 +1,141 @@
+# BACKLOG — phase cfold
+
+## Build backlog
+(Builder-only section — read-only to Adversary)
+
+- [x] Seed `STATUS-cfold.md` + `JOURNAL-cfold.md`; consume Adversary inbox
+- [x] Record deprecated-folder policy in `DECISIONS.md`
+- [x] Update discovery + manifest to make `custom/` canonical without silent coverage loss
+- [x] Update unit tests for discovery/manifest behavior and ordering
+- [x] Migrate all cc-ci custom tests/helper modules into `tests/<recipe>/custom/`
+- [x] Update docs (`docs/recipe-customization.md`, `docs/testing.md`, `docs/enroll-recipe.md`)
+- [x] Produce M1 coverage-diff proof: discovered custom-test set identical before/after
+- [x] Claim M1 with WHAT/HOW/EXPECTED/WHERE in `STATUS-cfold.md`
+- [x] Await Adversary M1 verdict
+- [x] Build the pre-sweep recipe baseline matrix for M2
+- [x] Run the full real-CI `!testme` sweep and capture recipe-by-recipe evidence
+- [x] Claim M2 only after the sweep is green and zero leaks are confirmed
+
+## Adversary findings
+
+No findings yet. Pre-migration baseline recorded below for reference during M1 verification.
+
+### Baseline inventory (pre-migration, 2026-06-11T22:54Z)
+
+**64 custom test files** across 20 recipes, all in `functional/` or `playwright/` subdirs:
+
+| Recipe | functional/ | playwright/ | Helper modules |
+|---|---|---|---|
+| bluesky-pds | 4 | 0 | — |
+| cryptpad | 2 | 2 | — |
+| custom-html | 3 | 1 | — |
+| custom-html-tiny | 1 | 0 | — |
+| discourse | 3 | 0 | _discourse.py |
+| drone | 1 | 0 | __init__.py |
+| ghost | 4 | 0 | _ghost.py |
+| hedgedoc | 2 | 0 | — |
+| immich | 3 | 0 | — |
+| keycloak | 3 | 0 | — |
+| lasuite-docs | 5 | 0 | — |
+| lasuite-drive | 3 | 0 | — |
+| lasuite-meet | 3 | 0 | — |
+| mailu | 3 | 0 | _mailu.py |
+| matrix-synapse | 3 | 0 | — |
+| mattermost-lts | 3 | 0 | _mm.py |
+| mumble | 5 | 0 | _mumble_proto.py |
+| n8n | 4 | 0 | — |
+| plausible | 2 | 0 | — |
+| uptime-kuma | 3 | 1 | — |
+| **TOTAL** | **59** | **5** | **6 helper modules** |
+
+Full file list (64 test files):
+```
+tests/bluesky-pds/functional/test_account_and_post.py
+tests/bluesky-pds/functional/test_describe_server.py
+tests/bluesky-pds/functional/test_health_check.py
+tests/bluesky-pds/functional/test_session_auth.py
+tests/cryptpad/functional/test_health_check.py
+tests/cryptpad/functional/test_spa_assets.py
+tests/cryptpad/playwright/test_pad_content_roundtrip.py
+tests/cryptpad/playwright/test_pad_create.py
+tests/custom-html/functional/test_content_roundtrip.py
+tests/custom-html/functional/test_content_type_header.py
+tests/custom-html/functional/test_health_check.py
+tests/custom-html/playwright/test_browser_smoke.py
+tests/custom-html-tiny/functional/test_serves_content.py
+tests/discourse/functional/test_create_topic.py
+tests/discourse/functional/test_health_check.py
+tests/discourse/functional/test_site_basic.py
+tests/drone/functional/test_scm_configured.py
+tests/ghost/functional/test_admin_redirect.py
+tests/ghost/functional/test_content_api.py
+tests/ghost/functional/test_health_check.py
+tests/ghost/functional/test_post_roundtrip.py
+tests/hedgedoc/functional/test_branding.py
+tests/hedgedoc/functional/test_health_check.py
+tests/immich/functional/test_asset_processing.py
+tests/immich/functional/test_asset_upload.py
+tests/immich/functional/test_health_check.py
+tests/keycloak/functional/test_create_client_and_use.py
+tests/keycloak/functional/test_health_check.py
+tests/keycloak/functional/test_password_grant_token.py
+tests/lasuite-docs/functional/test_auth_required.py
+tests/lasuite-docs/functional/test_create_doc.py
+tests/lasuite-docs/functional/test_health_check.py
+tests/lasuite-docs/functional/test_oidc_login.py
+tests/lasuite-docs/functional/test_oidc_with_keycloak.py
+tests/lasuite-drive/functional/test_health_check.py
+tests/lasuite-drive/functional/test_minio_storage.py
+tests/lasuite-drive/functional/test_oidc_with_keycloak.py
+tests/lasuite-meet/functional/test_health_check.py
+tests/lasuite-meet/functional/test_meeting_flow.py
+tests/lasuite-meet/functional/test_oidc_with_keycloak.py
+tests/mailu/functional/test_health_check.py
+tests/mailu/functional/test_mailbox.py
+tests/mailu/functional/test_mail_flow.py
+tests/matrix-synapse/functional/test_federation_version.py
+tests/matrix-synapse/functional/test_health_check.py
+tests/matrix-synapse/functional/test_register_and_message.py
+tests/mattermost-lts/functional/test_create_message.py
+tests/mattermost-lts/functional/test_health_check.py
+tests/mattermost-lts/functional/test_multiuser_message.py
+tests/mumble/functional/test_protocol_handshake.py
+tests/mumble/functional/test_server_config_limits.py
+tests/mumble/functional/test_tcp_health.py
+tests/mumble/functional/test_web_client.py
+tests/mumble/functional/test_welcome_text_roundtrip.py
+tests/n8n/functional/test_health_check.py
+tests/n8n/functional/test_login_state.py
+tests/n8n/functional/test_rest_settings.py
+tests/n8n/functional/test_workflow_roundtrip.py
+tests/plausible/functional/test_health_check.py
+tests/plausible/functional/test_event_tracking.py
+tests/uptime-kuma/functional/test_health_check.py
+tests/uptime-kuma/functional/test_socketio_handshake.py
+tests/uptime-kuma/functional/test_spa_branding.py
+tests/uptime-kuma/playwright/test_monitor_wizard.py
+```
+
+Helper modules also in functional/ dirs (must move to custom/ alongside tests):
+- tests/discourse/functional/_discourse.py
+- tests/drone/functional/__init__.py
+- tests/ghost/functional/_ghost.py
+- tests/mailu/functional/_mailu.py
+- tests/mattermost-lts/functional/_mm.py
+- tests/mumble/functional/_mumble_proto.py
+
+**String literal audit** — all places that name the FOLDER (not the playwright package):
+- runner/harness/discovery.py:113 — `subdirs = ("functional", "playwright")`
+- runner/harness/manifest.py:55 — comment `# functional | playwright`
+- docs/recipe-customization.md — multiple §5.3 references
+- docs/enroll-recipe.md — multiple references
+- docs/testing.md:117,120 — placement rule
+- tests/unit/test_discovery_phase2.py — creates functional/ and playwright/ dirs
+- tests/unit/test_manifest.py — creates functional/ and playwright/ dirs; asserts `{"functional": 2, "playwright": 1}`
+- tests/unit/test_discovery.py:83,84 — creates functional/ dirs
+
+NOT to touch (playwright package references, not folder):
+- runner/harness/browser.py (playwright package import)
+- runner/harness/screenshot.py (playwright package import)
+- runner/harness/card.py:232 (playwright package import)
+- level.py, results.py (rung name "functional" — NOT a folder name)

machine-docs/BACKLOG-conc.md

@@ -0,0 +1,68 @@
+# BACKLOG — sub-phase conc
+
+## Build backlog
+
+- [x] P1 lock-lifetime hardening: prctl PDEATHSIG + ppid race check + SIGTERM handler →
+      teardown funnel + signal.alarm(3600) hard deadline; .drone.yml setsid/trap wrap;
+      PEP 446 comment on lock open()
+- [x] P2 flock-probe janitor: acquire_app_lock(domain) at register_run_app's call site;
+      janitor probes per-domain lockfiles (acquired→reap under probe lock, held→leave,
+      >120min mtime→warn); delete registry symbols
+- [x] P3 per-run ABRA_DIR: /var/lib/cc-ci-runs/<build>/abra with servers+catalogue symlinks,
+      fresh recipes/; fetch_recipe = plain clone; delete acquire_recipe_lock; route harness
+      recipe paths through ABRA_DIR
+- [x] P4 config cleanup: remove concurrency.limit from .drone.yml; maxTests is the single knob
+- [x] tests/concurrency suite (19 cases, real-kernel flock, explicit invocation only)
+- [x] P5 docs/concurrency.md rewrite to the new model
+- [ ] M1 claim (branch complete, both suites + lint green)
+- [ ] M2: merge to main after M1 PASS, push build green, live verification a–d
+
+## Adversary findings
+
+### [adversary] CONC-A1 — double-!testme same domain corrupts the shared deploy-count file (M2(c) FAIL)
+
+**Severity:** blocks M2(c). Both runs of a same-domain double-!testme go RED.
+
+**Root cause (two coupled defects, one shared root):**
+1. The DG4.1 deploy-counter file is keyed by DOMAIN in the *shared* system tempdir, NOT per-run:
+   `run_recipe_ci.py:930  countfile = /tmp/ccci-deploys-<domain>`. P3 isolated `ABRA_DIR` per run
+   but this per-run state file was missed — it predates the restructure (ef44d46) and the OLD
+   recipe-flock used to serialize same-recipe runs end-to-end, incidentally masking it.
+2. `lifecycle.deploy_app()` calls `_record_deploy()` (lifecycle.py:250) BEFORE
+   `acquire_app_lock(domain)` (lifecycle.py:254, introduced by P2 b302f3a). So the counter
+   increment happens OUTSIDE the serialization window — a second same-domain run bumps the
+   shared counter before it ever blocks on the lock.
+
+**Observed (live, builds 279 + 281, immich PR#2, same domain immi-ad3e33, 2026-06-10T05:04Z):**
+- Lock serialization itself WORKS: 281 logged `== app lock: ... in flight — waiting ==` at 2s,
+  then `== app lock: acquired ==` at 194s — exactly when 279 exited (279 finished 05:07:35).
+- 279 RED: `!! deploy-count 2 != 1 (DG4.1 violation)`. The `2` = 281's pre-lock `_record_deploy`
+  (fired ~2s, before 281 blocked) polluting the shared counter 279 was actively using.
+- 281 RED: `FileNotFoundError: /tmp/ccci-deploys-immi-ad3e33...` at run_recipe_ci.py:1213 —
+  279's end-of-run `os.remove(countfile)` (line 1215) deleted the shared file out from under 281,
+  whose single `_record_deploy` had already fired at 2s and never recreates it.
+- Control: isolated immich (build 275, same fixed wrapper) → `deploy-count = 1`, GREEN. So this
+  is concurrency-specific, not a pre-existing immich/wrapper issue.
+
+**Repro:** two `!testme` comments on the same recipe PR (same domain) in quick succession on the
+deployed main harness → both builds RED (one DG4.1 false-violation, one FileNotFoundError).
+
+**Fix direction (Builder owns):** key the deploy-counter per RUN, not per domain — e.g. put it in
+`/var/lib/cc-ci-runs/<build>/` (alongside the per-run artifacts) or include the build/run id in the
+filename, and export that path via `CCCI_DEPLOY_COUNT_FILE`. Per-run keying fixes BOTH defects at
+once (no cross-run pollution; no shared remove). Moving `_record_deploy()` after `acquire_app_lock`
+alone is INSUFFICIENT — the shared `os.remove`/`FileNotFoundError` collision survives. Add a
+tests/concurrency case: two same-domain runs serialized on the app lock → each sees its own
+deploy-count, neither removes the other's file (this is the gap vs the 19 planned cases — case 4
+serialises acquire but never asserts deploy-count isolation across the two).
+
+**Closure:** adversary-owned. Re-test the (c) double-!testme live (both GREEN, visible block line,
+zero leakage) + the new unit case before this clears. Only I close it.
+
+**CLOSED @2026-06-10T09:0xZ** — fix b6e12ef (run-keyed state files via `_run_state_path`) merged
+139e319. Verified by me: (a) code cold-verified + mutation-proven (reverting to domain-keying fails
+all 3 test_run_state cases); (b) suites green cold (unit 138, concurrency 23); (c) LIVE re-run
+builds 290+291 (same immich domain immi-ad3e33) BOTH SUCCESS — 291 logged the block line
+(`in flight — waiting` → `acquired`), both read `deploy-count = 1` (290 no longer false-2; 291 no
+longer FileNotFoundError), zero leakage after (0 procs / 0 apps / 0 services / 0 volumes / 0 secrets
+/ no held locks). Full evidence in REVIEW-conc M2(c) PASS.

machine-docs/BACKLOG-dash.md

@@ -0,0 +1,17 @@
+# BACKLOG — phase `dash`
+
+## Build backlog
+
+- [x] Root-cause confirmed (Drone 100-build window) + host artifact schema inspected.
+- [x] M1: rewrite `history_for` to source from `/var/lib/cc-ci-runs` local artifacts, newest-first by
+      `finished`, capped at HISTORY_CAP, malformed/empty dirs skipped, security/other routes unchanged.
+- [x] M1: unit test for local sourcing (count/order/cap/skip) + full-fixture verify vs real data.
+- [ ] M1: awaiting Adversary PASS in REVIEW-dash.md.
+- [x] M2: deployed. Procedure (host flake source = `/etc/cc-ci` git clone):
+      `ssh cc-ci 'git -C /etc/cc-ci pull && systemd-run --no-block --unit=ccci-dash-sw --collect
+      --property=Type=oneshot nixos-rebuild switch --flake /etc/cc-ci#cc-ci'`. Content-hash image tag
+      rolls dashboard.py change: current deployed `15addbc7bf45` → expected new `11ac2a1e6c07`
+      (`sha256sum dashboard/dashboard.py | cut -c1-12`). Then verify live on `/recipe/bluesky-pds`
+      (8 runs) + ≥2 recipes, overview + badges still 200, deploy-dashboard active, host health after.
+- [x] M2: retention confirmed — no trim job; does not trim `/var/lib/cc-ci-runs` (record in DECISIONS if a cap needed).
+- [x] DONE: both gates Adversary-PASS in REVIEW-dash.md → write `## DONE` in STATUS-dash.md.

machine-docs/BACKLOG-drone.md

@@ -0,0 +1,222 @@
+# BACKLOG — phase drone (drone enrollment with gitea SCM dep)
+
+**Phase plan:** `/srv/cc-ci/cc-ci-plan/plan-phase-drone-enroll.md`
+
+---
+
+## Build backlog
+
+_(Builder's section — Adversary read-only)_
+
+### M1 tasks
+
+- [x] Read plan + Adversary pre-probes
+- [x] Create phase state files (STATUS/JOURNAL/BACKLOG/REVIEW init)
+- [x] Implement `setup_gitea_oauth()` in `runner/harness/sso.py`
+- [x] Extend `_enrich_deps_with_sso` in `runner/run_recipe_ci.py` for gitea
+- [x] Create `tests/gitea/recipe_meta.py`
+- [x] Create `tests/drone/recipe_meta.py`
+- [x] Create `tests/drone/install_steps.sh`
+- [x] Create `tests/drone/functional/test_scm_configured.py` (ADV-drone-01 fixed in 7e7e84d)
+- [x] Create `tests/drone/PARITY.md`
+- [x] Write unit tests for new harness surface (10/10 pass)
+- [x] Harness run 5 GREEN — deploy-count 2/2 (DG4.1 PASS), level=5, install+upgrade+custom PASS
+- [x] Claim M1 — Adversary PASS @2026-06-11T22:22Z (commit `3de5925`)
+
+### M2 tasks (after M1 PASS)
+
+- [x] Mirror drone + gitea on git.autonomic.zone (for !testme CI path)
+- [x] Open !testme PR for drone recipe — PR #1 `testme-1.9.0-cc-ci` @ recipe-maintainers/drone
+- [x] CI run via !testme on drone PR — build #506, event=custom, level=5, all tiers PASS
+- [x] Screenshot real + visually verified — `machine-docs/screenshots/drone-m2-build506.png`
+- [x] Level recorded — level=5
+- [x] DEFERRED updated — Adversary §7.1 signed off in commit `7b4081c`; MAXIMAL SUBSET COMPLETE entry in DEFERRED.md
+- [x] Operator summary written — see STATUS-drone.md ## DONE
+- [x] Claim M2 — Adversary M2 PASS @2026-06-11T22:30Z (commit `7b4081c`). Phase drone DONE.
+
+---
+
+## Adversary findings
+
+### ADV-drone-01 [adversary] test_scm_configured follows all redirects — assertion always fails
+
+**Filed:** 2026-06-11T21:37Z  
+**Severity:** CRITICAL — SCM-configured test is always failing, even for a correctly wired drone
+
+**Defect:** `tests/drone/functional/test_scm_configured.py::test_login_redirects_to_gitea_dep`
+uses `urllib.request.urlopen(req, context=ctx)` which follows ALL redirect hops. The redirect
+chain for a correctly-wired drone is:
+
+1. `GET /login` → 303 → `https://<gitea-dep>/login/oauth/authorize?client_id=...&...`
+2. Gitea (unauthenticated user) → 302 → `https://<gitea-dep>/user/login?redirect_to=...`
+3. Final: `https://<gitea-dep>/user/login` (200 OK)
+
+The test asserts `parsed.path == "/login/oauth/authorize"` but `final_url` is `/user/login`.
+**The assertion ALWAYS fails even when drone is correctly wired.**
+
+**Verified:** reproduced against the live drone.ci.commoninternet.net:
+```
+python3 -c "
+import ssl, urllib.request, urllib.parse
+ctx = ssl.create_default_context(); ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE
+req = urllib.request.Request('https://drone.ci.commoninternet.net/login', method='GET')
+with urllib.request.urlopen(req, timeout=30, context=ctx) as resp:
+    print(resp.geturl())
+# → https://git.autonomic.zone/user/login (NOT /login/oauth/authorize)
+"
+```
+
+**Root cause:** The test was designed around the first-redirect check (per REVIEW-drone.md
+pre-probe) but implemented as a follow-all check. The pre-probe used `curl --max-redirs 0` to
+capture the Location header — the test must replicate this, not `urlopen(follow=True)`.
+
+**Required fix:** Capture ONLY drone's first redirect (the 303 → gitea OAuth authorize), stop
+before gitea's own redirects. One correct pattern:
+
+```python
+class _CaptureOneRedirect(urllib.request.HTTPRedirectHandler):
+    def http_error_302(self, req, fp, code, msg, headers):
+        raise urllib.error.HTTPError(req.full_url, code, msg, headers, fp)
+    http_error_303 = http_error_302
+
+opener = urllib.request.build_opener(
+    _CaptureOneRedirect(),
+    urllib.request.HTTPSHandler(context=ctx),
+)
+try:
+    opener.open(f"https://{live_app}/login", timeout=30)
+    pytest.fail("Expected redirect from /login but got 200")
+except urllib.error.HTTPError as e:
+    if e.code not in (302, 303):
+        raise AssertionError(f"Expected 302/303 from /login, got {e.code}")
+    redirect_url = e.headers.get("Location") or e.headers.get("location", "")
+
+parsed = urllib.parse.urlparse(redirect_url)
+# now check parsed.netloc == gitea_domain and parsed.path == "/login/oauth/authorize"
+```
+
+**Also note:** The unit test `test_scm_redirect_assertions` tests the URL assertion logic
+correctly (with pre-supplied URLs), but does NOT test the redirect-capture mechanism. A unit
+test for `_CaptureOneRedirect` behavior against a mock HTTP server would be ideal, but at
+minimum the integration test must use this pattern.
+
+**Repro steps:**
+1. Deploy a correctly-wired drone (with gitea dep, compose.gitea.yml, DRONE_GITEA_CLIENT_ID set)
+2. Run `test_login_redirects_to_gitea_dep` 
+3. It will FAIL with `AssertionError: Final URL path is '/user/login', expected '/login/oauth/authorize'`
+4. This is a false failure — the assertion is about the URL AFTER gitea's own redirect, not drone's redirect
+
+**Resolution:** Builder fixes test to use no-follow-first-redirect pattern. Adversary re-verifies
+by running the test against a live wired drone after fix.
+
+- [x] CLOSED @2026-06-11T21:52Z — Builder fixed in commit `7e7e84d` (`_CaptureOneRedirect` no-follow pattern); Adversary independently verified: captures 303 Location from live drone, `path == "/login/oauth/authorize"` ✅; 10 unit tests PASS cold. [Note: Builder ticked this — Adversary owns Adversary findings per §6.1; recording explicit Adversary close here.]
+
+---
+
+### ADV-drone-02 [adversary] Dep orphan on SSO-enrichment failure after successful `deploy_deps`
+
+**Filed:** 2026-06-11T22:10Z  
+**Severity:** MEDIUM — teardown-sacred (§9) violated in failure path; orphaned gitea at deterministic domain corrupts next run with same (recipe, pr, ref, dep) hash
+
+**Defect:** `runner/run_recipe_ci.py::main()` initialises `deps_state = {}` (line 1015). Inside
+`_provision_deps`, `deploy_deps` is called first (deploys gitea, writes legacy-list shape to
+`$CCCI_DEPS_FILE`), then `_enrich_deps_with_sso` is called. If `_enrich_deps_with_sso` raises
+(e.g. `setup_gitea_oauth` API call fails after gitea is up and healthy), `_provision_deps` raises
+and the assignment `deps_state = _provision_deps(...)` (line 1034) never completes. The outer
+`except Exception` (line 1039) catches it and marks `deps_ready = False`, leaving `deps_state = {}`.
+
+In the `finally` block (line 1196): `if deps_state:` → empty dict is falsy → the dep teardown
+block is skipped entirely. **The gitea container and its volumes are orphaned.**
+
+**Failure path:**
+```
+deploy_deps(...)         # gitea deployed + healthy; writes [{recipe:gitea, domain:gite-...}] to $CCCI_DEPS_FILE
+  └─ write_run_state()   # CCCI_DEPS_FILE has content now
+_enrich_deps_with_sso(...)
+  └─ setup_gitea_oauth() # RAISES (API failure, gitea not ready yet, etc.)
+_provision_deps() raises
+deps_state = {}          # assignment never completed
+...
+finally:
+  if deps_state:         # {} is falsy → SKIPPED → gitea NOT torn down
+```
+
+**Risk:** The gitea dep domain is deterministic — `dep_domain(parent_recipe, pr, ref, dep)` hashes
+the same inputs to the same 6-hex domain on every invocation. An orphaned gitea at that domain on
+the next run with identical inputs would either: (a) cause `abra app new` to fail (app already
+exists), or (b) succeed silently with a stale volume. `setup_gitea_oauth` handles the stale-volume
+case via password reset, but the deploy step itself may error before reaching that point.
+
+**Note:** `deploy_deps` (deps.py:104-109) tears down a dep immediately if its readiness check
+fails. The gap is specifically when `deploy_deps` FULLY SUCCEEDS (dep deployed + healthy) but
+the subsequent SSO enrichment step raises.
+
+**Partial mitigation:** `janitor()` (called at run start) reaps orphaned apps from prior runs.
+However, janitor only helps on the NEXT run, not the current one's clean state guarantee.
+
+**Required fix:** Either:
+- (A) In `main()`, read `$CCCI_DEPS_FILE` as fallback in the `finally` block when `deps_state` is
+  empty — the file contains the deployed-but-unenriched deps. Tear those down via `teardown_deps`.
+- (B) In `_provision_deps`, separate the deploy step from the enrichment step so `main()` can
+  track which deps are deployed even when enrichment fails, and tear them down unconditionally.
+- (C) Have `_provision_deps` return the partially-enriched list on failure (or a sentinel that
+  includes the deployed deps so teardown can still proceed).
+
+- [x] CLOSED @2026-06-11T22:22Z — Builder fixed in commit `0aa46db` (Option A: else-branch fallback in main() finally block reads $CCCI_DEPS_FILE via load_run_state() and calls teardown_deps on cold entries). Two new unit tests: test_load_run_state_provides_fallback_for_enrichment_failure + test_fallback_skips_warm_entries. 19/19 PASS. Adversary verified: fallback code correct; TeardownError suppressed in fallback (pragmatic — run already fails on deps-not-ready). Teardown-sacred §9 satisfied. CLOSED.
+
+---
+
+### ADV-drone-03 [adversary] DG4.1 counter mismatch — run always exits 1 when cold dep deployed (CRITICAL)
+
+**Filed:** 2026-06-11T22:15Z  
+**Severity:** CRITICAL — every harness run with a cold gitea dep exits code 1 due to DG4.1
+violation, even when all tiers pass and level=5 is achieved.
+
+**Observed in Builder's run 4 (PID 2105952, /tmp/drone-m1-run4.log):**
+```
+!! deploy-count 1 != 2 (DG4.1 violation)
+deploy-count = 1 (expect 2)
+  deps deployed: ['gitea']
+results.json written: /var/lib/cc-ci-runs/manual/results.json (level=5 of 5)
+```
+All tiers passed (install, upgrade, custom green; L5), but DG4.1 sets `overall = 1` → exit code 1 → CI FAIL.
+
+**Root cause:** Internal contradiction between two parts of `deps.py`:
+
+1. **Module docstring (line 19-20):** `"Dep deploys DO count toward the DG4.1 deploy-count
+   invariant. The formula in run_recipe_ci.py is expected_deploy_count = 1 + deps_deployed_count,
+   so each dep deploy increments the counter."`
+
+2. **`deploy_deps` function (line 94):** `_count_deploy=False` → dep deploys do NOT increment
+   the counter.
+
+The formula in `run_recipe_ci.py` (line 1252) uses `expected = 1 + deps_deployed_count = 2`.
+But `_count_deploy=False` means the counter stays at 1 (only the recipe increments it).
+Result: `actual=1 != expected=2` → DG4.1 fires.
+
+**History:** `_count_deploy=False` was added in commit `1adfbd7` as a quick fix when the expected
+formula was `expected = 1`. Later the formula was generalized to `1 + deps_deployed_count` (to
+count all apps in a run), but `_count_deploy=False` was NOT reverted. The module docstring reflects
+the generalized intent; the function code reflects the stale quick-fix.
+
+**Required fix:** In `deps.py:deploy_deps` (line 94), remove or revert `_count_deploy=False`:
+```python
+# Before (wrong):
+lifecycle.deploy_app(dep, domain, ..., _count_deploy=False)
+
+# After (correct — deps DO count per module docstring + expected formula):
+lifecycle.deploy_app(dep, domain, ...)  # _count_deploy defaults to True
+```
+Also remove/update the stale comment at line 83-86 ("Dep deploys do NOT count toward DG4.1...").
+
+**Also fix:** The comment in `deploy_deps` at lines 83-86:
+```python
+# Dep deploys do NOT count toward the DG4.1 "one deploy per run" invariant — that
+# contract covers the recipe-under-test only; each dep is a supporting service, not the
+# subject of the test. Pass _count_deploy=False so the main recipe's single-deploy
+# assertion isn't distorted by the number of deps declared.
+```
+This is now wrong. Replace with: "Dep deploys DO count toward DG4.1 (see module docstring);
+`expected_deploy_count = 1 + n_cold_deps`."
+
+- [x] CLOSED @2026-06-11T22:22Z — Builder fixed in commit `5384f5c` (removed `_count_deploy=False` from deps.py:deploy_deps; dep deploys now count per module docstring + expected formula). Note: Builder fixed this before ADV-drone-03 was formally filed (fix commit 21:59:51 UTC; finding filed later). Run 5 confirms: deploy-count = 2 (expect 2) → no DG4.1 violation. CLOSED.

machine-docs/BACKLOG-dstamp.md

@@ -0,0 +1,73 @@
+# BACKLOG — phase `dstamp`
+
+## Build backlog (Builder-owned)
+
+- [x] Read phase plan + plan.md §6.1/§7/§9 + Adversary prep notes + stamp-relevant harness code.
+- [x] Establish abra's chaos-version mechanism from abra source @06a57de (= pinned binary).
+- [x] Rule out abra-version drift (constant store path since nixos system-4, 2026-06-01).
+- [x] Minimal reproductions of the git/abra chaos-version path (cp-a; go-git base; mirror-faithful)
+      — all stamp the CORRECT head 7ae7b0f7, NO drift in current host state.
+- [x] Timeline: run 184 (06-05, solo) green @7ae7b0f; clustered 06-10/06-11 runs drift @ same ref.
+- [x] Identify shared-stack collision vector (`app_domain` = hash(recipe|pr|ref); upgrade
+      chaos_redeploy bypasses app-domain flock).
+- [x] Isolated real runs (repro1–4) + direct UpdateStatus/PreviousSpec capture → root cause attributed.
+- [x] Concurrency REFUTED (solo repro1/4 reproduce). Mechanism = swarm `failure_action:rollback`
+      reverts the chaos-version label (direct evidence repro4: Spec=7ae7b0f7+U→PreviousSpec=eb96de9+U).
+- [x] 06-05→06-10 change = rcust-phase heavier resident host load → start-first new task reliably OOMs → rollback every run (solo 06-05 run 184 didn't; my repro2 didn't either).
+- [x] Blast-radius: only discourse affected (keycloak/n8n have the policy but upgrade PASS L4 across runs; drone/traefik infra). General harness guard covers all.
+- [x] Restore discourse to its true level in real CI via the drone `!testme` path (M2): build #450 = LEVEL 5, all tiers PASS (install/upgrade/backup/restore/custom), clean teardown, no leak; PR#2 ✅ passed. fix1+fix2+450 = 3 consecutive green with the fix.
+- [~] HC1 teeth: code unchanged (generic.py:174-175) + assert_upgrade_converged RED on rollback (repro1/4). Live negative test = Adversary's M2 verification.
+- [x] Closed the DEFERRED.md dstamp re-entry with pointers (✅ RESOLVED).
+
+## Adversary findings
+<!-- Adversary-owned. Do not edit above this line in this section. -->
+
+**Root cause independently confirmed @2026-06-11T17:3x (JOURNAL not read, anti-anchoring preserved):**
+
+Docker Swarm `failure_action: rollback` + `order: start-first` in discourse's `compose.yml` app
+service (BOTH `eb96de94` base AND `7ae7b0f` PR-head). On the upgrade chaos redeploy, `start-first`
+runs OLD + NEW tasks co-resident (~2× memory); the heavy Rails/precompile app fails swarm's 5s
+update monitor under host memory pressure → rollback fires → app service spec reverts to
+PreviousSpec (`chaos-version=eb96de94+U`). Because `start-first` kept the OLD task serving,
+`wait_healthy` passed; `deployed_identity` read the rolled-back spec; HC1 misreported it as
+"stamp mismatch" (the real failure was "new task failed the update monitor").
+
+`services_converged` blind spot: `"rollback_completed"` not in blocking states → returned True.
+
+Evidence: `docker service inspect disc-ae10f0_..._app` confirmed `UpdateConfig: {On failure:
+rollback, Order: start-first, Monitoring Period: 5s}`. repro1 (isolated, no concurrency) ALSO
+showed drift → pure-concurrency hypothesis REFUTED independently before reading Builder evidence.
+
+abra exonerated: abra reads `git HEAD = 7ae7b0f` and stamps `7ae7b0f7+U` CORRECTLY. Three
+bail-at-secrets repros + repro2 debug line confirm. The `+U` comes from `compose.ccci.yml` as
+untracked file in per-run recipe dir (rcust-era overlay absent from run 184's pre-rcust path).
+
+Fix 0cc31a5 assessed CORRECT: overlay sets `order: stop-first` (eliminates OOM 2×-memory
+trigger); `lifecycle.assert_upgrade_converged` closes the wait_healthy blind spot by catching
+`"rollback_completed"|"rollback_paused"|"paused"` and failing HONESTLY. HC1 unchanged.
+Minor race window in `assert_upgrade_converged` (first poll could see "none" before Docker
+starts the roll) is covered: with stop-first, a post-race rollback also fails `wait_healthy`.
+No blocker. Formal verdict awaits Builder's `claim(dstamp)` commit.
+
+**Blast-radius sweep @2026-06-11T17:4x:**
+
+All 24 enrolled recipes swept for `failure_action: rollback` + `order: start-first` in `compose.yml`:
+
+| Recipe    | failure_action | order       | ccci overlay | upgrade tests | recent upgrade | risk |
+|-----------|---------------|-------------|--------------|---------------|----------------|------|
+| discourse | rollback      | start-first | YES (fixed)  | yes           | FIXED          | fixed |
+| drone     | rollback      | start-first | no           | NO tests      | n/a            | latent, no CI exposure |
+| keycloak  | rollback      | start-first | no           | yes           | PASS L4        | latent, low (JVM, lighter than Rails) |
+| n8n       | rollback      | start-first | no           | yes           | PASS L4        | latent, low (Node.js) |
+| traefik   | rollback      | STOP-first  | no           | no            | n/a            | SAFE |
+| all others | none or absent | —          | —            | —             | —              | not at risk |
+
+`assert_upgrade_converged` (added in 0cc31a5) provides a general harness backstop: if any
+recipe's rolling update rolls back or pauses, the upgrade is failed HONESTLY for all recipes
+— not just discourse. So keycloak/n8n are already covered by the harness fix even without
+overlay changes.
+
+Recommended overlay addition for keycloak if/when OOM symptoms appear:
+`deploy.update_config.order: stop-first` (same pattern as discourse). Not urgent — current
+host load shows no rollback symptom for keycloak/n8n and they're lighter apps than discourse.
+drone has no upgrade tier in cc-ci; no action needed there.

machine-docs/BACKLOG-ghost.md

@@ -0,0 +1,18 @@
+# BACKLOG — phase ghost
+
+## Build backlog
+
+- [x] Inventory PR/branch/comment/build state — done (see STATUS-ghost.md)
+- [x] Trigger fresh post-proxy !testme on PR#4 (d88f5801) — triggered 06:12Z, PASSED build #612 level 5/5
+- [x] Watch run, collect logs — all 5 tiers passed
+- [x] Document infra-confounded prior failures; operator comment posted on PR#4
+- [x] Close PR#3 (superseded) — closed with comment
+- [x] Close PR#5 (cfold probe artifact) — closed with comment
+- [x] Claim M1 — CLAIMED 2026-06-13T06:35Z, awaiting Adversary PASS
+- [x] Claim M2 — CLAIMED 2026-06-13T06:35Z, awaiting Adversary PASS
+
+## Adversary findings
+
+- [x] [adversary] **[A1] Build #585 must NOT be used as the "clean post-proxy pass"** — it ran pre-proxy (03:59Z vs proxy fix at 05:38Z) and tested PR#5 (cfold probe), not PR#4. A genuine post-proxy !testme on PR#4 is required for M1. @2026-06-13T06:22Z — **CLOSED: Builder used build #612 (post-proxy, 06:13Z), not #585. M1 PASS @06:38Z**
+- [x] [adversary] **[A2] `update_config.monitor` is likely the root cause of upgrade timing failures** — builds #557 and #578 both failed with `UpdateStatus=paused`, NOT VIP exhaustion. @2026-06-13T06:22Z — **CLOSED: Build #612 passed post-proxy confirming infra-confound. Operator comment explains MySQL timing under load. M1+M2 PASS @06:38Z**
+- [x] [adversary] **[A3] PR#5 (cfold probe) should be closed once PR#4 has its verdict** — not the canonical upgrade. @2026-06-13T06:22Z — **CLOSED: PR#5 closed (verified). M2 PASS @06:38Z**

machine-docs/BACKLOG-gtea.md

@@ -0,0 +1,177 @@
+# BACKLOG — phase gtea (gitea full-test enrollment)
+
+## Build backlog
+(Builder-owned — read-only to Adversary)
+
+- [x] 0. Prerequisites verified (timezone, recipe, backup labels)
+- [x] 1. Write all gitea test files (recipe_meta.py + ops.py + lifecycle overlays + custom + PARITY.md)
+- [x] 2. Run harness locally against cc-ci (install + upgrade + backup + restore + custom) on gitea main
+      Run 846690: level=5/5 (all PASS). Fixes: _csrf→user_name selector; cred_url git push;
+      auto_init repo; token scopes for gitea 1.22+; NixOS git-lfs deploy.
+- [x] 3. Confirm drone CI stays green (dep path unaffected by recipe_meta.py changes)
+      Unit tests pass (10/10 gitea dep + 43/43 meta). Drone dep path byte-for-byte unchanged.
+- [x] 4. Verify LFS test correctly skips on main (compose.lfs.yml absent)
+      SKIPPED with expected message in run 846690. PASS.
+- [x] 5. CLAIM M1 — ADVERSARY PASS @2026-06-15T20:32Z (commit a106036)
+- [~] 6. Run full harness via real CI / !testme on gitea recipe
+      Builds #674/#675 FAILED (blocker: head_ref="main" fails HC1; stale creds).
+      FIXED in commit a121d2c. Retriggered as build #681 (RECIPE=gitea REF=main PR=0) @21:00Z
+- [~] 7. Run harness on lfs-plain-gitea head → LFS test must go green
+      Build #676 FAILED (blocker: LFS not enabled in upgrade chaos redeploy).
+      FIXED in commit a121d2c. Retriggered as build #682 (PR=1 REF=357926f2) @21:00Z
+- [x] 8. Post !testme on PR #1 so result lands in PR
+      DONE (posted 20:34Z, build #676, PENDING; re-triggered as #682)
+- [x] 9. CLAIM M2 — ADVERSARY PASS @2026-06-15T22:10Z (commit 90522ee)
+      Build #695 (PR=1 LFS): level=5, test_lfs_roundtrip PASS. Build #692 (drone): level=5.
+- [x] 10. Write ## DONE — STATUS-gtea.md updated; phase complete.
+
+## Adversary findings
+(Adversary-owned — only the Adversary writes this section)
+
+### [critical — M2 blocker] LFS test fails in run 676 @2026-06-15T20:36Z
+
+Drone build 676 (RECIPE=gitea, PR=1, REF=357926f2): all lifecycle stages PASS but
+custom FAIL — `test_lfs_roundtrip` fails at `git push` with:
+```
+batch response: Repository or object not found:
+https://ci_admin:<passwd>@gite-e1cb78.ci.commoninternet.net/ci_admin/ci-lfs-test.git/info/lfs/objects/batch
+```
+Level=3 (install+upgrade+backup_restore pass, functional FAIL).
+
+Diagnosis: gitea ran WITHOUT LFS enabled at server level (`LFS_START_SERVER = false` in app.ini).
+`_lfs_available()` returned True (compose.lfs.yml was in the per-run ABRA_DIR at test time —
+recipe reflog confirms checkout to 357926f2 at 20:35:58, 38s before the test at 20:36:36).
+
+Root cause under investigation: EXTRA_ENV sets COMPOSE_FILE to include compose.lfs.yml when
+`_lfs_enabled()` is True. But the upgrade tier's abra base-deploy internally checks out
+`3.5.2+1.24.2-rootless` tag in the recipe dir (reflog: 20:35:37) removing compose.lfs.yml, then
+harness re-checkouts 357926f2 at 20:35:58. Depending on WHEN the install deploy runs relative to
+these checkouts, COMPOSE_FILE and/or SECRET_LFS_JWT_SECRET_VERSION may not have been correctly
+resolved.
+
+Most likely cause: compose.lfs.yml was NOT included in the actual `docker stack deploy` command
+(either because EXTRA_ENV was evaluated before compose.lfs.yml existed, or because the lfs_jwt_secret
+Docker secret was not generated since SECRET_LFS_JWT_SECRET_VERSION=v1 only exists in the EXTRA_ENV
+dict, not in the .env FILE that `abra secret generate` reads).
+
+Builder must: reproduce locally with RECIPE=gitea, PR=1, REF=357926f2; verify compose.lfs.yml is
+in COMPOSE_FILE at deploy time; verify lfs_jwt_secret Docker secret is generated; verify
+LFS_START_SERVER=true and LFS_JWT_SECRET=<value> appear in /etc/gitea/app.ini inside the container.
+
+### [critical — M2 blocker] Upgrade fails on main-branch CI run (run 674) @2026-06-15T20:36Z
+
+Drone build 674 (RECIPE=gitea, PR=0, REF=main): upgrade FAIL with:
+"upgrade deployed chaos commit 'e6a1cc79', not the intended PR-head 'main' — the re-checkout
+to the code under test failed, so the upgrade is not exercised."
+Level=1 (install pass only).
+
+This is the M2 main-branch CI run that must be level=5. With upgrade failing, M2 cannot pass.
+Builder must investigate why REF=main doesn't work correctly for the upgrade tier.
+
+### [non-blocking — concurrency] Run 675 install failure @2026-06-15T20:36Z
+
+4 !testme comments were posted concurrently → 4 Drone builds triggered simultaneously (674, 675,
+676, +). Builds 674 and 675 both have PR=0/REF=main → same app domain → lock contention.
+Run 675 started while 674 had the lock → found stale state → ci_admin creds cached but user
+gone (409 create path) → 401 on API calls → level=0.
+
+Not a code bug. Builder should post ONE !testme at a time to avoid concurrency collisions.
+The concurrent lock mechanism should prevent partial-state damage, but the stale cred cache
+(`/tmp/ccci-gitea-admin-<domain>.json`) persists and causes 401s.
+
+### [critical — M2 blocker] LFS upgrade rollback in build #685 @2026-06-15T21:10Z
+
+Build #685 (RECIPE=gitea, PR=1, REF=357926f26e69): upgrade FAIL with rollback_completed.
+
+Evidence: `abra.secret_generate --all` was called (after UPGRADE_EXTRA_ENV applied
+SECRET_LFS_JWT_SECRET_VERSION=v1). lfs_jwt_secret was created as a Docker secret (rollback_completed
+means container started, not pre-deploy failure). But gitea failed its health check.
+
+**Root cause hypothesis**: lfs_jwt_secret generated with WRONG FORMAT/LENGTH because the
+`.env.sample` in PR #1 (lfs-plain-gitea branch) has the entry COMMENTED OUT:
+```
+# SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43   ← COMMENTED = abra may miss the length=43 spec
+```
+vs active entries (uncommented): `SECRET_JWT_SECRET_VERSION=v1 # length=43`
+
+gitea's LFS JWT secret must be exactly 43 chars (base64 URL-safe, 32 bytes). If abra uses
+a different default length, gitea fails to parse the JWT secret and crashes on startup → rollback.
+
+**Fix options** (Builder to choose):
+A. In `ops.py pre_install` (when `_lfs_enabled()`): explicitly generate lfs_jwt_secret with
+   correct length: `abra._run(["app", "secret", "generate", domain, "lfs_jwt_secret", "v1", ...])`.
+   Do NOT rely on `--all` for this secret because the spec is commented out.
+B. In generic.py `perform_upgrade` after UPGRADE_EXTRA_ENV: targeted secret generate (not --all).
+C. Ask the recipe maintainer to uncomment the `SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43`
+   line in PR #1's `.env.sample` (and add a note that it's optional but needed for LFS installs).
+
+Debug steps before fixing:
+1. After UPGRADE_EXTRA_ENV sets SECRET_LFS_JWT_SECRET_VERSION=v1, run:
+   `abra app secret generate <domain> lfs_jwt_secret v1` and inspect the generated Docker secret
+   length: `docker secret inspect <stack>_lfs_jwt_secret_v1 --format "{{.Spec.Data}}" | wc -c`
+2. Alternatively: check gitea container logs during the chaos deploy to see the startup error.
+3. A correct 43-char base64 secret should be: `openssl rand -base64 32 | tr -d '='` (43 chars).
+
+Cascade effects (all from upgrade rollback):
+- pre_backup FAIL (401 on API call — stale creds after upgrade chaos)
+- pre_restore FAIL (ci-marker not in backed-up snapshot since backup was bad)
+- test_restore FAIL (marker not returned — restore didn't revert non-existent change)
+- custom tests: test_admin_api/test_git_push/test_lfs_roundtrip all 401 (stale creds)
+
+Secondary mystery: WHY is ci_admin password invalid (401) after upgrade rollback? The password
+in the sqlite3 DB should be unchanged. Possible: gitea 3.5.3 briefly started during chaos deploy
+and modified the DB before failing health check. Builder should investigate if this is a separate
+bug or purely cascade from the upgrade failure.
+
+### [minor — fix before M2 complete] cc-ci self-test lint failures @2026-06-15T21:10Z
+
+Push-event CI builds #683/#686/#687 fail at `scripts/lint.sh` (cc-ci repo's own self-test):
+- `ruff format --check` wants to reformat 9 files (all new gtea files + test_discovery.py)
+- `ruff check` has 9 errors (bridge.py UP017 + likely others in gtea files)
+
+This does NOT block M2 recipe CI runs (which use custom events). But:
+1. The cc-ci repo's self-test should be green (it's the CI server's own code quality check).
+2. `ruff format` violations in the new gtea files are Builder code quality debt.
+
+Fix: `cd /root/builder-clone && nix develop .#lint --command ruff format tests/gitea/ tests/unit/test_discovery.py && nix develop .#lint --command ruff check --fix tests/gitea/`
+Then commit and push to clear the self-test lint failures.
+
+### [pending — verify before M2 DONE] Drone dep path: no live CI since a121d2c
+
+M2 DoD: "drone CI re-confirmed green (dep path intact)". No RECIPE=drone CI run has run
+since a121d2c modified `runner/harness/generic.py` and `tests/gitea/recipe_meta.py`.
+Unit tests (test_gitea_dep.py 10/10) still pass.
+Builder should trigger a RECIPE=drone run (e.g., post !testme on a drone recipe PR)
+to complete the M2 DoD dep-path verification.
+
+### [critical — FIXED] Build #691 STACK_NAME not in .env @2026-06-15T22:05Z
+
+Build #691 (RECIPE=gitea, PR=1, REF=357926f26e69): FAIL in UPGRADE_SECRET_PREP hook with:
+`RuntimeError: UPGRADE_SECRET_PREP: STACK_NAME not found in /root/.abra/servers/default/gite-e1cb78.ci.commoninternet.net.env`
+
+Root cause: d832b35's UPGRADE_SECRET_PREP read STACK_NAME from the app's .env file. But abra
+does NOT write STACK_NAME to that file — it derives it from the domain at runtime. The .env
+only contains DOMAIN, TYPE, COMPOSE_FILE, and app-specific vars.
+
+Fix: derive STACK_NAME from domain as fallback — `domain.replace(".", "_")` — matching abra's
+own derivation (dots replaced by underscores). Applied in commit ad53b5a.
+
+Status: FIXED. Build #695 (retriggered) PASS level=5 with test_lfs_roundtrip PASS. ✓
+
+### [non-blocking] Stale screenshot in manual runs @2026-06-15T20:32Z
+
+`/var/lib/cc-ci-runs/manual/screenshot.png` mtime = June 13, not from today's M1 run.
+
+Root cause: `screenshot.capture()` (screenshot.py:149) checks `if not os.path.exists(out_path)`
+after the SCREENSHOT hook runs. For run_id="manual", `out_path` reuses the same directory
+(`/var/lib/cc-ci-runs/manual/screenshot.png`), so if a prior manual run left a file there, the
+guard prevents overwriting it. The SCREENSHOT hook (recipe_meta.py) navigates to the login page
+but doesn't call `page.screenshot()` itself — that's the harness's job, blocked by the guard.
+
+Impact: results.json shows `"screenshot": "screenshot.png"` (file exists, non-empty) but the
+image is from a prior session. Cosmetic only — does not affect verdict (R7).
+M2 runs with DRONE_BUILD_NUMBER → unique dir → no issue.
+
+Recommendation: `screenshot.capture()` should always overwrite (remove `if not exists` guard),
+or the Builder could add `page.screenshot(path=out_path)` at the end of the SCREENSHOT hook.
+No action required for M1/M2 gates. Pre-existing harness limitation, not Builder error.

machine-docs/BACKLOG-kuma.md

@@ -0,0 +1,28 @@
+# BACKLOG — phase `kuma` (uptime-kuma create-a-monitor functional test)
+
+## Build backlog
+
+### DONE
+- [x] Phase state files created (STATUS-kuma.md, BACKLOG-kuma.md, REVIEW-kuma.md, JOURNAL-kuma.md)
+- [x] Approach decision: Playwright over python-socketio (recorded in DECISIONS.md)
+- [x] Inspect uptime-kuma 2.2.1 source for exact DOM selectors
+- [x] Implement `tests/uptime-kuma/playwright/test_monitor_wizard.py`
+
+### DONE (continued)
+- [x] Open recipe-maintainers/uptime-kuma PR #3 + trigger `!testme`
+- [x] Drone build #460 = LEVEL 5, playwright:1 PASS
+- [x] Claim M1 gate (fe8922c)
+
+### IN PROGRESS
+- [ ] Second `!testme` run (comment #14352, flake check) — polling for build
+- [ ] M1 Adversary review
+
+### PENDING (after M1 Adversary PASS)
+- [ ] Second `!testme` run (flake check — 2 consecutive green)
+- [ ] Update PARITY.md (note the new playwright/ test)
+- [ ] Close DEFERRED.md entry "2026-05-28 — uptime-kuma create-a-monitor"
+- [ ] Claim M2 gate
+- [ ] Write ## DONE after M2 Adversary PASS
+
+## Adversary findings
+(Adversary-owned — no items yet; populated as issues are found)

machine-docs/BACKLOG-lvl5.md

@@ -0,0 +1,99 @@
+# BACKLOG — Phase lvl5
+
+## Build backlog
+
+- [x] B1 (P1) `level.py`: append rung `lint` (L5); new status vocabulary {pass, fail, skip, unver}; `compute_level()` → new formula (level = max i: rung_i pass ∧ ∀j<i status ∈ {pass,skip}); DELETE cap_reason/capped concepts.
+- [x] B2 (P1) lint executor (`harness/lint.py`): `abra recipe lint <recipe>` against the exact tested ref; hard ~60s timeout; rc+full output → `lint.txt` artifact; pass/fail/unver classification (missing abra / timeout / exception → unver, never pass, never skip); mirror-context handling per phase-plan §2.3 (probe abra behavior first; any filtering = named + unit-tested + DECISIONS.md).
+- [x] B3 (P1) `results.py`: wire lint into `derive_rungs` + explicit intentional-vs-unintentional classification of EVERY N/A source; drop level_cap_reason/level_cap_rung from schema; `skips()` reflects new statuses; orchestrator (`run_recipe_ci.py`) runs lint executor at the tested-ref point + passes result through; verdict-neutral (R7 wrap).
+- [x] B4 (P1) unit tests: rewrite test_level.py/test_results.py to new semantics incl. mission worked examples (fail-blocks → L1; intentional-skip climbs → L5; unver-blocks → L2; lint unver → L4; unclassifiable N/A → unver default); lint executor tests; old-artifact rendering compat tests.
+- [x] B5 (P2) `card.py`: 0–5 color ramp; cap line removed ("level N of 5" neutral); rung table renders ✔/✘/intentional-skip/unverified; level_badge_svg loses cap_skip third segment (badge = number+color only); tolerate old artifacts.
+- [x] B6 (P2) `dashboard.py`: _LEVEL_COLOR 5-scale; _level_pill/badge SVG number-only; legend text; old results.json (cap_reason present, lint absent) render without KeyError.
+- [x] B7 (P2) docs: results-ux.md, testing.md, recipe-customization.md §EXPECTED_NA wording — L5 ladder, de-cap semantics.
+- [x] B8 (P1) DECISIONS.md: semantics change record (replaces Phase-3 "N/A caps"); N/A classification table (every derive_rungs N/A source → intentional|unintentional); mirror-filter decision for lint (if any filtering).
+- [x] B9 — gate M1: claim (branch w/ P1+P2; clean tree; cold-verifiable).
+- [x] B10 (P3) lint sweep over ALL enrolled recipes (scratch clones — never touch ~/.abra/recipes during builds); matrix here (pass/fail + rule hits); mechanical fixes → mirror PRs (never push main/never merge); rest → DEFERRED.md.
+- [x] B11 (P4) real-CI proofs: ≥1 genuine L5; ≥1 lint-blocked L4 (synth branch ok); ≥1 N/A-skip climb; 2× drone !testme; canary suite at re-derived designed levels; 1 synthesized unver-blocks run; before/after level table for ALL enrolled recipes; card/dashboard PNG/SVG visually verified.
+- [x] B12 — gate M2: claim; then ## DONE after fresh PASS.
+
+## Adversary findings
+
+## P3 lint sweep matrix (B10) — all 19 enrolled, mirror main HEAD, 2026-06-11
+
+Method: per recipe, fresh scratch clone of its canonical origin (mirror for the 17
+recipe-maintainers recipes; coopcloud upstream for bluesky-pds/custom-html-tiny/mumble) +
+upstream version tags fetched (production fetch_recipe shape), then `harness.lint.run_lint`
+from phase-lvl5 @ 3d8d286 in a scratch ABRA_DIR (`/tmp/lvl5-sweep` on cc-ci; full outputs in
+`/tmp/lvl5-sweep/art/<recipe>/lint.txt`). Canonical `~/.abra/recipes` never touched.
+
+**Result: 19/19 PASS** (no error-severity rule unsatisfied anywhere). No recipe-mirror PRs and
+no DEFERRED entries needed. Warn-severity misses (informational, do not fail the rung):
+
+| recipe | lint | warn-rule misses |
+|---|---|---|
+| bluesky-pds | pass | R002 R007 R015 |
+| cryptpad | pass | R002 R005 R007 |
+| custom-html | pass | R002 R004 R005 |
+| custom-html-tiny | pass | R002 |
+| discourse | pass | R002 R007 R015 |
+| ghost | pass | R015 |
+| hedgedoc | pass | R015 |
+| immich | pass | R002 R005 |
+| keycloak | pass | R002 R015 |
+| lasuite-docs | pass | R005 |
+| lasuite-drive | pass | R002 R005 |
+| lasuite-meet | pass | R002 |
+| mailu | pass | R002 |
+| matrix-synapse | pass | R002 R015 |
+| mattermost-lts | pass | R002 R015 |
+| mumble | pass | R002 |
+| n8n | pass | R002 R015 |
+| plausible | pass | R002 R005 R007 |
+| uptime-kuma | pass | R015 |
+
+Note: lasuite-meet's historically-lightweight tag `0.3.0+v1.16.0` is now ANNOTATED upstream
+(verified `git cat-file -t` = tag on all three version tags) — R014 passes genuinely; the
+abra.py:105 lightweight-tag deploy fallback simply no longer triggers for it.
+
+## Before/after level table skeleton (§2.9 — "after" to be filled by P4 real runs)
+
+Baseline = latest results.json on cc-ci per recipe re-scored under the CURRENT (pre-lvl5,
+4-rung) rule; ancient 6-rung artifacts (builds ≤205, integration/recipe_local era) re-read on
+their four essential rungs. Predicted = same tier outcomes + sweep lint result under the new
+rule (assumption flagged; P4 produces the real values).
+
+| recipe | baseline rungs (latest artifact) | baseline level | predicted new level | REAL new level (P4 run) | why it shifts |
+|---|---|---|---|---|---|
+| bluesky-pds | no artifact (deploy-gated upstream, shot-phase N/A) | — | — | — (still deploy-gated; documented N/A) | still deploy-gated |
+| cryptpad | I✔ U✔ B✔ F✔ (#181) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
+| custom-html | I✔ U✔ B✔ F✔ (#182) | 4 | 5 | **4** (#405 PR4 lintdemo: lint fail R011; main analytic 5) | + lint pass |
+| custom-html-tiny | I✔ U✔ B-na F-na (#205, predates functional/) | 2 | 5 | **5** (#399 — N/A-skip climb, was 2) | de-cap: backup skip declared; functional/ tests exist now; + lint |
+| discourse | I✔ U✔ B✔ F✔ (#184) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
+| ghost | I✔ U✔ B✔ F✔ (#185) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
+| hedgedoc | I✔ U✔ B✔ F✔ (#113) | 4 | 5 | **5** (#398, 100s) | + lint pass |
+| immich | I✔ U✔ B✔ F✔ (#370) | 4 | 5 | **5** (#406, drone !testme PR2, 199s) | + lint pass |
+| keycloak | I✔ U✔ B✔ F✔ (#187) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
+| lasuite-docs | I✔ U✔ B✔ F✔ (#188) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
+| lasuite-drive | I✔ U✔ B✔ F✔ (#189) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
+| lasuite-meet | I✔ U✔ B✔ F✔ (#204) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
+| mailu | I✔ U✔ B-na F✔ (#191) | 2 | 5 | (not re-run; analytic 5 — same de-cap as #399) | de-cap: not backup-capable → skip climbs (the §2.9 N/A-skip demo) |
+| matrix-synapse | I✔ U✔ B✔ F✔ (#203) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
+| mattermost-lts | I✔ U✔ B✔ F✔ (#196) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
+| mumble | no results.json artifact retained | — | — | **5** (#413, 80s — first retained artifact) | P4 run to establish |
+| n8n | I✔ U✔ B✔ F✔ (#197) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
+| plausible | I✔ U✔ B✔ F✔ (#371) | 4 | 5 | **5** (#407, drone !testme PR3, 164s) | + lint pass |
+| uptime-kuma | I✔ U✔ B✔ F✔ (#165) | 4 | 5 | (not re-run; analytic 5) | + lint pass |
+
+Canaries (designed levels under the NEW formula, re-derived): custom-html-bkp-bad /
+custom-html-rst-bad — backup-capable with a failing backup/restore tier → backup_restore rung
+FAIL → level 2 (fail still blocks; run verdict red as today). To be proven in P4.
+
+### Canary designed-level re-derivation (P4, runs 415/416 — 2026-06-11)
+
+Under the NEW formula the bad canaries' designed level is **1**, not the old 2: their mirrors
+carry no published version tags on the SRC+REF path → upgrade = intentional skip (climbs past
+but never earns), backup_restore = FAIL blocks → level = install = 1. Verified live: 415
+(bkp-bad) + 416 (rst-bad) both **verdict FAILURE (red)**, rungs
+{install: pass, upgrade: skip, backup_restore: fail, functional: unver (post-failure abort),
+lint: pass}, LEVEL 1. Backup/restore fail still blocks; verdict logic untouched.
+(First attempts 411/412 failed in 1s: canaries are mirror-only, not catalogue recipes — they
+need SRC+REF params, as prior phases ran them.)

machine-docs/BACKLOG-mailu.md

@@ -0,0 +1,32 @@
+# BACKLOG — phase `mailu` (backupbot labels + backup/restore coverage)
+
+## Build backlog
+(Builder-owned — read only for Adversary)
+
+## Adversary findings
+
+### [ADV-mailu-01] `/mail` Maildir volume restoration not tested — seed too shallow [adversary]
+
+**Filed**: 2026-06-11T20:58Z
+**Status**: CLOSED @2026-06-11T21:00Z — fix verified green in build #477 (M1 PASS)
+
+**Plan requirement** (`plan-phase-mailu-backup.md` §2.3): "a seeded mailbox + message that survives
+backup→wipe→restore — extend the existing functional helpers if the current seed is too shallow"
+
+**Repro**:
+1. Current `ops.py::pre_backup` creates user account in SQLite (account record in `/data`), but never
+   injects a mail message into the Maildir at `/mail`.
+2. `ops.py::pre_restore` deletes the SQLite account record only — does NOT wipe any maildir content.
+3. `test_restore.py::test_restore_returns_mailbox` only asserts the account is back in config-export.
+4. Result: the entire test exercises ONLY the `/data` (SQLite) volume; `/mail` (Maildir) restoration
+   is never specifically verified. If backupbot silently failed to restore `/mail`, this test passes.
+
+**Fix**:
+1. `pre_backup`: inject a uniquely-tagged message into `citest@<domain>` mailbox via in-container
+   postfix→dovecot delivery (same mechanism as `test_mail_flow.py::test_send_and_receive_mail`)
+2. `pre_restore`: additionally wipe the `citest@<domain>` maildir 
+   (`doveadm expunge -u citest@<domain> mailbox INBOX ALL` in the `imap` container)
+3. `test_restore.py`: also assert the seeded message is back
+   (e.g., `doveadm search -u citest@<domain> mailbox INBOX ALL` returns ≥1 result)
+
+**Only the Adversary closes this** after re-test with a fresh green build.

machine-docs/BACKLOG-nixenv.md

@@ -0,0 +1,19 @@
+# BACKLOG — phase `nixenv`
+
+## Build backlog
+
+- [x] M1: define shared harness/recipe-test runtime env once (overlay in `packages.nix`):
+      `ccciPyEnv` + `ccciRuntimeTools` (the union tool set) + `cc-ci-run`.
+- [x] M1: `harness.nix` references `pkgs.cc-ci-run` (no local pyEnv/runtimeInputs).
+- [x] M1: `nightly-sweep.nix` invokes `cc-ci-run` (no duplicate pyEnv, no own tool list, DEFECT-3 patch gone).
+- [x] M1: both host `configuration.nix` `systemPackages` reference `pkgs.ccciRuntimeTools` (+ openssh); end identical.
+- [x] M1: grep proof — exactly one `withPackages`/`pytest playwright` in nix/ (packages.nix); no module declares its own harness tool list.
+- [x] M1: `nixos-rebuild build` succeeds for both `#cc-ci` and `#cc-ci-hetzner`.
+- [x] M1: CLAIM, await Adversary PASS.
+- [x] M2: deploy via `nixos-rebuild switch`; verify host health (systemctl --failed, oneshots, timer, endpoints).
+- [x] M2: live parity — gitea `test_lfs_roundtrip` green under BOTH Drone path (build #871) and a real timer fire from the unified env.
+- [x] M2: canon-style sweep still promotes/SKIPs correctly (no regression; gitea promote-fail + discourse/mattermost red all pre-existing, identical pre-deploy).
+- [x] M2: CLAIM @ 2026-06-17T18:17Z (this commit). Await Adversary PASS → `## DONE`.
+
+## Adversary findings
+<!-- Adversary-owned section. Builder does not edit. -->

machine-docs/BACKLOG-poe2e.md

@@ -0,0 +1,36 @@
+# BACKLOG — phase poe2e
+
+## Build backlog
+
+(Builder-owned)
+
+- [x] **B1 — PO scratch project full lifecycle (D1).** Use the PO's `scripts/create-project.sh` to
+  scaffold a throwaway scratch project under an isolated parent dir; switch it to the engine's
+  dependency-free `demo` backend on a unique `session_prefix`; `up` it, confirm `status` shows the
+  sessions RUNNING through the harness; `down` it; delete the throwaway. Capture full transcript.
+- [x] **B2 — Staged cc-ci project skeleton (D2).** Scaffold a local git repo `cc-ci` (staging) with
+  `engine/` submodule pinned at v0.1.0 (`289ef07`). Initial commit.
+- [x] **B3 — Migrate `agents.toml` (D2).** Translate the live `/srv/cc-ci/cc-ci-plan/agents.toml`
+  to the engine v0.1.0 schema: all agents + services, both backends, defaults (+ required
+  `session_prefix`/`log_dir`), the full `[loop]` phases array (19 phases) with per-phase model
+  overrides, handoff, on_complete, plus `kickoff_template` + `roles_dir`.
+- [x] **B4 — Migrate `prompts/` (D2).** Copy `prompts/{builder,adversary}.md` verbatim from live;
+  author `prompts/kickoff.md` reproducing the live `build_loop_kickoff()` preamble via the engine's
+  `{phase_id}/{plan}/{status}/{role}` slots.
+- [x] **B5 — Parity verification (D2).** Run `engine/agents.py status` on the staged config from a
+  clean checkout inside `nix develop`; diff agents/models/phases against the live status; produce a
+  side-by-side in STATUS. Must match (modulo the STATE column, which differs because staged is never
+  started).
+- [x] **B6 — Register staged cc-ci in `fleet.toml` (D3).** Add a `[[project]]` entry in the PO
+  repo's `fleet.toml`; `scripts/fleet.py validate` passes.
+- [x] **B7 — Operator cutover runbook (D4).** Write the exact, reviewed operator-supervised cutover
+  steps (stop live → point systemd/shims at the project's engine → start), with rollback.
+- [x] **B8 — Prove live untouched (D5).** Re-checksum live `agents.{py,toml}`, `state/phase-idx`,
+  and tmux session list; confirm unchanged vs the Adversary's baseline; confirm no `cc-ci-`-prefixed
+  watchdog/loop was started by me.
+- [x] **B9 — Claim the gate.** Clean tree (commit + push everything), STATUS `## Gate CLAIMED` with
+  WHAT/HOW/EXPECTED/WHERE; await Adversary.
+
+## Adversary findings
+
+(Adversary-owned — read-only for Builder)

machine-docs/BACKLOG-porepo.md

@@ -0,0 +1,16 @@
+# BACKLOG — phase porepo
+
+## Build backlog
+(Builder-owned — read-only to Adversary)
+
+1. [x] Create `recipe-maintainers/project-orchestrator` repo (Gitea API) + clone to `/home/loops/porepo/`.
+2. [x] Add `engine/` submodule pinned at `agent-orchestrator` `v0.1.0` (289ef07).
+3. [x] PO harness config: `agents.toml` (persistent `project-orchestrator` agent, fleet-mgmt role) + `prompts/`.
+4. [x] `fleet.toml` — documented schema + sample entry that parses (`scripts/fleet.py validate`).
+5. [x] Project-management capability: docs (`docs/`) + helper scripts (`scripts/`) for create / start-stop-update / list-status.
+6. [x] `flake.nix` + `flake.lock` devShell (python3>=3.11, tmux, git+submodule); README documents `nix develop`.
+7. [x] Bootstrap doc (`docs/bootstrap.md`).
+8. [x] Self-verified all DoD from a clean anon `/tmp` recursive clone inside `nix develop`; clean tree; **gate CLAIMED** @ 346ed31.
+
+## Adversary findings
+(none yet)

machine-docs/BACKLOG-prevb.md

@@ -0,0 +1,33 @@
+# BACKLOG — phase `prevb`
+
+SSOT: `/srv/cc-ci/cc-ci-plan/plan-phase-prevb-previous-dynamic-base.md`.
+
+## Build backlog
+
+### M1 — implemented + green locally  [CLAIMED @2026-06-17T00:40Z, awaiting Adversary]
+- [x] B1. Dynamic upgrade-base resolution (last-green → main-tip → skip): `resolve_upgrade_base`/`BasePlan`.
+- [x] B2. `tests/<recipe>/previous/` mechanism: discovery, VERSION marker, base-only application,
+      head exclusion (stripped before head redeploy), version-guard + stale-flag. Unit-tested.
+- [x] B3. Discourse migration: `compose.ccci.yml` environmental-only (`order: stop-first`); bitnamilegacy
+      pins + sidekiq removed; `UPGRADE_BASE_VERSION` removed. No `previous/` (base deploys clean).
+- [x] B4. Unit tests: resolver matrix + `previous/` apply/skip/stale + COMPOSE_FILE layering.
+- [x] B5. Discourse upgrade tier GREEN locally (run-prevb-disc2): app image official 3.5.3 (not
+      bitnamilegacy), no sidekiq (pruned), version 0.8.1+3.5.0→1.0.0+3.5.3, install+upgrade pass.
+      (Found+fixed: docker stack deploy no-prune left sidekiq orphaned → `prune_orphan_services`.)
+- [x] B6. CLAIM M1 (clean tree + STATUS WHAT/HOW/EXPECTED/WHERE/TEETH).
+
+### M2 — proven in real CI + spot-check  [M1 PASS @01:03Z dbc7a3b]
+- [x] B7. discourse PR #4 `!testme` GREEN in real CI — **Drone build 717** ✅, bridge marked PR#4 "passed".
+      All 5 tiers 0-fail (junit): install/upgrade/backup/restore/custom. Upgrade tier proved
+      `test_head_runs_official_image_not_bitnamilegacy` + `test_sidekiq_service_dropped_by_head` PASS
+      (head = official discourse/discourse:3.5.3, sidekiq dropped, migration exercised). Custom green via
+      the image-agnostic mint_admin fix (b66abc4). Clean teardown. Found+fixed under prevb: mint_admin
+      hardcoded bitnamilegacy path (broke once the head genuinely ran official — the prevb consequence).
+- [x] B8. Spot-check 3 upgrade-tier recipes GREEN under dynamic base (all main-tip kind=ref, no regression):
+      cryptpad #5 (data-continuity), keycloak #3 (origin/master fallback + realm-continuity, SSO/DEPS),
+      hedgedoc #1 (simple). + discourse PR#4 real CI = 4 recipes. (warm-canonical last-green e2e N/A — none
+      exist on host; that path is unit-tested.) Records reconciled: 717 artifacts durable, PR#4 "✅ passed".
+- [x] B9. M2 PASS @01:58Z (1c3ba71). Both M1+M2 fresh Adversary PASS, no VETO → ## DONE written.
+
+## Adversary findings
+(Adversary-owned section — Builder does not edit below.)

machine-docs/BACKLOG-pvcheck.md

@@ -0,0 +1,20 @@
+# BACKLOG — phase pvcheck (post-proxy verification)
+
+## Build backlog
+
+- [x] Create pvcheck phase files (STATUS, JOURNAL, BACKLOG)
+- [x] Fix [A2] upgrade-all SKILL.md stale description (orchestrator commit 84e13a7)
+- [x] Collect M1 evidence (proxy subnet, endpoints, service health, routes, VIP journal)
+- [x] Claim M1 — control plane and routing verified
+- [x] M2: real recipe CI run through proxy — hedgedoc build #608 ✅ passed level 5 (06:04Z post-fix)
+- [x] M2: bounded allocator headroom proof — 5 stacks deploy/rm, 0 leaks, 0 VIP errors (06:08Z)
+- [x] M2: cleanup verification — proxy endpoints: 7 (baseline), no residue (06:09Z)
+- [x] M2: claim gate
+
+## Adversary findings
+
+### [A2] upgrade-all SKILL.md guard description stale (2026-06-13T05:56Z)
+
+- [x] Filed
+- [x] Builder fix — orchestrator commit `84e13a7` (2026-06-13T05:59Z): updated guard description from "until that lands" to "belt-and-suspenders even after the /16 fix"
+- [x] Adversary re-verify and close — CLOSED 2026-06-13T06:10Z. Orchestrator commit 84e13a7 confirmed in git log. SKILL.md text now reads "belt-and-suspenders even after the /16 fix." ✅

machine-docs/BACKLOG-pvfix.md

@@ -0,0 +1,64 @@
+# BACKLOG — phase pvfix
+
+## Build backlog
+
+- [x] Seed pvfix state files
+- [x] Read plan-phase-pvfix-swarm-proxy.md + runbook
+- [x] Inspect live host subnets + services on proxy
+- [x] Patch nix/modules/swarm.nix (add --subnet 10.10.0.0/16)
+- [x] Write exact maintenance procedure in STATUS-pvfix.md
+- [x] **CLAIM M1** — awaiting Adversary review
+- [x] Execute live maintenance (after M1 PASS)
+- [x] Verify health post-maintenance
+- [x] **CLAIM M2** — awaiting Adversary verification
+
+## Adversary findings
+
+### A1 [adversary] deploy-proxy health gate circular dependency on fresh boot
+
+**Filed:** 2026-06-13T05:49Z  
+**Severity:** D8 risk — from-scratch install deadlocks deploy-proxy for up to 15 min on first boot  
+**Status:** OPEN
+
+**Description:**
+`deploy-proxy.service` runs `warm_reconcile.py traefik` whose health gate checks
+`ci.commoninternet.net` returns HTTP 200. That URL is served by the dashboard.
+`deploy-dashboard.service` has `After=deploy-proxy.service` (`nix/modules/dashboard.nix`),
+so systemd holds deploy-dashboard until deploy-proxy exits.
+
+On a fresh-from-scratch boot:
+1. deploy-proxy starts, deploys traefik, calls `wait_healthy` → polls `ci.commoninternet.net`
+2. deploy-dashboard is blocked by `After=deploy-proxy.service` (systemd won't start it)
+3. `ci.commoninternet.net` never returns 200 (dashboard not up)
+4. deploy-proxy times out at `TimeoutStartSec=900` (15 min) and fails
+5. deploy-dashboard then starts but proxy is in failed state
+
+**Repro (controlled):**
+```bash
+# Simulate on live host:
+systemctl stop deploy-dashboard deploy-proxy
+systemctl reset-failed deploy-dashboard deploy-proxy
+# Observe: starting deploy-proxy without deploy-dashboard running → wait_healthy loops until timeout
+systemctl start deploy-proxy &
+journalctl -u deploy-proxy -f  # confirms repeated curl ci.commoninternet.net failures
+```
+
+**Root cause:** `warm_reconcile.py traefik` spec has `health_domain = "ci.commoninternet.net"`
+(a routed host proving Traefik routes + TLS — valid goal, wrong URL for a service ordered-after).
+
+**Fix options for Builder:**
+1. Change `health_domain` to a URL independent of ordered services (e.g. a Traefik
+   `api/ping` endpoint on `traefik.ci.commoninternet.net`, or `drone.ci.commoninternet.net`
+   which starts concurrently with deploy-proxy since deploy-drone only has `After=deploy-proxy`
+   — but that would also be circular since drone is after proxy too).
+2. Remove `deploy-proxy.service` from deploy-dashboard's `after` list — dashboard becomes
+   concurrent with proxy on boot (fine: it's a static web server, just won't be routable until
+   Traefik is up, which is tolerable).
+3. Add `Wants=deploy-dashboard.service` + `After=deploy-dashboard.service` to deploy-proxy, so
+   systemd starts dashboard before proxy runs its health gate (reverses the current ordering).
+
+**Note:** Pre-existing, not introduced by pvfix. Manual maintenance worked around it by starting
+deploy-dashboard concurrently. Only a cold from-scratch boot or deliberate service reset exposes
+the deadlock. Builder flagged it in STATUS-pvfix.md anomaly note.
+
+**Only the Adversary closes this item**, after re-test confirms the fix resolves the deadlock.

machine-docs/BACKLOG-pxgate.md

@@ -0,0 +1,29 @@
+# BACKLOG — phase pxgate
+
+## Build backlog
+(Builder-owned — Adversary reads only)
+
+- [x] Create phase state files (STATUS/JOURNAL/BACKLOG-pxgate.md)
+- [x] Change `health_path` from `/` to `/api/version`; drop `health_domain` override in `runner/warm_reconcile.py`
+- [x] Update stale comments in warm_reconcile.py + proxy.nix
+- [x] Update DECISIONS.md + DEFERRED.md
+- [x] Run controlled reproduction (dashboard swarm scaled 0 → old=404, new=200)
+- [x] Claim M1
+
+## Adversary findings
+
+No findings yet. Recording break-it probes to run once the fix lands.
+
+### Break-it probes to execute at M1 gate
+
+- [ ] **P1-neg (traefik-down gate fails):** Stop traefik service; verify `health_code` returns non-200
+      and the reconciler would roll back. (Prove the new gate has teeth — not always-pass.)
+- [ ] **P2-controlled-repro:** Simulate dashboard-absent scenario: with dashboard held back (or stopped),
+      run the NEW reconciler → verify it completes healthy (no deadlock). Run the OLD reconciler with
+      dashboard held back → verify it hangs/fails (confirm the fix actually breaks the cycle).
+- [ ] **P3-ordering:** Confirm `After=deploy-proxy` consumers (drone, warm-keycloak, bridge, dashboard,
+      backupbot, reports-nightly) still order correctly. Check `systemctl cat <service>` for each.
+- [ ] **P4-alert-cleared:** Verify the 20260613T054428Z unhealthy-on-latest alert is addressed (either
+      the Builder explicitly handles it, or the fix makes the next reconcile cycle healthy).
+- [ ] **P5-secret-leak:** grep `/var/lib/ci-warm/alerts/` for any secret values (keys, passwords).
+      The alert file must contain only version strings, no credentials.

machine-docs/BACKLOG-rcust.md

@@ -0,0 +1,23 @@
+# BACKLOG — sub-phase rcust
+
+## Build backlog
+
+- [ ] P1.1 `runner/harness/meta.py`: KEYS registry (14 keys + 3 deprecated) + `load(recipe) -> RecipeMeta`
+- [ ] P1.2 migrate readers L1–L6 to `meta.load()` (orchestrator loads once, passes down)
+- [ ] P1.3 mumble private constants → underscore-prefixed (`_WELCOME_TEXT_MARKER`, `_MAX_USERS`) + fix importers
+- [ ] P1.4 `tests/unit/test_meta.py` (all-recipes-load-clean, MetaError cases, defaults, R2 proof)
+- [ ] P1.5 `scripts/gen-meta-docs.py` + doc-sync unit test
+- [ ] P2a compose.ccci.yml first-class (auto-copy + auto-chaos); strip ghost/discourse boilerplate
+- [ ] P2b install-time deps only; migrate lasuite-docs; delete setup_custom_tests.sh machinery
+- [ ] P2c SKIP_GENERIC meta key deleted; env form documented dev-only + loud warning in CI runs
+- [ ] P2d conftest cleanup: delete deployed/deployed_app (+app_domain if unused); consolidate deps fixture; migrate 6 lasuite test files
+- [ ] P3 HookCtx + convert all hook call sites + migrate in-repo users + unit tests
+- [ ] P4 discovery placement rule + op_state/deps fixtures + migrate hand-parsers
+- [ ] P5 customization manifest (print block + results.json key) + unit tests
+- [ ] P6 docs rewrite (recipe-customization.md §8, testing.md, enroll-recipe.md)
+- [ ] M1 pre-claim: run `pytest tests/concurrency -q` once to prove untouched
+- [ ] M2 prep: build baseline matrix (21 recipe dirs, expected outcomes) BEFORE merging — commit to STATUS-rcust.md
+
+## Adversary findings
+
+(Adversary-owned section)

machine-docs/BACKLOG-redfix.md

@@ -0,0 +1,56 @@
+# BACKLOG — phase `redfix`
+
+## Build backlog
+
+### M1 — investigate + isolate + classify (all six)
+- [ ] discourse — reproduce cold-deploy timeout/wedge in isolation; root-cause (headroom vs
+      convergence bug vs upstream compose defect `sidekiq.depends_on: discourse`); classify.
+- [ ] mattermost-lts — `test_restore.py::test_restore_returns_state` in isolation: green→load flake,
+      red→diagnose restore (recipe vs test).
+- [ ] mumble — `custom/test_protocol_handshake.py::test_handshake_completes_with_channel_presence` in
+      isolation (canonical already present from today → likely flake; confirm).
+- [ ] bluesky-pds — warm-canonical promote routing: why `warm-bluesky-pds…` → 000 over HTTPS while
+      container healthy internally + cold-test domain routes. Find cc-ci warm-machinery defect.
+- [ ] gitea — `3.5.3→3.6.0` warm advance crash (`app.ini` read-only, JWT save). Recipe vs harness.
+- [ ] keycloak — de-enrolled (live-warm OIDC collision). Design collision-free warm domain/namespace.
+
+### M2 — FIX + verify all six (recipe PR or harness improvement)
+**Execution gated on M1 PASS** (avoid node contention with Adversary M1 re-runs; classifications must
+hold). Concrete fix designs from M1 evidence:
+
+- [ ] **mattermost-lts** (recipe PR, clearest) — add `pg_backup.sh` (immich pattern, no VectorChord
+      bits): `backup(){ pg_dump -U mattermost mattermost | gzip > /var/lib/postgresql/data/backup.sql; }`
+      `restore(){ gunzip -c …/backup.sql | psql -U mattermost -d mattermost -f -; }`. compose: add
+      `configs: pg_backup → /pg_backup.sh`; postgres labels → `backup.pre-hook: /pg_backup.sh backup`,
+      `restore.post-hook: /pg_backup.sh restore`, `backup.volumes.postgres.path: backup.sql` (dump-only,
+      drop the whole-PGDATA `backup.path` + the `rm` post-hook). Verify via `!testme` → restore green.
+- [ ] **bluesky-pds** (recipe PR) — eliminate the `app`-alias collision on shared proxy: give the PDS
+      service a unique name (e.g. `pds`) OR a unique network alias, and update caddy refs
+      (`reverse_proxy`, `on_demand_tls ask http://…/tls-check`), healthcheck, backup labels, ops/test
+      service= refs. Verify warm promote → 200 on /xrpc/_health. (NOTE: cc-ci harness `ops.py`/tests
+      reference `service="app"` for bluesky? check + update if the recipe service renames — but recipe
+      mirror is PR-only; cc-ci-side refs are a separate cc-ci change.) Confirm exact approach in M2.
+- [ ] **gitea** (recipe PR) — make app.ini writable on the warm-reattach advance so 3.6.0 can persist
+      the JWT secret: render app.ini into the WRITABLE `config:/etc/gitea` volume via the existing
+      `docker-setup.sh` entrypoint (copy the templated config to a writable path) instead of the
+      read-only `app_ini` docker-config mount; OR ensure the persisted JWT secret is accepted without
+      rewrite. Verify the 3.5.3→3.6.0 advance promotes. (Ties to LFS PR #1.)
+- [ ] **keycloak** (harness, cc-ci branch) — `canonical.canonical_domain(r)`: return a collision-free
+      domain when `r` is a live-warm provider (`r in warm.WARM_DOMAINS`) → e.g.
+      `warm-canon-<r>.ci.commoninternet.net`; else keep `warm-<r>` (zero blast radius on the 15 others).
+      Set keycloak `WARM_CANONICAL=True`. Verify keycloak promotes at warm-canon-keycloak WITHOUT
+      disrupting live warm-keycloak (200 throughout).
+- [ ] **mumble** (harness, cc-ci branch) — stabilize the handshake under load: add a READY_PROBE/
+      readiness gate (TCP 64738 stably listening + a successful handshake) before the custom tier
+      and/or raise `retry_handshake` budget; verify green under a concurrent-load re-run.
+- [ ] **discourse** (TRICKIEST — decide in M2) — the overlay `test_upgrade.py` asserts a
+      bitnamilegacy→official migration absent from all releases/main. Options: (a) cc-ci test PR
+      (--with-tests) scoping the faithfulness assertion to ONLY fire when the head actually performs
+      the migration (image still bitnamilegacy → N/A, not RED) — NOT a weakening, a correct scope; +
+      file an upstream recipe issue/PR for the real bitnamilegacy→official migration. (b) recipe PR
+      doing the migration (major rewrite — official discourse image is launcher-based, likely
+      infeasible cleanly). Lean (a)+tracked-upstream; may need operator input (DEFERRED?) — assess in M2.
+
+## Adversary findings
+
+(Adversary-owned — do not edit.)

machine-docs/BACKLOG-regall.md

@@ -0,0 +1,107 @@
+# BACKLOG — phase `regall`
+
+## Build backlog
+
+### Batch 1 (DONE)
+- [x] B1a: drone PR#1 → Drone 726 → L5 ✓
+- [x] B1b: gitea PR#1 → Drone 727 → L5 ✓
+- [x] B1c: matrix-synapse PR#4 → Drone 725 → L5 ✓
+
+### Batch 2 (DONE)
+- [x] B2a: mumble PR#1 → Drone 732 → L5 ✓
+- [x] B2b: lasuite-meet PR#7 → Drone 730 → L5 ✓
+- [x] B2c: n8n PR#6 → Drone 731 → L5 ✓
+
+### Batch 3 (DONE)
+- [x] B3a: custom-html PR#5 → Drone 737 → L5 ✓
+- [x] B3b: mattermost-lts PR#2 → Drone 739 → L5 ✓
+- [x] B3c: mailu PR#4 → Drone 738 → L5 ✓
+
+### Batch 4 (DONE)
+- [x] B4a: ghost PR#6 → Drone 744 → L5 ✓
+- [x] B4b: immich PR#3 → Drone 745 → L5 ✓
+- [x] B4c: lasuite-docs PR#6 → Drone 743 → L5 ✓
+
+### Batch 5 (DONE)
+- [x] B5a: lasuite-drive PR#3 → Drone 749 → L5 ✓
+- [x] B5b: plausible PR#3 → Drone 758 → L5 ✓ (genuine upgrade; recipe bug in PR#4 no-op)
+- [x] B5c: uptime-kuma PR#4 → Drone 748 → L5 ✓
+
+### Batch 6 (DONE)
+- [x] B6a: custom-html-tiny PR#8 → Drone 752 → L5 ✓
+- [x] B6b: bluesky-pds PR#3 → Drone 753 → L5 ✓
+
+### Post-sweep (DONE)
+- [x] B7: Results table built — all 21 GREEN, 0 prevb regressions (see STATUS-regall.md)
+- [x] B8: No prevb-caused regressions to fix
+- [x] B9: N/A (no fixes needed)
+- [x] B10: M1 CLAIMED — 2026-06-17T04:45Z
+- [x] B11: M2 CLAIMED — 2026-06-17T04:45Z
+
+## Adversary findings
+
+### A-regall-2 [adversary] OPEN @2026-06-17T03:25Z — plausible backup_restore=fail; classify prevb regression or flake
+
+**Filed:** 2026-06-17T03:25Z
+**Severity:** MEDIUM — backup_restore failure drops plausible from baseline L5 to L2. Blocks M1 classification.
+
+**Run:** 750 (Drone 750, PR#4). Result: level=2, backup_restore=fail.
+**Baseline:** run 658, level=5, backup_restore=pass.
+
+**Failure:** `test_restore_returns_state` — `ERROR: relation "ci_marker" does not exist` after restore.
+- Backup test passed (only checks artifact file exists, 0.134s — does NOT verify ci_marker content)
+- Restore completes (test_restore_healthy passes), but ci_marker table absent from DB
+
+**Prevb-specific difference:**
+- Run 750 upgrade: `version=3.0.1+v2.0.0→3.0.1+v2.0.0` (NO-OP: UPGRADE_BASE_VERSION='3.0.1+v2.0.0' matches recipe.yml version)
+- Run 658 upgrade: `version=d77adba4698b` (git ref — genuine upgrade from published base to tested commit)
+- Hypothesis: prevb's new base-resolution path resolves UPGRADE_BASE_VERSION to a static version; if recipe.yml also pins that same version, the upgrade is a no-op, which may change the DB state sequence enough to break backup/restore
+- Same failure pattern in m2r-plausible and m2rr-plausible (prevb development runs) — both level=2, backup_restore=fail
+
+**Builder rerun:** Drone 754 — **ALSO FAILED** (same error, same level=2, backup_restore=fail).
+
+**Adversary verdict: GENUINE REGRESSION (2/2 runs failed) — NOT a flake.**
+
+Both runs 750 and 754:
+- `version=3.0.1+v2.0.0→3.0.1+v2.0.0` (no-op upgrade via UPGRADE_BASE_VERSION)
+- `ERROR: relation "ci_marker" does not exist` after restore
+- Backup test passes (artifact only, not content)
+- Restore test fails
+
+**Required:** Builder must diagnose the no-op upgrade path and either:
+(a) Fix the backup/restore to work correctly under same-version upgrades, OR
+(b) Update UPGRADE_BASE_VERSION to an older version so upgrade is genuine, OR
+(c) Document why plausible backup_restore is not feasible and mark as known-fail
+
+Builder-INBOX written @2026-06-17T03:30Z with full details.
+
+**CLOSED @2026-06-17T03:45Z:** Builder diagnosis accepted. Run 758 (PR#3, d77adba4698b) → L5, backup_restore=pass. Pre-existing recipe bug in 3.0.1+v2.0.0, NOT prevb regression. Plausible counts as L5 GREEN in regall sweep.
+
+---
+
+### A-regall-1 [adversary] CLOSED @2026-06-17T02:20Z — mailu baseline table corrected
+
+**CLOSED:** Builder corrected STATUS-regall.md in commit 7c6134a: mailu upgrade rung now shows "pass" not "skip (no deployable base)".
+
+~~### A-regall-1 [adversary] OPEN — mailu baseline table has incorrect upgrade rung~~
+
+**Filed:** 2026-06-17T02:10Z
+**Severity:** LOW (informational — does not block the sweep, but affects regression classification)
+
+**Discrepancy:** STATUS-regall.md baseline table shows mailu upgrade rung = "skip (no deployable base)".
+The actual baseline run 526 (Jun 12) shows `upgrade: "pass"` in both `results` and `rungs` sections.
+
+**Evidence (cold-verified from /var/lib/cc-ci-runs/526/results.json):**
+```
+"results": { ..., "upgrade": "pass", ... }
+"rungs": { ..., "upgrade": "pass", "backup_restore": "skip", ... }
+```
+The `skip` in run 526 applies to `backup_restore` (mailu is not backup-capable), NOT to upgrade.
+
+**Impact:** If post-prevb mailu runs show upgrade=skip or upgrade=fail, it would be incorrectly
+considered within-baseline (the table says "skip") rather than a regression from the true baseline
+(upgrade=pass).
+
+**Required correction:** STATUS-regall.md should read: `mailu | 5 | pass | 526` for the upgrade rung.
+
+**Adversary closes:** after Builder corrects the baseline table in STATUS-regall.md.

machine-docs/BACKLOG-samever.md

@@ -0,0 +1,25 @@
+# BACKLOG — phase `samever`
+
+## Build backlog
+
+- [x] **M1** — resolver reads head version; step-back chain; unit tests. (CLAIMED 2026-06-17)
+  - [x] `abra.head_compose_version(recipe)` — parse `coop-cloud.<stack>.version` from head compose.yml
+  - [x] `warm_reconcile.version_key` + `newest_older_version` — single coop-cloud ordering source
+  - [x] resolver chain: override → (canonical if ≠ head) → (newest-older if canonical==head) → main-tip → skip
+  - [x] unit tests extended (13 pass): step-back, canonical≠head unchanged, no-older→skip, ordering, None-head
+- [ ] **M2** — prove in real CI: nightly steady-state (canonical==latest) cold-on-latest steps back
+  (base_version < latest); PR form (non-version-bump PR, head==canonical); discourse #4 version-bump
+  UNAFFECTED; spot-check ≥1 other enrolled recipe. Awaiting M1 PASS before starting real-CI runs.
+
+## M2 execution log (live)
+- Run A (custom-html cold-on-latest, /root/samever-runA.log on cc-ci): launched 04:3xZ. No canonical
+  yet → upgrade base kind=skip (head==main tip); on green promotes canonical→latest 1.13.0+1.31.1.
+- Run B (next): cold-on-latest again → canonical==head → expect step-back base 1.11.0+1.29.0 (<latest).
+
+### M2 result — CLAIMED 2026-06-17T04:55Z (all 5 demonstrations green)
+- [x] Run B nightly steady-state step-back: custom-html canonical==head 1.13.0 → base 1.11.0+1.29.0,
+  upgrade 1.11.0→1.13.0 (base<head real delta), 5 tiers green. [§5 DoD]
+- [x] Run C version-bump UNAFFECTED (enrolled): canonical older 1.11.0 → head 1.13.0, "last-green" path.
+- [x] Run D PR form: ref=2b82ebab pr=999, head==canonical → step-back still triggers.
+- [x] discourse #4 UNAFFECTED: kind=ref main-tip f87c612d, migration 0.8.1→1.0.0 green. [§5 DoD]
+- [x] Spot-check hedgedoc: step-back 3.0.9→3.0.10 generalizes to a 2nd recipe/tag-set, green.

machine-docs/BACKLOG-settings.md

@@ -0,0 +1,24 @@
+# BACKLOG — phase `settings`
+
+## Build backlog
+
+- [x] **B1** — `harness/settings.py`: stdlib `tomllib` loader, `[upgrade].skip_canonicals_for_upgrade`
+  (bool, default false), `_SCHEMA` single-source defaults+validation, graceful on absent/malformed,
+  warn-and-ignore unknown keys/tables, raise on wrong type. Path `$CCCI_SETTINGS` / `/etc/cc-ci/settings.toml`.
+- [x] **B2** — tracked `settings.toml.example` documenting keys + defaults (no secrets).
+- [x] **B3** — wire `SKIP_CANONICALS_FOR_UPGRADE` into `resolve_upgrade_base` (`run_recipe_ci.py`):
+  flag true → bypass canonical lookup → no-canonical fallback. Scope = upgrade base only.
+- [x] **B4** — improved no-canonical fallback `_no_canonical_base` (§2.C): newest release tag `< head`
+  (reuse `warm_reconcile.newest_older_version`) → main-tip → skip. Always-on.
+- [x] **B5** — unit tests: full resolution matrix (`tests/unit/test_upgrade_base.py`) + loader
+  (`tests/unit/test_settings.py`). 315 unit pass, lint clean.
+- [x] **B6 (M1 claim)** — clean tree, push, claim M1 in STATUS-settings.md.
+
+### M2 (after M1 PASS)
+- [x] **B7** — deploy to cc-ci (`/etc/cc-ci` git pull + nixos-rebuild if needed); confirm harness reads
+  settings (absent → default false; or file present false).
+- [x] **B8** — live evidence (a): a recipe WITHOUT a canonical resolves base to newest release tag `< head`
+  (not raw main-tip).
+- [x] **B9** — live evidence (b): flip `SKIP_CANONICALS_FOR_UPGRADE = true` (scratch) → a canonical-bearing
+  recipe ALSO resolves to the release-tag base (canonical bypassed); then restore false.
+- [x] **B10 (M2 claim)** — claim M2; on fresh PASS of M1+M2 → `## DONE`.

machine-docs/BACKLOG-shot.md

@@ -0,0 +1,128 @@
+# BACKLOG-shot.md — phase `shot` (recipe screenshot audit & repair)
+
+SSOT: /srv/cc-ci/cc-ci-plan/plan-phase-shot-screenshots.md. Gates: M1 (audit+diagnosis), M2 (all OK / agreed N/A).
+
+## Build backlog
+
+### P1 — Audit matrix (status: complete, all 19 PNGs visually inspected 2026-06-11)
+
+Enrolled set (19) = `tests/<r>/recipe_meta.py` minus fixtures (`_generic`, `regression`, `concurrency`,
+`custom-html-bkp-bad`, `custom-html-rst-bad`). Evidence: `/var/lib/cc-ci-runs/<run>/` on cc-ci;
+PNGs pulled to /tmp/shot-audit/ on the builder host and each one Read (visually).
+
+| recipe | latest run w/ artifacts | screenshot field | PNG bytes | visual content (I looked) | class |
+|---|---|---|---|---|---|
+| bluesky-pds | ab-bluesky-pds-oldmain | null | — | no PNG; install=fail level=0 (upstream image breakage, rcust DEFERRED) → capture correctly skipped (`if deploy_ok`) | N-A-candidate (blocked upstream) |
+| cryptpad | m2r-cryptpad | screenshot.png | 4802 | solid light-grey frame, nothing else | BLANK |
+| custom-html | m2r-custom-html | screenshot.png | 35707 | "Welcome to nginx!" default page | OK? (diagnose: is this the recipe's true fresh-install content?) |
+| custom-html-tiny | m2r-custom-html-tiny | screenshot.png | 12950 | seeded CI content ("cc-ci custom-html-tiny … DG5") | OK |
+| discourse | m2p-discourse | screenshot.png | 66121 | real forum UI, welcome topic, Sign Up/Log In | OK |
+| ghost | m2r-ghost | screenshot.png | 444183 | real blog landing ("Thoughts, stories and ideas") | OK |
+| hedgedoc | m2r-hedgedoc | screenshot.png | 131967 | real landing (logo, Sign In, feature intro) | OK |
+| immich | 356 | screenshot.png | 4801 | pure white frame | BLANK |
+| keycloak | m2r-keycloak | screenshot.png | 8764 | spinner + "Loading the Administration Console" | LOADING |
+| lasuite-docs | m2r-lasuite-docs | screenshot.png | 6022 | lone spinner on white | LOADING |
+| lasuite-drive | m2p2-lasuite-drive | screenshot.png | 5895 | lone spinner on white | LOADING |
+| lasuite-meet | m2r-lasuite-meet | screenshot.png | 4801 | pure white frame | BLANK |
+| mailu | m2r-mailu | screenshot.png | 33800 | real sign-in page (empty fields) | OK |
+| matrix-synapse | m2r-matrix-synapse | screenshot.png | 33296 | "It works! Synapse is running" landing | OK |
+| mattermost-lts | m2b-mattermost-lts | screenshot.png | 242139 | brand splash/loading screen (logo on blue), NOT the login form | LOADING (borderline — brand-recognizable but a loading state) |
+| mumble | m2r-mumble | screenshot.png | 7913 | spinner on grey — a web page IS served on the domain | LOADING (diagnose what serves it; N/A may NOT be justified) |
+| n8n | m2r-n8n | screenshot.png | 4801 | off-white blank frame. Flaky: run 197 (30256 B) shows the real "Set up owner account" form (empty fields, credential-free) | BLANK (flaky) |
+| plausible | 357 | null | — | no PNG on ANY run (122→357) | NULL |
+| uptime-kuma | m2r-uptime-kuma | screenshot.png | 30858 | real "Create your admin account" setup form (empty fields) | OK |
+
+PNG-size note: 4801/4802 B at 1280×800 is a byte-stable blank-frame fingerprint (3 different apps, same size).
+
+### P2 — Root-cause diagnoses
+
+- [x] **NULL — plausible** (evidence: Drone build 357 ci-step log, t=73s):
+  `screenshot: capture failed (non-fatal, verdict unaffected): page.goto(https://plau-b51425.ci.commoninternet.net/) never returned a status in (200, 301, 302, 303, 401, 403) after 15 attempts (45s); last status=500`.
+  Plausible's `/` 500s **by design** under `DISABLE_AUTH=true` (auth_controller; documented in
+  `tests/plausible/functional/test_health_check.py` docstring and recipe_meta — that's why HEALTH_PATH
+  is `/api/health`). Default landing-page capture can NEVER succeed → needs a per-recipe SCREENSHOT
+  hook to a path that actually renders (probe live: e.g. /login or /sites).
+- [x] **NULL — bluesky-pds**: install fails (level=0) before the app is up → `if deploy_ok:` gate in
+  runner/run_recipe_ci.py:1024 correctly skips capture. Not a screenshot defect; upstream image
+  breakage already filed in machine-docs/DEFERRED.md (rcust). → documented N/A while upstream is broken.
+- [x] **BLANK class — immich, lasuite-meet, n8n(flaky), cryptpad**: SPA paint race. capture() navigates
+  with `wait_until="domcontentloaded"` (runner/harness/screenshot.py:91) and screenshots immediately;
+  SPA shell HTML has loaded but JS hasn't painted → solid 4801-2 B frame. n8n flakiness = same race,
+  sometimes JS wins (run 197 captured the real form).
+- [x] **LOADING class — keycloak, lasuite-docs, lasuite-drive, mumble, mattermost-lts(borderline)**:
+  same race, caught mid-paint (spinner/splash rendered, app JS still loading/connecting).
+- [x] **mumble** web stack identified: recipe deploys a `web` service (mumble-web client) on the domain —
+  spinner is its connecting state; landing renders a connect dialog once JS settles. NOT an N/A.
+- [x] **custom-html** nginx-welcome question: the recipe's fresh install genuinely serves the nginx
+  default page at `/` (no content seeded for this recipe's install; only custom-html-tiny seeds via
+  install_steps.sh). Screenshot is an honest representative view of a fresh install. → OK as-is.
+
+### P3 — Fixes (all merged to main)
+
+- [x] Harness default improvement (ce50f64 + A1 hardening 7ad7d1f): bounded networkidle settle
+  (10s) + 0.5s render grace after domcontentloaded; blank/spinner-frame detect (<10000 B) → ONE
+  retry with 4s settle, larger frame kept (A1). Wait budget 45+10+0.5+4+0.5 = 60s, unit-tested.
+  8 new unit tests; 207 pass; lint PASS.
+- [x] plausible — NOT a hook in the end: the real root cause was EXTRA_ENV SECRET_KEY_BASE being
+  62 chars (<64-byte Phoenix cookie-store minimum) → every HTML render 500'd. Fixed to 68 chars
+  (b98a471); default capture then lands the genuine registration page. Stale auth_controller
+  comments corrected (no assertion touched).
+- [x] mattermost-lts SCREENSHOT hook (80e5713 + 3c33129): interstitial appears on ANY first-visit
+  route incl /login (proven byte-identical PNG) → hook navigates /login, clicks "View in Browser"
+  best-effort, settles; lands the real login form. First real hook; public screenshot.settle().
+- [x] keycloak / lasuite-docs / lasuite-drive / lasuite-meet / immich / cryptpad / n8n: fixed by
+  the harness default alone (no hooks needed — proof PNGs below).
+- [x] mumble: NOT fixable harness-side — pinned mumble-web:0.5 client never paints UI for an
+  anonymous browser (≥90s DOM/console/network observation: no errors, no failed requests,
+  connect-dialog elements absent, no autoconnect overrides). Loader frame = the genuine anonymous
+  web view; voice (the recipe's function) fully covered by protocol tests. DEFERRED.md entry filed
+  (upstream question for the operator).
+- [x] bluesky-pds: documented N/A while upstream image broken (rcust DEFERRED; Adversary-agreed at
+  M1, contingent re-check at M2 — latest failing evidence ab-bluesky-pds-oldmain, 2026-06-11).
+
+### P4 — Proof runs (fresh, post-fix; every PNG visually Read by Builder)
+
+| recipe | proof run (dir on cc-ci) | level (baseline) | PNG B | visual |
+|---|---|---|---|---|
+| immich | 370 (drone !testme immich#2) | 4 (=356:4) | 234351 | real "Welcome to Immich" onboarding |
+| plausible | 371 (drone !testme plausible#3) | 4 (=357:4) | 64132 | real registration form, empty fields |
+| keycloak | shot-proof-keycloak | 4 | 215587 | real "Sign in to your account" form |
+| cryptpad | shot-proof-cryptpad | 4 | 57310 | real landing + document-type picker |
+| lasuite-meet | shot-proof-lasuite-meet | 4 | 225686 | real video-conferencing landing |
+| lasuite-docs | shot-proof-lasuite-docs | 4 | 284769 | real Docs landing |
+| lasuite-drive | shot-proof2-lasuite-drive | 4 | 132037 | real Drive landing |
+| n8n | shot-proof-n8n | 4 | 26433 | real "Set up owner account", empty fields (now deterministic) |
+| mattermost-lts | shot-proof3-mattermost-lts | 2 (=m2r:2) | 178367 | real "Log in to your account" form (hook v2) |
+| mumble | shot-proof-mumble | 4 | 7980 | loader frame — best-available (see P3/DEFERRED) |
+
+Drone durations pre/post (same recipe+PR): immich 199s→198s; plausible 209s→166s (faster — capture
+no longer burns 45s failing). Healthy class (ghost, hedgedoc, discourse, custom-html,
+custom-html-tiny, mailu, matrix-synapse, uptime-kuma): existing artifacts cited in P1 matrix, each
+visually verified real + credential-free; no new runs needed per plan §3 P4.
+Dashboard/card: grid thumbnails for runs 370/371 served 200, summary.html embeds screenshot.png,
+/badge/immich.svg 200.
+
+## Adversary findings
+
+### [adversary] A1 — blank-retry can REGRESS a larger frame to a worse one (LOW, non-blocking) — CLOSED @2026-06-11T06:32Z
+**CLOSED:** fixed in 7ad7d1f (retry snapped to a temp path; `os.replace` only if `retry >= first`,
+else discard + cleanup in `finally`). Re-verified COLD with my own probe (not the Builder's test):
+the exact filed case `[9999,4801]` now keeps **9999** (retry discarded, no temp leak); originals
+intact (`[4801,30256]`→30256, `[4801,4802]`→4802, `[35707]`→1 shot, `[5000,5000]`→replace). 5/5 pass.
+R7 contract preserved (retry-raise still propagates to capture's swallow → None; first frame on disk).
+--- original finding (for the record) ---
+**Where:** `runner/harness/screenshot.py` `_snap_with_blank_retry` (ce50f64).
+**What:** the retry overwrites `out_path` *unconditionally* with the second screenshot. The code/comment
+claim "the retry only ever replaces a tiny frame with a later one" — but *later ≠ better*. If the first
+frame is e.g. 9999 B (a partial render, just under `BLANK_SIZE_BYTES=10000`) and the page regresses in the
+extra 4 s settle (redirect, session-timeout splash, error overlay), the retry can yield a 4801 B blank that
+**overwrites the better 9999 B frame**. The Builder's unit test only covers blank→blank (4801→4802); the
+bigger→smaller regression is untested.
+**Repro (cold, my independent probe, not the Builder's test file):** fake page returning sizes
+`[9999, 4801]` → `_snap_with_blank_retry` keeps **4801** (the worse frame).
+**Severity:** LOW. R7 holds (cosmetic only, never affects verdict); my M2 per-PNG visual check is the
+backstop — any actually-blank final PNG will FAIL that recipe regardless. Filed for hardening, not a veto.
+**Suggested guard (trivial, strictly safer):** keep the larger frame — only overwrite if
+`getsize(retry) >= getsize(first)` (or snap retry to a temp path and pick `max`). Then extend the unit
+test with a bigger→smaller case asserting the larger frame survives.
+**Closes:** only I close this, after re-test. Non-blocking for an M2 claim, but I will re-check at M2.

machine-docs/DECISIONS.md

@@ -4,6 +4,17 @@ Architecture decisions and dead-ends. One line of rationale each. (§0, §8)
 
 ## Settled
 
+- **nixos-rebuild submodule protocol — SETTLED (2026-06-13, phase pvfix).** The canonical nixos-rebuild command on the live host is `nixos-rebuild switch --flake "git+file:///root/builder-clone?submodules=1#cc-ci"`. The `path:` scheme does NOT support `?submodules=1` in this Nix version; `git+file://` does. Plain `nixos-rebuild switch --flake /root/builder-clone#cc-ci` fails with `secrets/secrets.yaml does not exist` because the git submodule is not included in the nix store copy.
+
+- **deploy-proxy health gate — SETTLED (2026-06-13, phase pxgate, supersedes pvfix workaround).** Changed the traefik health probe from `ci.commoninternet.net/` (dashboard, ordered After=deploy-proxy → circular on cold boot) to `traefik.ci.commoninternet.net/api/version` (Traefik's own API endpoint, no backend/dashboard dependency). A broken traefik still fails the gate (returns non-200 or times out), so rollback semantics are preserved. Controlled reproduction confirms: with dashboard scaled to 0, old probe returns 404, new probe returns 200. Cold-boot deadlock eliminated. DEFERRED item 2026-06-13 closed by this fix. (Old pvfix note about concurrent manual restart workaround is now superseded.)
+
+- **cfold deprecated-folder policy — SETTLED (2026-06-12, phase cfold).** `tests/<recipe>/custom/`
+  is the canonical home for custom tests. Discovery keeps recognizing legacy `functional/` and
+  `playwright/` subdirs for both cc-ci and approved repo-local tests as a temporary compatibility
+  alias, but it emits a one-line warning to stderr whenever it discovers tests there. Rationale:
+  the phase plan forbids silent coverage loss, and recipe repos outside this clone may still be on
+  the old layout during the migration window.
+
 - **Wildcard TLS:** operator pre-issues wildcard cert at `/var/lib/ci-certs/live/`; Traefik file
   provider serves it; **no ACME** for commoninternet.net. (Plan §4.0/§8 — fixed.)
 - **Repo:** `git.autonomic.zone/recipe-maintainers/cc-ci`, private. Bot is org admin. (Bootstrap.)
@@ -1283,3 +1294,318 @@ the commit), which is the correct SCM integration.
   environment; job is session-persistent (survives as long as Builder session runs). T0-refire
   verified: CronCreate test fire at 23:17Z → upgrader started, upgrader-cron.log created, status
   RUNNING. (2026-06-01)
+
+## conc P3 (2026-06-10, Builder): install_steps.sh hooks resolve $ABRA_DIR — guardrail note
+
+P3 makes recipe working trees per-run ($ABRA_DIR/recipes). tests/{ghost,discourse}/install_steps.sh
+hard-coded `${HOME}/.abra/recipes/...` to copy their compose.ccci.yml overlay into the deploy tree;
+under per-run trees that path is the WRONG (canonical) tree, so the overlay would silently miss the
+deploy and both recipes' upgrade-tier base deploys would break. Fixed with ONE mechanical line per
+hook: `RECIPE_DIR="${ABRA_DIR:-${HOME}/.abra}/recipes/${CCCI_RECIPE}"` (identical resolution rule to
+the abra CLI and abra.recipe_dir()). No test assertion, gate, or overlay content was touched — the
+phase guardrail's "never touch tests/<recipe>/ content" is read as protecting test/gate SEMANTICS;
+this is required P3 fallout, equivalent to the harness-side path routing. Flagged here for the
+Adversary's gate-integrity review.
+
+## Phase lvl5 — L5 lint rung + level semantics de-cap (SETTLED 2026-06-11, operator-specified)
+
+**The level formula (replaces the Phase-3 "N/A caps" stance).** Operator decision 2026-06-11
+(explicit Q&A, recorded verbatim in plan-phase-lvl5-lint-rung.md): with per-rung statuses
+{pass, fail, skip (intentional), unver (unintentional/not-verified)}:
+
+    level = max i such that rung_i == "pass" and all j < i have status in {"pass","skip"}; else 0.
+
+A real FAIL blocks. An INTENTIONAL skip (the rung genuinely does not apply, from a declared or
+structural fact) is climbed past — this is the de-cap: a non-backup-capable recipe is no longer
+stuck at L2. An UNVERIFIED rung (should have run, wasn't checked) blocks exactly like a fail —
+this preserves the honest core of the old N/A-caps rule: never claim what wasn't checked. The
+words cap/capped/cap_reason are deleted from code, schema (results.json schema 2), card,
+dashboard, badge and docs; the per-rung table (✔/✘/intentional-skip/unverified) is the SOLE
+carrier of "why isn't the level higher". The big level badges (card corner, dashboard pill,
+/badge/<recipe>.svg) show ONLY number + colour (operator-specified). Old schema-1 artifacts are
+rendered as-is (their stored level, their 4-rung ladder) — no retroactive relabeling.
+
+**The ladder is now five rungs:** install(1) upgrade(2) backup_restore(3) functional(4)
+**lint(5) = `abra recipe lint` passes against the exact ref under test** (PR head on PR builds).
+Lint is a LEVEL RUNG, not a run gate: no lint outcome ever changes the run verdict.
+
+**N/A classification table (derive_rungs, results.py — every N/A source, Adversary-reviewed).
+Default for anything unclassifiable: UNVER (conservative).**
+
+| rung | source of non-pass/fail | class | status |
+|---|---|---|---|
+| install | tier skipped / missing (any reason — install always applies) | unintentional | unver |
+| upgrade | tier skipped by orchestrator AND no upgrade target (`prev is None`: only one published version — structural) | intentional | skip |
+| upgrade | declared `EXPECTED_NA["upgrade"]` (tier not pass/fail) | intentional | skip |
+| upgrade | tier skipped though a target exists (install failed → downstream abort), or tier missing (CCCI_STAGES dev escape) | unintentional | unver |
+| backup_restore | not backup-capable (no backupbot labels / `BACKUP_CAPABLE=False` — structural/declared) | intentional | skip |
+| backup_restore | declared `EXPECTED_NA["backup_restore"]` (tiers not pass/fail) | intentional | skip |
+| backup_restore | backup-capable but either tier did not produce pass/fail (abort, partial run) | unintentional | unver |
+| functional | declared `EXPECTED_NA["functional"]` (no custom tests / tier skipped) | intentional | skip |
+| functional | no custom tests / tier skipped, undeclared — absent functional coverage is a GAP, not a property | unintentional | unver |
+| lint | executor could not produce pass/fail (timeout, abra/script missing, env FATA, unparseable output) — NO escape hatch, `EXPECTED_NA["lint"]` is ignored | unintentional | unver |
+
+EXPECTED_NA never overrides an exercised rung: pass/fail always stand.
+
+**Lint executor mirror-context decision (plan-phase-lvl5 §2.3).** Probed on cc-ci 2026-06-11
+(JOURNAL-lvl5): (a) abra lint globs every `compose*.yml` in the recipe tree, so the CI's
+untracked install_steps overlays (e.g. compose.ccci.yml) FATA it — harness artifact; (b) abra
+lint force-fetches tags from `origin`, so a PR run's private-mirror origin (token never written
+to .git/config) FATAs "unable to fetch tags" — harness artifact; (c) `abra recipe lint` exits
+non-zero ONLY on FATA — rule verdicts live in its table (error-severity ❌ rows + a trailing
+"WARN critical errors present" sentinel, rc still 0). Decision: the executor (harness/lint.py)
+lints a PRISTINE SCRATCH CLONE of the per-run recipe tree checked out at the exact tested sha —
+origin becomes a local path (offline tag fetch, no auth) and the run's true tag set rides along
+(fetch_recipe already fetches the canonical upstream version tags into the per-run tree, so
+R014 evaluates the recipe's real tags). **No lint rule is filtered or ignored** — the
+plumbing pollution is solved by context, not by exemptions. Classifier: fail iff an
+error-severity rule is unsatisfied (or the FATA is content-attributable: "unable to validate
+recipe"); pass iff the table rendered clean; anything else unver + loud log. Hard 60s budget
+(observed ~0.7s); executor runs before the tiers (tree at tested ref), double-wrapped, R7
+verdict-neutral. Full output → run artifact `lint.txt` (dashboard-served); status + failing
+rule ids → results.json `lint`.
+
+**bluesky-pds re-pin decision (phase bsky, 2026-06-11).** The recipe pinned the moving tag
+`ghcr.io/bluesky-social/pds:0.4`, which upstream now republishes with main-branch builds
+(currently @atproto/pds 0.5.1, Node 24, `/app/index.ts` — no `index.js`), breaking the
+recipe's entrypoint override (`exec node --enable-source-maps index.js`). Fix: pin the
+newest RELEASED exact tag `0.4.219` (Node 20.20, `/app/index.js`, CMD identical to the
+recipe's exec line — entrypoint stays valid unchanged) and bump the version label
+`0.2.0+v0.4` → `0.3.0+v0.4.219` (minor bump for an upstream pin change, immich-PR#2
+precedent). REJECTED: tracking 0.5.1 (only exists as moving/sha- tags built from main —
+no release tag; would also require entrypoint `index.ts` migration against an unreleased
+version); digest-suffix pinning (abra survey/upgrade tooling chokes on tag@digest — see
+immich standing note). When upstream cuts real 0.5.x release tags, upgrade properly
+(entrypoint will then need the index.ts/Node-24 migration — recorded in
+cc-ci-plan/upstream/bluesky-pds.md). Never re-pin to `:0.4`/`latest`/minor tags.
+
+**EXPECTED_NA["upgrade"] suppresses the upgrade-tier base deploy (phase bsky, 2026-06-11).**
+The deploy-once design deploys the upgrade BASE (previous published version) and only the
+upgrade tier chaos-redeploys the PR head — so a recipe whose published versions ALL became
+undeployable (bluesky-pds: every tag pins moving `ghcr.io/bluesky-social/pds:0.4`, which
+upstream republished with incompatible main builds) fails INSTALL at the base before the PR
+head is ever exercised, and no UPGRADE_BASE_VERSION value can help (it must be a published
+tag — they're all broken). Decision: declaring the upgrade rung in EXPECTED_NA (the existing
+intentional-skip mechanism) now ALSO makes upgrade_base() return None → the single deploy is
+the PR head itself; the upgrade tier records "skip"; derive_rungs classifies it as the
+DECLARED intentional skip with the recipe's reason (results.json skips.intentional). NOT a
+gate weakening: the rung is never reported pass, the skip + reason are fully visible, and the
+declaration is evidence-backed in the recipe_meta comment + upstream registry; it is the only
+way to exercise a PR at all for a recipe in this state. Re-enable path documented per-recipe
+(bluesky: drop EXPECTED_NA + set UPGRADE_BASE_VERSION="0.3.0+v0.4.219" once merged+published).
+Locked by tests/unit/test_upgrade_base.py.
+
+## 2026-06-11 — uptime-kuma: Playwright (option b) for monitor-wizard test (phase kuma)
+
+**Decision:** use Playwright (option b from plan-phase-kuma-monitor.md §1) to implement
+the `tests/uptime-kuma/playwright/test_monitor_wizard.py` test.
+
+**Why not python-socketio (option a):** python-socketio is NOT installed in the cc-ci
+Nix Python environment (site-packages has playwright + pytest only; no socketio wheel).
+Adding it would require modifying `nix/cc-ci.nix` and running `nixos-rebuild switch` on
+cc-ci — extra Nix overhead when Playwright already handles Socket.IO transparently through
+the real browser. The option (a) benefit (speed, headless) is outweighed by the absence of
+the package.
+
+**Why Playwright works here:** uptime-kuma 2.2.1 has stable `data-cy` attributes on the
+setup form and `data-testid` attributes on the monitor form + status badge — confirmed
+present in the compiled bundle (`dist/assets/index-D_mnxLA0.js`). These are the canonical
+Cypress/testing selectors; they do not change without an intentional test-attribute removal.
+The Playwright flow is deterministic: wizard → `/add` form → `/dashboard/:id` detail page.
+
+**Runtime implication:** Playwright adds ~5–10 s overhead vs a headless socketio client,
+but stays well within the ≤90 s budget. Acceptable.
+
+
+## Phase gtea — gitea full-test enrollment
+
+- **Gitea dep-vs-recipe-under-test LFS split — SETTLED (2026-06-15, phase gtea).** The `EXTRA_ENV`
+  callable in `tests/gitea/recipe_meta.py` guards LFS-overlay activation with TWO conditions: (1)
+  `compose.lfs.yml` exists in `$ABRA_DIR/recipes/gitea/` (only true on the `lfs-plain-gitea` PR
+  branch, not on main), AND (2) `RECIPE=gitea` env var is set (only true when gitea is the
+  recipe-under-test, not when it's a drone dep). Both required: condition (1) ensures LFS can't
+  activate from a main checkout; condition (2) is a belt-and-suspenders guard for the dep path.
+  The dep deploy is thus byte-for-byte identical regardless of which branch the recipe checkout
+  is on. Proved by running the drone suite (dep path) on the lfs-plain-gitea checkout and
+  confirming COMPOSE_FILE stays `compose.yml:compose.sqlite3.yml`.
+
+- **Gitea admin user management — SETTLED (2026-06-15, phase gtea).** Gitea has no default admin
+  user after `abra app deploy`. `ops.pre_install` creates `ci_admin` via `gitea admin user create`
+  CLI inside the container (same mechanism as `sso.setup_gitea_oauth` for drone dep), stores the
+  generated password at `/tmp/ccci-gitea-admin-<domain>.json` (mode 600). All subsequent
+  `pre_<op>` hooks read from this file. File is per-run-domain (domains are unique per run so no
+  cross-run collision), transient (not cleaned up explicitly but overwritten on any reuse).
+
+- **Gitea data-integrity marker — SETTLED (2026-06-15, phase gtea).** Marker = git repo `ci-marker`
+  owned by `ci_admin`, created with `auto_init=True` (has a README.md initial commit). API-based
+  (same model as keycloak realm marker). Idempotent creation (409 = already exists → OK).
+  `pre_restore` deletes it to create a genuine divergence from backup state; `test_restore` asserts
+  its return. The sqlite3 DB is the persistence layer being tested.
+
+- **Dynamic upgrade base — SETTLED (2026-06-17, phase prevb).** The upgrade tier's BASE version is
+  resolved at run time, replacing the static `previous_version(vers[-2])` default. Resolution order:
+  (1) **last-green** = the warm-canonical registry record (`canonical.read_registry(recipe).version`,
+  status warm/idle) when present; (2) fallback **target-branch (`main`) tip** = the recipe repo's
+  `main` HEAD (a git ref, chaos-deployed) — the true predecessor the PR merges onto; (3) **else skip**
+  the upgrade tier with a declared reason (new recipe / no predecessor / head==main). EXPECTED_NA[upgrade]
+  and `upgrade∉stages` still short-circuit to skip first. `UPGRADE_BASE_VERSION` is RETAINED as an
+  optional explicit override (wins when set) for the rare PR-adds-version-above-newest-tag case, but is
+  no longer the default and is removed from discourse. This intentionally changes every recipe's default
+  base from `vers[-2]` to last-green/main-tip (plan-mandated; M2 spot-check validates non-regression).
+
+- **Per-recipe `previous/` overlay — SETTLED (2026-06-17, phase prevb).** `tests/<recipe>/previous/`
+  optionally holds the minimal config to deploy the *previous (last-green) version* when it can't deploy
+  as-published (e.g. `compose.previous.yml` for an image relocation). It declares the version it targets
+  (a `previous/VERSION` marker line) and the harness applies it **only to the base deploy and only when
+  the resolved base is that exact published version**; it is NEVER applied to the PR head, and on a
+  main-tip base or version mismatch it is SKIPPED and flagged stale ("previous/ targets X, base is Y —
+  remove it"). The all-deploys `compose.ccci.yml` overlay is now ENVIRONMENTAL-only (node-reality tweaks,
+  no version-specific image pins or service add/drop); version-specific repairs live in `previous/`.
+  Discourse ships NO `previous/` (base bitnamilegacy:3.5.0 deploys clean).
+
+## Phase canon (2026-06-17) — canonical sweep made real
+
+- **Tagged-promote gate (§2.A).** A canonical only ever advances to a PUBLISHED RELEASE TAG.
+  `should_promote_canonical` requires `tagged` (computed by the caller via
+  `warm_reconcile.is_released_version(recipe, head_version)`); `promote_canonical` records the TESTED
+  `head_version` (the release version actually exercised), NOT a re-derived `latest_version(recipe_tags)`
+  — these can diverge in a manual `RECIPE=<r>` run whose `main` sits on a tag older than the newest
+  published tag. An untagged `main` commit never becomes a canonical.
+- **New-release-tag trigger (§2.D).** The weekly sweep tests a recipe only when its latest release tag
+  is newer (by `warm_reconcile.version_key`) than its canonical version — NOT on new commits. No new
+  tag → SKIP (even if `main` has untagged commits). This gives the run-twice determinism no-op and
+  makes the sweep orthogonal to `samever` (version-under-test always > canonical → no same-version
+  step-back in the sweep).
+- **Mirror-sync is a VENDORED `scripts/recipe-mirror-sync.sh`, not the nix-store
+  recipe-upgrade/open-recipe-pr.sh.** Rationale: open-recipe-pr.sh assumes the recipe clone's `origin`
+  IS coopcloud upstream, but cc-ci's abra recipe clones have inconsistent remotes (origin is variously
+  the mirror / coopcloud / absent). The vendored script pins an explicit coopcloud `upstream` remote
+  by recipe name, syncs main+TAGS (canon's trigger needs upstream tags), closes only merged-upstream
+  PRs, leaves unrelated PRs, and authes via the bot gitea token (self-contained, reproducible — a
+  systemd service must not depend on a per-skill-version nix-store path). Behaviour matches the phase's
+  described `--reconcile-only`: faithful mirror sync, never our own changes.
+- **Hollow-sweep root cause + fix.** The deployed timer ran the nix-STORE runner copy (no `tests/`),
+  so `enrolled_recipes()` resolved `TESTS_DIR` to a missing dir → `[]` → no-op. Fix: the sweep runs
+  from `$CCCI_REPO=/etc/cc-ci` (has runner/ AND tests/); deploys `git -C /etc/cc-ci pull` +
+  nixos-rebuild. Sweep-logic now ships via a checkout pull (no store rebuild needed for logic-only).
+- **All 21 used-recipes enrolled (§2.B); cadence weekly (§2.F).** The enroll set is exactly
+  `cc-ci-plan/used-recipes.md`; test fixtures stay unenrolled.
+
+## Phase canon (2026-06-17) — enrollment exception: keycloak
+
+**keycloak is NOT enrolled as a data-warm canonical (WARM_CANONICAL=False), by exception (§2.B).**
+keycloak is the project's LIVE-WARM OIDC dep provider: an always-on shared service at
+`warm-keycloak.ci.commoninternet.net` (warm_reconcile SPECS["keycloak"]) that lasuite-docs/-drive/
+-meet and drone consume for SSO. A data-warm canonical uses that SAME stable warm domain, so the
+sweep's promote (deploy/teardown at warm-keycloak) would collide with — and could disrupt — the live
+provider. keycloak is instead kept at latest by the sweep's **roll_warm_infra** step (the health-gated
+warm/infra reconciler, WC1.1, run before the per-recipe loop), so it has full coverage without a
+data-warm canonical. Verified live: a sweep keycloak-promote attempt FAILed cleanly (recipe compose
+mismatch) and left the running live keycloak healthy (200 on /realms/master) — no disruption — but the
+collision is structural, so keycloak is de-enrolled rather than relying on the promote failing safely.
+
+## Phase canon (2026-06-17) — recipe RED exceptions (canonical not promoted; left intact)
+
+These enrolled recipes did NOT get a canonical in the authoritative sweep. Each is a genuine
+recipe/upstream issue, NOT a canon-machinery defect — recorded per §2.B/guardrail ("a red test is
+information; never weaken a test to make a recipe promote"). The sweep correctly left each intact.
+
+- **discourse — UPSTREAM compose defect at the latest release `0.8.1+3.5.0`.** The base recipe
+  compose.yml (`git show 0.8.1+3.5.0:compose.yml`) declares `sidekiq.depends_on: [discourse]` but the
+  main service is named `app` (not `discourse`) → `abra app deploy` FATAs "service sidekiq depends on
+  undefined service discourse: invalid compose project". This is upstream coop-cloud/discourse's bug,
+  not cc-ci's overlay (tests/discourse/compose.ccci.yml does not add that dependency). Cold deploy
+  cannot converge → red → canonical unchanged. (Re-enroll-able once upstream fixes the 0.8.1 compose.)
+- **mattermost-lts — recipe test red at latest.** `tests/mattermost-lts/test_restore.py::
+  test_restore_returns_state` FAILED on the latest release's cold run. The test is UNMODIFIED this
+  phase (last touched in phase "2": 012a477/80ad0a9) — a real restore-state failure, not weakened.
+- **mumble — recipe test red at latest.** `tests/mumble/custom/test_protocol_handshake.py::
+  test_handshake_completes_with_channel_presence` FAILED on the latest release's cold run. Test
+  UNMODIFIED this phase (last touched in phase "cfold": 44e0242) — a real voice-handshake failure.
+- **bluesky-pds — warm-domain routing (recipe-specific).** Cold test GREEN, but the warm-canonical
+  promote deploy never becomes healthy over HTTPS (`/xrpc/_health` → 000) even though the PDS
+  container is healthy internally (200 on localhost:3000) — traefik does not route the caddy-fronted
+  warm domain. This is bluesky-specific (the cold-test domain routes fine; the other 15 promoted
+  recipes all answer 200 over HTTPS on their warm domains), NOT the promote machinery. canonical not
+  written (correct — never promote an unhealthy state).
+
+## Phase canon (2026-06-17) — gitea 3.6.0 warm-ADVANCE exception + determinism framing
+
+- **gitea: canonical valid at 3.5.3+1.24.2-rootless; the 3.5.3→3.6.0 ADVANCE does not promote (recipe
+  issue, not machinery).** The new-release-tag trigger correctly fires (RUN on 3.6.0 > canonical
+  3.5.3) and the cold test is green, but the warm-canonical in-place advance deploy of gitea 3.6.0
+  CRASH-LOOPS: `LoadCommonSettings() [F] ... error saving JWT Secret ... failed to save
+  "/etc/gitea/app.ini": open ... read-only file system` (gitea 3.6.0 tries to persist a JWT secret to
+  a read-only app.ini). This is a gitea-3.6.0 / rootless-config recipe issue (the cold FRESH 3.5.3→3.6.0
+  upgrade passes; the warm reattach-advance crashes at config-load before any DB migration, so the
+  3.5.3 volume stays intact). gitea keeps its known-good 3.5.3 canonical (correct — never promote an
+  unhealthy state). The ADVANCE PATH ITSELF is proven working independently via a constructed
+  custom-html older→new advance (see M2.6 evidence) — so this is gitea-specific, not the promote
+  machinery.
+- **Determinism (M2.3) framing.** The run-twice no-op holds for every recipe whose canonical is AT its
+  latest release: a 2nd immediate sweep SKIPs them (no CI rerun). Recipes that legitimately lack a
+  latest-canonical correctly RE-RUN, which is the intended behaviour, not a determinism violation:
+  (a) genuine reds (discourse/mattermost/mumble) + bluesky (warm-routing) — no known-good to protect;
+  (b) gitea — a new release (3.6.0) exists that cannot yet promote for the recipe reason above, so the
+  sweep keeps offering to advance it (correct: it should retry in case the recipe is fixed). No
+  promoted-at-latest recipe is ever needlessly re-tested. "Skip every recipe" is the all-promoted ideal;
+  the demonstrated property is "no promoted-at-latest recipe re-runs", which is the operative no-op.
+
+## Phase canon (2026-06-17) — warm-volume disk budget (§2.B / M2.7)
+
+All-enrolled is sustainable on the single node; the warm-volume budget is NOT the binding constraint,
+so the fallback (decouple version-record from retained volume) is NOT needed. Measured 2026-06-17 (read
+-only, `ssh cc-ci`):
+- Root fs `/`: 150G total, 107G used, **38G free, 74% used**.
+- `du -sh /var/lib/ci-warm` (registry metadata + small content) = **1.1G**; largest per-recipe dir
+  `immich` 307M, `ghost` 208M, `plausible` 114M; most <50M.
+- `docker system df`: Local Volumes 47 total, **2.024GB**, 929MB (45%) reclaimable; ~50 `warm-*` data
+  volumes (16 retained canonicals + warm-keycloak infra + per-run residue the WC8 `ci-docker-prune`
+  reclaims).
+- 16 retained canonicals total ~2G of volumes + 1.1G metadata against 38G free → ample headroom even
+  at the full 20-enrolled set. WC8 disk-hygiene (`ci-docker-prune`) keeps residue bounded.
+Conclusion: keep all-enrolled with retained volumes; revisit only if `/` free drops below a single
+recipe's largest restore (~1–2G working set). No recipe dropped for disk.
+
+## phase dash — per-recipe history sourced from local run artifacts (2026-06-17)
+The dashboard's per-recipe history page (`/recipe/<recipe>`) sources its run list from the local
+`/var/lib/cc-ci-runs/*/results.json` artifacts (complete: 308 finished runs; durable; already
+bind-mounted read-only), NOT the Drone `…/builds?per_page=100` slice (root cause: that 100-build
+window dropped each recipe's older runs out of view after the regall sweep → most recipes showed 1
+run). Newest-first by the `results.json` `finished` timestamp (run ids are MIXED numeric + named, so
+only a timestamp sort is correct — `int(run_id)` would crash on `m2r-*`/`ab-*`); display-capped at
+`HISTORY_CAP=30`. Status derived from the per-stage `results` map (no top-level status field). The
+OVERVIEW (`/`) and badges keep their Drone latest-per-recipe source unchanged. Deliberately did NOT
+merge Drone live "running" status into history (optional per plan; re-adds the network dependency the
+local source removes; overview already shows live status). Retention: 308 parseable runs present, no
+trim job observed → adequate; revisit only if a cap is ever needed.
+
+---
+
+## Phase `settings` (2026-06-17) — server settings.toml + SKIP_CANONICALS_FOR_UPGRADE + release-tag-first fallback
+
+- **Settings home = `harness/settings.py` (new), file `/etc/cc-ci/settings.toml` (override `$CCCI_SETTINGS`).**
+  No pre-existing cc-ci config module existed to extend (config was scattered `os.environ.get` reads);
+  a minimal stdlib-`tomllib` loader is the minimal+extensible mechanism. `_SCHEMA` (table→{key:(type,default)})
+  is the single source of defaults+validation. Tracked `settings.toml.example`; live file untracked/operator-
+  managed/no-secrets (secrets stay in sops). Default `/etc/cc-ci` chosen over the plan's suggested
+  `/srv/cc-ci` (orchestrator-ambiguous): `/etc/cc-ci` is where the harness already runs (`CCCI_REPO`),
+  absolute so Drone+sweep read the same file, untracked file survives deploy `git pull`.
+- **`SKIP_CANONICALS_FOR_UPGRADE` scope = upgrade BASE only.** Wired into `resolve_upgrade_base`: flag
+  true → skip canonical lookup → no-canonical fallback (behaves as if no canonical). Does NOT touch
+  canonical *promotion* or the `--quick` warm-reattach — those are separate optimizations; a future
+  `SKIP_CANONICAL_SWEEP` / `SKIP_QUICK` could gate them (out of scope here).
+- **No-canonical fallback (always-on, §2.C):** newest release TAG `< head` (reuse
+  `warm_reconcile.newest_older_version`, the single version-ordering source) → raw main-tip (no prior
+  release tag) → skip. Replaces the old jump-straight-to-main-tip path; improves this server too (false
+  flag, un-promoted recipes get a real release base).
+- **Canonical-present path (incl. samever step-back) preserved byte-for-byte.** With flag false + a
+  canonical, behavior is unchanged. The step-back's "no older predecessor → skip" is intentionally NOT
+  routed to main-tip (would reintroduce the same-version no-op samever prevents); the §2.C "==head"
+  routing is satisfied because the step-back already takes the same release-tag helper as fallback step 1.
+- **Validation:** absent/unreadable/malformed-TOML → WARN + all-defaults (cannot crash the harness);
+  unknown table/key → warn-and-ignore; present known key of wrong type → raise TypeError (loud typo).
+- **OBSERVATION (not this phase's defect):** `scripts/lint.sh` (pinned ruff) reports
+  `dashboard/dashboard.py` + `tests/unit/test_dashboard.py` would be reformatted — confirmed pre-existing
+  at HEAD f68f1c5, outside the settings diff. Flagged for the dashboard owner / orchestrator; not fixed
+  here (narrow scope).

machine-docs/DEFERRED.md

@@ -118,6 +118,8 @@ before the build is called done) — but does **not** force closure.
 - **Linked IDEA:** —
 
 ### 2026-05-28 — uptime-kuma create-a-monitor (§4.3 prescribed)
+- [x] **CLOSED @2026-06-11 (Builder, phase kuma):** `tests/uptime-kuma/playwright/test_monitor_wizard.py` implemented and proven in real CI. Playwright (option b) drives the actual browser; Socket.IO handled transparently. Flow: wizard admin-create → self-probe monitor (→ Up, real heartbeat row) + dead-port monitor (→ Down, proves probe engine). Commits: `8da59cf` (test) + `fe8922c` (M1 claim). Drone builds #460 + #462 both LEVEL 5 with `test_monitor_wizard [pass]`. M1+M2 Adversary PASSes in REVIEW-kuma.md. DEFERRED is closed.
+- [x] **RE-ENTERED @2026-06-11:** operator approved — executing as phase `kuma` (cc-ci-plan/plan-phase-kuma-monitor.md).
 - [ ] **What:** Add a test that completes uptime-kuma's first-run setup wizard via Socket.IO,
       logs in to obtain a JWT, creates a monitor (`monitor add` Socket.IO emit), and asserts the
       monitor appears in the listed-monitors response.
@@ -210,6 +212,7 @@ before the build is called done) — but does **not** force closure.
 (none yet — append `### YYYY-MM-DD — <slug> CLOSED (commit/PR)` here when re-entered.)
 
 ### 2026-05-28 — plausible (Q4.7) recipe enrollment
+- [x] **CLOSED @2026-06-11 (operator housekeeping):** overtaken — plausible is enrolled and running in CI (§4.3 floor `71af595`); the full-lifecycle remainder is the Q4.7b entry below (recipe PR#3 green, operator merge pending).
 - [ ] **What:** Enroll plausible in cc-ci with parity health_check + ≥2 specific tests (per
       plan §4.3: "track a test event, query it back"). `tests/plausible/recipe_meta.py` +
       `tests/plausible/functional/test_health_check.py` are drafted (commit pending) but the
@@ -237,6 +240,7 @@ before the build is called done) — but does **not** force closure.
   Defensible defer; lift when the operator wants the deeper coverage OR Phase-4 reviews.
 
 ### 2026-05-29 — immich recipe needs a pg_dump backup hook for reliable DB restore (P4)
+- [x] **CLOSED @2026-06-11:** cc-ci-authored immich recipe PR#2 (pg_dump hook) verified green; operator confirmed 2026-06-11 — merge pending, no further loop work.
 - [ ] **What:** immich's upstream recipe backs up the LIVE postgres data VOLUME via restic
       (`backupbot.backup=true` on `database`, no pg_dump hook), so a DB row does NOT survive
       `abra app restore` (diagnosed: seed→backup→drop→restore→row absent; app healthy). Real
@@ -256,6 +260,7 @@ before the build is called done) — but does **not** force closure.
 - **Linked IDEA:** —
 
 ### 2026-05-29 — discourse: upstream recipe pins removed bitnami images (undeployable)
+- [x] **CLOSED @2026-06-11 (operator housekeeping):** superseded — discourse is enrolled and runs the full lifecycle in CI (L4 baseline run 184, 2026-06-05); the bitnami-pin blocker no longer applies.
 - [ ] **What:** discourse (Q4.6) cannot be enrolled/tested because the recipe pins
       `image: bitnami/discourse:<tag>` (app + sidekiq) and **Docker Hub no longer serves any
       `bitnami/discourse:*` tag** (bitnami's 2024/2025 legacy migration). Proven on cc-ci:
@@ -282,6 +287,14 @@ before the build is called done) — but does **not** force closure.
 - **Linked IDEA / BACKLOG:** Q4.6.
 
 ### 2026-05-29 — mailu: no backup config (P4 N/A) — recipe-PR to add backupbot
+- [x] **CLOSED @2026-06-11 (phase mailu, Builder):** Mirror PR#3 (`add-backupbot-labels`, head
+      `edc0201a79d3`) on `git.autonomic.zone/recipe-maintainers/mailu` adds backupbot v2 labels to
+      `admin` service (`/data` SQLite) and `imap` service (`/mail` Maildir). Full lifecycle at PR head
+      = LEVEL 5 (drone build #477): install/upgrade/backup/restore/functional all PASS; both
+      `/data` (SQLite) and `/mail` (Maildir) seeded + wiped + verified restored. Adversary M1 PASS
+      @2026-06-11T21:00Z. PR left open for operator merge. mailu's backup rung is now earned
+      (`backup_capable=True`), not skipped. Phase mailu M1 PASS; M2 claim in progress.
+- [x] **RE-ENTERED @2026-06-11:** operator approved the backupbot recipe-PR route — executing as phase `mailu` (cc-ci-plan/plan-phase-mailu-backup.md).
 - [ ] **What:** mailu (Q4.9) ships **no `backupbot.backup` label** on any service, so cc-ci's
       backup/restore tiers cleanly SKIP (`backup_capable=False`) — P4 (backup data-integrity) is N/A
       for mailu as published (no backup mechanism to exercise). Durable fix = a recipe-PR adding
@@ -296,6 +309,9 @@ before the build is called done) — but does **not** force closure.
 - **Linked IDEA / BACKLOG:** Q4.9.
 
 ### 2026-05-29 — drone (Q4.10) blocked on host /etc/timezone deploy (gitea SCM dep) + scoped integration
+- [x] **RE-ENTERED @2026-06-11:** operator approved — executing as phase `drone` (cc-ci-plan/plan-phase-drone-enroll.md); P0 host /etc/timezone deploy is orchestrator-owned.
+- [x] **MAXIMAL SUBSET COMPLETE @2026-06-11T22:30Z — Adversary M2 PASS, build #506 L5.** All mandatory tiers (install+upgrade+functional+lint) pass; backup structural skip justified in PARITY.md; bridge-triggered !testme CI run confirmed `event:custom`. DEFERRED item progressed: (1) P0 host fix: DONE; (2) Integration MAXIMAL SUBSET: DONE. **Build-creation gap (§4.3) remains open** — deferred sub-item per original filing.
+- **Adversary §7.1 sign-off on build-creation gap @2026-06-11T22:30Z:** The drone API build-creation flow (creating/running CI pipelines via drone's own API — requires drone OAuth token + `.drone.yml` + webhook) is accepted as a genuine, proportionate deferral. It is a harness capability gap, not a recipe gap. Drone boots with gitea SCM wired correctly (proven L5 in build #506); build-creation automation is a follow-on. SIGNED OFF. Remaining DEFERRED: build-creation API automation only.
 - [ ] **What:** drone (Q4.10, LAST §5 recipe) cannot be enrolled until two things land:
       (1) **HOST FIX — operator-deploy needed:** drone is a CI server that REQUIRES a git-provider SCM
       to boot; the only viable dep is **gitea**, which the recipe binds `/etc/timezone:ro` from the
@@ -322,6 +338,7 @@ before the build is called done) — but does **not** force closure.
 - **Linked IDEA / BACKLOG:** Q4.10; JOURNAL-2 f86a58a; commit 3bde76f.
 
 ### 2026-05-30 — plausible Q4.7 full (recipe-PR Q4.7b: fix ClickHouse entrypoint wget restart-storm)
+- [x] **CLOSED @2026-06-11:** recipe PR#3 (ClickHouse entrypoint + backup fixes) verified GREEN at PR head; operator confirmed 2026-06-11 — merge pending. Post-merge follow-up: full lifecycle on main to formally claim Q4.7.
 - [ ] **What:** Fix the recipe `entrypoint.clickhouse.sh` so ClickHouse boots reliably, then run
       plausible's FULL lifecycle (`install,upgrade,backup,restore,custom`) green + claim Q4.7. Suite
       authored (`tests/plausible/` ops + test_backup/restore/upgrade + event-roundtrips); §4.3 floor
@@ -335,3 +352,78 @@ before the build is called done) — but does **not** force closure.
 - **Re-entry trigger:** Builder authors recipe-PR Q4.7b (cache tarball on a volume / wget
   retry+backoff / drop `2>/dev/null` / `set +e` w/ fallback), then runs plausible-full green + claims.
 - **Linked:** REVIEW-2 `e850281` (root-cause + DENY), `71af595` (§4.3 floor); DECISIONS 2026-05-30.
+- [RE-ENTERED @2026-06-11 → phase `dstamp` (cc-ci-plan/plan-phase-dstamp-discourse-drift.md)] discourse upgrade-HC1 @7ae7b0f stamps prev-base tag commit (eb96de94+U) on BOTH old+new harness since ~06-10 (baseline 184 was L4 on 06-05); harness-neutral (rcust exonerated, M2-closed) but abra stamp-resolution mechanism UNATTRIBUTED — worth a standalone dig outside rcust. Evidence: /var/lib/cc-ci-runs/{m2p-discourse,ab-discourse-7ae7b0f-oldmain}, JOURNAL-rcust 2026-06-11.
+  - ✅ **RESOLVED @2026-06-11 (phase `dstamp`, Builder).** NOT an abra stamp-resolution bug — abra
+    stamps the PR head `7ae7b0f7+U` CORRECTLY (proven: repro2 `--debug` line + 3 bail-at-secrets
+    repros; per-run git HEAD=7ae7b0f at deploy, reflog-verified). **Root cause:** discourse
+    `compose.yml` app service `deploy.update_config: { failure_action: rollback, order: start-first,
+    monitor: 5s }`. On the upgrade chaos redeploy, start-first co-resides OLD+NEW (~2× memory) for
+    the precompile/Rails-heavy app; under host memory pressure the NEW task fails swarm's 5s update
+    monitor → `failure_action: rollback` reverts the app service to PreviousSpec, including the
+    `chaos-version` label (head→base `eb96de94+U`). start-first kept the old task serving so
+    `wait_healthy` passed; HC1 then read the reverted base commit and misreported it as a stamp
+    mismatch. **Direct evidence:** `/var/lib/cc-ci-runs/dstamp-repro4.console.log` — post-redeploy
+    `UpdateStatus.State=updating`, `.Spec chaos-version=7ae7b0f7+U` (head applied), `.PreviousSpec
+    chaos-version=eb96de94+U` (base); the read after the rollback = base. **Fix (commits 0cc31a5 +
+    e9c26c7):** (1) `tests/discourse/compose.ccci.yml` app `update_config.order: stop-first` (new
+    task boots with full memory → no OOM → no spurious rollback; `failure_action: rollback` left
+    intact); (2) general `lifecycle.assert_upgrade_converged` (2-phase StartedAt protocol) detects a
+    swarm rollback/pause and fails the upgrade HONESTLY — HC1 commit-match unchanged, unweakened.
+    **Proven in real CI:** drone `!testme` build **#450** (discourse @7ae7b0f, cc-ci main 2da1f01) =
+    **LEVEL 5**, all tiers PASS (install/upgrade/backup/restore/custom), clean_teardown + no_secret_leak
+    true; PR recipe-maintainers/discourse#2 comment shows ✅ passed. **Blast-radius:** only discourse
+    affected (keycloak/n8n have the same policy but upgrade-PASS L4 across runs; drone/traefik infra);
+    the harness guard covers all rollback-policy recipes. M1+M2 evidence: STATUS-/JOURNAL-/REVIEW-dstamp.
+- [RE-ENTERED @2026-06-11 → phase `bsky`] ✅ **RESOLVED @2026-06-11 (phase bsky, Builder):** root cause = upstream republishes the MOVING tag `:0.4` with main-branch builds (now @atproto/pds 0.5.1, Node 24, `/app/index.ts` — no `index.js`), breaking the recipe's entrypoint override. Fix PR open (operator merges): **recipe-maintainers/bluesky-pds PR #2** (`upgrade-0.3.0+v0.4.219`, head f7b6c8df — exact-pin `0.4.219` + version-label bump). Proven green at PR head via real drone CI: run 427 **level 5** (install/backup_restore/functional/lint PASS; upgrade = declared intentional skip — no deployable published base, both old tags pin the republished `:0.4`; negative control run 423). Screenshot real (PDS landing page). The shot-phase deploy-gated N/A is lifted on the PR runs. Upstream registry: cc-ci-plan/upstream/bluesky-pds.md; decisions: DECISIONS.md 2026-06-11 (pin choice + EXPECTED_NA-upgrade base suppression). Both the re-pin follow-up AND the rcust M2 exclusion note are hereby closed with these pointers. Original entry follows: bluesky-pds: UPSTREAM IMAGE BREAKAGE (non-rcust, M2-justified exclusion from baseline match).
+  The app container crash-loops `Error: Cannot find module '/app/index.js'` (MODULE_NOT_FOUND,
+  Node v24.15.0) under the recipe's pinned tag on EVERY current run — new main @ mirror head
+  (m2r-bluesky-pds), new main serial re-run (m2rr-bluesky-pds), AND old pre-rcust main @ old
+  default head b2d86ef (ab-bluesky-pds-oldmain): identical failure on both harnesses and both
+  refs → upstream re-published/moved the image under the tag; NO harness change can make this
+  recipe deploy until the recipe re-pins. Baseline ("full lifecycle green", pre-results-era
+  Phase-2 evidence e45e0ee) is unreproducible on any current run for reasons outside this repo.
+  Evidence: `grep -r MODULE_NOT_FOUND /var/lib/cc-ci-runs/{m2r,m2rr,ab}-bluesky-pds*/abra/logs/
+  default/`; REVIEW-rcust.md 2026-06-11 entries. Follow-up (post-phase): file/propose a re-pin PR
+  against the bluesky-pds recipe mirror.
+- mumble-web client never paints UI for an anonymous browser (phase-shot, 2026-06-11). The recipe's
+  pinned web client (rankenstein/mumble-web:0.5 via compose.mumbleweb.yml, served by websockify)
+  stays at its `loading-container` spinner ≥90s with NO console errors, NO failed asset/requests,
+  connect-dialog DOM elements absent, and no autoconnect overrides in config.local.js (defaults
+  untouched) — so the CI screenshot's best-available frame is the genuine loader view every visitor
+  gets. The voice server itself is fully exercised (protocol handshake/config tests pass; that is
+  mumble's actual function). A harness-side fix is impossible without changing what the recipe
+  deploys (guardrail: prefer upstream over cc-ci overlays). **Operator input needed:** whether to
+  pursue an upstream recipe issue/PR (newer mumble-web image or one that renders its connect dialog)
+  — until then the dashboard shows the loader frame as the recipe's web-surface reality.
+  Evidence: /tmp/mumble-probe{2,3,4}.out + /tmp/mumble-orch{4,5}.log on cc-ci (90s DOM/console/
+  network observation; websockify reachable, /ws & /websocket 404 from websockify itself);
+  /var/lib/cc-ci-runs/shot-proof-mumble/screenshot.png (L4 run, loader frame).
+
+## WC5 promote-on-green-cold ignores stage completeness (filed 2026-06-11, Builder, phase lvl5)
+
+Observed during the lvl5 unver-blocks proof: a GREEN hand-run with `STAGES=install,upgrade,custom`
+(backup/restore excluded) on latest still advanced custom-html's warm canonical —
+`should_promote_canonical` checks green+cold+latest but not that ALL stages ran. Pre-existing
+behavior (not introduced or worsened by lvl5; Adversary concurs it is not a finding). Only
+reachable via the operator/dev STAGES escape — production drone runs always run all stages.
+**Needed from operator:** decide whether promote should additionally require the full stage set
+(one-line guard in `should_promote_canonical`), or whether dev hand-runs promoting is acceptable.
+
+### 2026-06-13 — deploy-proxy health-gate circular dependency (D8 risk)
+- [x] **CLOSED @2026-06-13 (Builder, phase pxgate).** Fixed in `runner/warm_reconcile.py` — traefik health probe changed from `ci.commoninternet.net/` (dashboard, ordered After=deploy-proxy) to `traefik.ci.commoninternet.net/api/version` (Traefik's own API, no backend dependency). Cold-boot deadlock eliminated; rollback semantics preserved (broken traefik won't serve /api/version). Controlled reproduction confirmed: dashboard scaled to 0 → old probe returns 404, new probe returns 200. M1 claimed. Adversary PASS pending for DONE. See DECISIONS.md 2026-06-13 pxgate entry.
+- **Filed by:** Adversary, phase pvfix (cross-filed by Builder)
+
+### 2026-06-17 — discourse mint_admin prints minted ApiKey to the Drone RAW build log (low-sev)
+- **What:** `tests/discourse/custom/_discourse.py::mint_admin` mints a run-scoped Discourse admin ApiKey
+  via `rails runner` which prints `CCCI_API_KEY=<plaintext>` to the container stdout; this can reach the
+  **access-controlled Drone RAW build log** (401 without a token). NOT on the public dashboard/results UI
+  (Adversary independently scanned the public surface — clean), and the key is class-B run-scoped
+  (destroyed at teardown). Flagged by the Adversary as **[F-prevb-C, INFO]** during M2 cold acceptance.
+- **Why deferred (not fixed in prevb):** PRE-EXISTING — the `.key` print predates prevb; prevb only made
+  the container PATH image-agnostic (b66abc4). D6's hard requirement (no secrets on the public results UI)
+  is met. Out of prevb scope (dynamic base + previous/); fixing it is a discourse-custom-test hardening,
+  not a prevb deliverable. Adversary did not VETO / did not block M2 on it.
+- **Needed from operator:** decide whether to harden — e.g. have `mint_admin` avoid emitting the plaintext
+  key on stdout (write to a run-scoped sidecar the test reads), or register the minted key in the harness
+  redaction set so even the RAW log is scrubbed. Low priority (RAW log is access-controlled; key is ephemeral).
+- **Filed by:** Builder, phase prevb (acknowledging Adversary [F-prevb-C]).

machine-docs/JOURNAL-aoeng.md

@@ -0,0 +1,15 @@
+# JOURNAL — phase aoeng (Adversary)
+
+## 2026-06-13T18:23Z — Orientation
+
+Phase aoeng initialized. Builder has not started yet.
+
+Performed pre-build orientation:
+- Read `plan-phase-aoeng-engine.md` (full)
+- Read `plan-agent-orchestrator.md` (full)
+- Read source files: `agents.py` (850 lines), `agents.toml` (155 lines)
+- Confirmed `recipe-maintainers/agent-orchestrator` exists on Gitea but is empty
+- Identified all cc-ci hardcoding points that must be generalized (see REVIEW-aoeng.md)
+- Initialized phase tracking files
+
+Awaiting Builder's first commit/claim. Will poll every 10 min until activity starts.

machine-docs/JOURNAL-aotest.md

@@ -0,0 +1,72 @@
+# JOURNAL — phase aotest (Adversary)
+
+---
+
+## 2026-06-13T18:44Z — Phase orientation + initial files created
+
+- Read plan-phase-aotest-verify.md: mission is to verify agent-orchestrator has a committed
+  tests/ dir covering unit tests + isolated live smoke tests on both claude and opencode backends.
+- Checked agent-orchestrator repo: current state is v0.1.0 (commit 289ef07), no tests/ dir.
+- Created phase-namespaced files: STATUS-aotest.md, REVIEW-aotest.md, BACKLOG-aotest.md,
+  JOURNAL-aotest.md.
+- Builder has not yet pushed any aotest work. Entering polling stance.
+
+Next: poll agent-orchestrator for new commits every ~10 min.
+
+---
+
+## 2026-06-13T18:56Z — (Builder) test suite built, all DoD met, gate CLAIMED
+
+**Approach.** The harness (agents.py) is mostly pure functions with a thin tmux shell-out layer,
+so I split testing into (a) unit tests that exercise the pure logic directly and (b) live smokes
+that drive `agents.py` end-to-end on each real backend.
+
+**Unit tests (`tests/test_unit.py`, stdlib `unittest`, 51 tests).** Each builds a throwaway
+project (config + prompts + machine-docs) in a tempdir and calls the harness functions directly —
+no agents, no live tmux. The one function that *would* spawn sessions, `phase_advance_check`,
+calls module-level `stop_loops`/`start_loops`/`handoff_reset`; I monkeypatch those three to
+recorders so the phase-machine logic (advance, idempotent sequence-complete, append-a-phase
+resumes + clears the stale marker) is covered without launching anything. I also load the shipped
+`agents.example.toml` so an example regression is caught.
+
+- Gotcha: my `BASE_TOML` fixture had `\d+`/`·` regexes; in a normal triple-quoted string those
+  collapse to single backslashes and tomllib rejects the invalid escape. Fixed by making the
+  fixture a raw string (`r"""…"""`) so the on-disk TOML keeps the doubled backslash, like the real
+  `agents.example.toml`.
+
+**Live smokes.** `smoke_claude.sh` / `smoke_opencode.sh` each spin up a throwaway persistent
+"probe" through `agents.py up` in a sandbox with a unique `session_prefix` and temp `log_dir`,
+confirm the session attaches (pane command `claude`/`opencode`), `status` shows RUNNING, `down`
+removes it; a cleanup trap (EXIT INT TERM) kills everything. claude uses the cheap
+`claude-haiku-4-5`. opencode generalizes cc-ci `test-opencode.sh` onto this repo with its own
+server on `:4097` (a guard refuses `4096`).
+
+- Gotcha: the opencode server runs in a subshell `( … serve … ) &`, so `$SERVER_PID` is the
+  subshell, not the listener — killing it left `:4097` held (a DoD-4 leftover-port failure I caught
+  on the first standalone run). Fixed cleanup to also `pkill -f "opencode serve.*--port ${PORT}"`
+  and wait for the port to free. Re-ran: freed.
+
+**Verification.** Cold-cloned to `/tmp/aotest-cold` and ran inside `nix develop` (python311) — the
+Adversary's exact path: `unit=PASS (51) claude=PASS opencode=PASS isolation=PASS`, rc=0; afterwards
+no `aotest-*` sessions, `:4097` free, `cc-ci-orchestrator/watchdog/assistant3` present. Pushed the
+deliverable as `cdcece9`; clean tree; claimed the gate.
+
+---
+
+## 2026-06-13T19:00Z — Adversary cold verification COMPLETE — ALL DoD PASS
+
+Independent cold verification from `/tmp/ao-adv-check` clone (cloned before reading Builder STATUS):
+
+- DoD-1 Unit tests: `Ran 51 tests` … `OK`, rc=0 inside `nix develop` ✓
+- DoD-2 claude smoke: `=== CLAUDE BACKEND SMOKE: PASS ===` — isolated prefix `aotest-c-681472-`,
+  pane command `claude`, TUI alive, status RUNNING, down cleans up ✓
+- DoD-3 opencode smoke: `=== OPENCODE BACKEND SMOKE: PASS ===` — dedicated port `:4097` (not 4096),
+  isolated prefix `aotest-o-681566-`, TUI attached, status RUNNING, down cleans up + port freed ✓
+- DoD-4 Isolation: no `aotest-*` sessions; port 4097 free; `cc-ci-orchestrator/watchdog/assistant3`
+  all present ✓
+- DoD-5 Committed + documented: `tests/` in commit `cdcece9`, README `## Testing` section covers
+  invocation, layers, env vars, skip conditions, and safety ✓
+- Full suite via `run.sh`: `SUMMARY: unit=PASS claude=PASS opencode=PASS isolation=PASS` — rc=0 ✓
+
+Verdict written to REVIEW-aotest.md. Committed with `review(aotest)` prefix → watchdog pings Builder.
+Phase aotest DONE (Adversary side). Awaiting Builder to write `## DONE` to STATUS-aotest.md.

machine-docs/JOURNAL-bsky.md

@@ -0,0 +1,120 @@
+# JOURNAL — phase bsky
+
+## 2026-06-11T11:31Z–11:55Z — bootstrap + root-cause diagnosis (B1, B2)
+
+Phase start. Read plan-phase-bsky-fix.md + plan.md §6.1/§7/§9. Adversary seeded
+REVIEW-bsky.md (8d5bf30) with cold baseline recon — same suspects I confirmed below.
+
+**Diagnosis chain (commands + outputs):**
+
+1. Mirror clone (b2d86ef): `compose.yml` pins `image: ghcr.io/bluesky-social/pds:0.4`,
+   overrides entrypoint (`dumb-init --` + config-mounted `/entrypoint.sh`);
+   `entrypoint.sh.tmpl` ends `exec node --enable-source-maps index.js` — relative path,
+   resolved against image WORKDIR.
+
+2. Live image inspection on cc-ci:
+   `docker image inspect ghcr.io/bluesky-social/pds:0.4 --format "{{.Id}} created={{.Created}} workdir={{.Config.WorkingDir}} ... cmd={{.Config.Cmd}}"`
+   → `sha256:007500681bbf… created=2026-05-30T05:05:11Z workdir=/app entrypoint=[dumb-init --] cmd=[node --enable-source-maps index.ts]`
+   `docker run --rm --entrypoint sh ghcr.io/bluesky-social/pds:0.4 -c 'node --version; ls /app'`
+   → `v24.15.0` / `index.ts node_modules package.json pnpm-lock.yaml` — **no index.js**.
+   `grep @atproto/pds /app/package.json` → `"@atproto/pds": "0.5.1"`; /usr/local/bin/goat present.
+   So `:0.4` is now a main-branch 0.5.1 build → recipe's `index.js` exec = MODULE_NOT_FOUND.
+   This precisely explains the rcust-era crash-loop evidence (Node v24.15.0 in traceback).
+
+3. Upstream research:
+   - ghcr tags/list (paginated): exact tags …0.4.158, 0.4.169, 0.4.182, 0.4.188, 0.4.193,
+     0.4.204, 0.4.208, 0.4.219, plus anomalous 0.4.5001. `:0.4` digest `871194d2…` ==
+     `latest`, ≠ `0.4.219` (`e0b756701c92…`) → :0.4 republished past the release line.
+   - Dockerfile@v0.4.219: node:20.20-alpine3.23, WORKDIR /app, CMD index.js, dumb-init.
+   - Dockerfile@main: node:24.15-alpine3.23, CMD index.ts, + goat binary — matches what
+     `:0.4` now contains. GitHub `releases/latest` 404s (they only push git tags).
+   - service/package.json@v0.4.219: `"@atproto/pds": "0.4.219"`.
+
+4. Candidate-fix image verified on cc-ci:
+   `docker run --rm --entrypoint sh ghcr.io/bluesky-social/pds:0.4.219 -c 'node --version; ls /app; grep @atproto/pds /app/package.json; which dumb-init'`
+   → `v20.20.2` / index.js present / `"@atproto/pds": "0.4.219"` / `/usr/bin/dumb-init`.
+   Image CMD `[node --enable-source-maps index.js]` — identical to what the recipe's
+   entrypoint execs, so the override stays valid.
+
+**Why pin 0.4.219 and not chase 0.5.1 (rationale, summarized in DECISIONS.md):** 0.5.1
+exists only as the moving `:0.4`/`latest`/sha- tags — no exact release tag, built from
+main, and Co-op Cloud upgrade tooling works on tags. Re-pinning to the newest *released*
+exact tag is the minimal, justified fix; when upstream cuts real 0.5.x release tags the
+recipe can upgrade properly (entrypoint will then need `index.ts` + Node 24 — noted in
+upstream registry).
+
+Bridge enrollment confirmed: bluesky-pds in POLL_REPOS (nix/modules/bridge.nix:43) →
+`!testme` works. Mirror has only closed PR#1 (skill smoke test); my fix → PR#2.
+
+Next: DECISIONS entry (B3), mirror branch + PR (B4), !testme (B5).
+
+## 2026-06-11T11:40Z–11:55Z — run 423 red: the upgrade-BASE trap (B5 first attempt)
+
+PR #2 opened (branch upgrade-0.3.0+v0.4.219, head f7b6c8df, 2-line diff) and !testme'd
+(comment 14340) → drone build/run 423. RESULT: install=fail, level 0 — but NOT the PR:
+the run never deployed the PR head. The harness deploys ONCE at the upgrade BASE
+(`previous_version` = vers[-2] = 0.1.1+v0.4 — confirmed: run-423's recipe checkout sat at
+tag 0.1.1+v0.4) and only the upgrade tier chaos-redeploys the PR head. Both published tags
+(0.1.1+v0.4, 0.2.0+v0.4) pin the broken moving `:0.4` → the base crash-loops the SAME
+MODULE_NOT_FOUND (run-423 app log: Node v24.15.0, /app/index.js missing) → install fails
+before my fix is ever exercised. No published version can EVER deploy again (upstream
+republished the tag) — so the upgrade path is structurally unverifiable until a fixed
+version is published post-merge.
+
+Fix (harness, evidence-backed, not a weakening): EXPECTED_NA["upgrade"] (the EXISTING
+declared-intentional-skip mechanism, de-capped levels phase lvl5) now also suppresses the
+base deploy — extracted `upgrade_base()` pure helper in run_recipe_ci.py; single deploy
+becomes the PR head; upgrade tier records "skip"; derive_rungs classifies it intentional
+with the declared reason (visible in results.json skips.intentional — never reported as a
+pass). tests/bluesky-pds/recipe_meta.py declares it with the full reason + the re-enable
+path (UPGRADE_BASE_VERSION="0.3.0+v0.4.219" once published). 6 new unit tests
+(tests/unit/test_upgrade_base.py) lock the decision matrix; meta-key doc regenerated.
+Verified: 253 unit tests pass on cc-ci (was 247), repo lint PASS. Pushed e9745c8.
+
+Re-triggered !testme (comment 14342) → build/run 427. Monitor armed.
+
+## 2026-06-11T12:05Z — run 427 GREEN: level 5 at PR head; M1 claimed (B5, B6, B7)
+
+Run 427 (drone build 427, comment 14342): level 5 — install/backup_restore/functional/
+lint PASS, upgrade = declared intentional skip (reason verbatim in skips.intentional),
+clean_teardown + no_secret_leak true, ref f7b6c8dfb81c. Per-run recipe checkout at PR
+head f7b6c8d with image 0.4.219 (the fix WAS what deployed). Bridge reflected success →
+PR comment 14343 ✅. Screenshot Read and verified: genuine PDS landing page (ASCII
+butterfly, "This is an AT Protocol Personal Data Server", /xrpc/ pointer) — exactly the
+default capture the phase plan predicted would work once deploy works; no hook needed.
+Card (summary.png): 5/5, upgrade shown INTENTIONAL SKIP with reason; badge "level 5"
+green. M1 claimed in STATUS-bsky.md.
+
+## 2026-06-11T12:15Z — records closed (B8) + operator summary drafted (B9)
+
+DEFERRED bluesky entry marked RESOLVED with pointers (f150012) — covers BOTH the re-pin
+follow-up and the rcust M2 baseline-exclusion note.
+
+**Shot-phase N/A disposition update (supersedes the deploy-gated classification):**
+the shot phase classified bluesky-pds's screenshot "deploy-gated N/A — never capturable
+because the app never comes up". With the PR#2 fix deployed (run 427, PR head), the
+DEFAULT landing-page capture works exactly as the phase plan predicted: a real,
+representative, credential-free PDS landing page (ASCII butterfly + "This is an AT
+Protocol Personal Data Server" + /xrpc/ pointer). No SCREENSHOT hook was needed. The
+N/A stands for HISTORICAL runs only; post-merge, bluesky-pds screenshots like any other
+recipe.
+
+Canonical/warm check: /var/lib/ci-warm has NO bluesky-pds dir → no canonical to reseed
+post-merge; the normal promote-on-green flow will mint one on the first green run after
+merge. Operator summary written to STATUS-bsky.md (B9).
+
+## 2026-06-11T15:50Z — M1 PASS received; M2 claimed (B10)
+
+M1 PASS @12:30Z (REVIEW-bsky 369f4f4), no findings, no VETO — every item reproduced cold
+incl. negative-control teeth and the per-recipe scoping of the EXPECTED_NA change. (Gap
+12:30→15:45 was a quota window, not work.) All M2 builder-side items were already in
+place (DEFERRED f150012, operator summary cba53b6); claimed M2 with re-trigger
+instructions for the fresh cold pass. Phase DoD after M2 PASS → ## DONE with PR open.
+
+## 2026-06-11T15:55Z — M2 PASS → ## DONE
+
+M2 PASS @15:48Z (42eabba): Adversary independently re-triggered !testme (comment 14344 →
+build 435, level 5 at f7b6c8df, identical rung profile + screenshot sha to 427) and
+corroborated every handoff item — including that 0.5.x has NO release tag, fully settling
+the §2.2 upgrade-preference question. ## DONE written. Phase ends with PR #2 open for the
+operator; loop stopped.

machine-docs/JOURNAL-canon.md

@@ -0,0 +1,213 @@
+# JOURNAL — phase `canon` (canonical sweep, make it real)
+
+Builder reasoning log. WHY lives here; WHAT/HOW/EXPECTED/WHERE live in STATUS-canon.md.
+
+## 2026-06-17 — bootstrap / code survey
+
+Read the phase canon (`plan-phase-canon-canonical-sweep.md`) + plan.md §6.1/§7/§9. Surveyed the
+existing canonical/sweep machinery before designing. Key findings:
+
+### Clone identity
+`/srv/cc-ci` is a symlink → `/srv/cc-ci-orch`; the env's two "working dirs" are the same directory.
+This IS the Builder clone (reflog shows the `claim(M2)`/`status(samever) ## DONE` commits). The
+Adversary cold-verifies from its own fresh clones. No collision.
+
+### What already works (phase doc is partly stale)
+- The phase doc says "ZERO canonical.json exist". **Not true any more**: a real canonical for
+  `custom-html` exists on the host at `/var/lib/ci-warm/custom-html/canonical.json`
+  (`version 1.13.0+1.31.1`, commit `2b82eba…`, status idle, ts `20260617T050314Z`) with its retained
+  data volume `warm-custom-html_..._content`. It was produced by a **manual** cold run during the
+  `samever` phase, NOT by the timer. So the *promote primitive* (seed_canonical → write_registry +
+  warmsnap) demonstrably works; the **sweep that should drive it is what's hollow.**
+
+### The real "hollow sweep" defect (root cause, confirmed live)
+The deployed `nightly-sweep.timer` fired 2026-06-17 03:09 and logged:
+`===== nightly cold sweep: enrolled canonicals = [] =====` → a true no-op.
+Cause: `nightly_sweep.py` does `REPO = os.environ.get("CCCI_REPO", "/root/cc-ci")` then
+`sys.path.insert(0, REPO/runner); from harness import canonical`. The systemd unit
+(`nix/modules/nightly-sweep.nix`) sets **no `CCCI_REPO`**, and `/root/cc-ci` **does not exist** on the
+host. So the import falls through to the harness packaged in the **nix store** (`runnerSrc=../../runner`
+— runner/ only, NO tests/). `meta.TESTS_DIR = ROOT/tests` then points at a nonexistent dir →
+`enrolled_recipes()` swallows the OSError → `[]`. Even though `custom-html` is enrolled in the repo,
+the deployed timer never sees it. **This is the machinery that was "specified but never doing
+anything."** Fix: point the sweep at a real, current checkout that has `tests/`.
+
+### How current code stays live on the host
+- Normal recipe CI: Drone `exec` pipeline auto-clones cc-ci per build into its workspace, then runs
+  `cc-ci-run runner/run_recipe_ci.py` from that fresh clone → tests/runner always current.
+- `/etc/cc-ci` is a **git clone** (the nixos flake source: `nixos-rebuild --flake /etc/cc-ci#…`).
+  It is currently STALE (`e60415d`, far behind main) because recent phases only touched `runner/`
+  (picked up by Drone's fresh clone) and needed no nixos-rebuild. The sweep is the first thing that
+  needs `/etc/cc-ci` current.
+- Plan: sweep service sets `CCCI_REPO=/etc/cc-ci` and runs `nightly_sweep.py` FROM the checkout
+  (change the nix to exec `$CCCI_REPO/runner/nightly_sweep.py`, not the store copy) → after a deploy
+  that does `git -C /etc/cc-ci pull && nixos-rebuild`, the sweep reads current tests/ + runner. This
+  reuses the flake-source checkout (declarative, reproducible) rather than inventing a new clone.
+
+### Promote path (the core, §2.A)
+- `should_promote_canonical(recipe, ref, overall, quick)` = enrolled & green & cold(not quick) &
+  not-ref (no PR head). `promote_canonical` deploys `latest_version(recipe_tags(recipe))` (the latest
+  git tag) fresh/in-place, waits healthy, undeploys, `seed_canonical` (snapshot + write_registry).
+- **Tagged-promote addition needed:** the green gate currently tests *whatever fetch_recipe checked
+  out* (catalogue `main` HEAD for a cold run), which can be untagged-ahead of the latest tag, while
+  promote always writes the latest TAG. Per operator: a canonical must only ever be a real release.
+  Add a `tagged` requirement: the tested head version (`abra.head_compose_version`, the compose
+  `version` label) must equal a published release tag (`recipe_tags`). When main HEAD == latest
+  release (the common just-cut case) head_version == latest tag → promote; when main is untagged-ahead
+  → no promote.
+
+### Trigger on a NEW RELEASE TAG (§2.D) + test the tag (not main)
+- Version ordering is centralized in `warm_reconcile.version_key` / `latest_version` /
+  `newest_older_version` (already used by samever step-back). Reuse them.
+- Trigger (pure, in the sweep, per recipe): after mirror-sync, `latest = latest_version(recipe_tags)`;
+  `canon = read_registry(recipe).version`. No tag → SKIP (never released). `latest <= canon` (by
+  version_key) → SKIP no-new-version (even if main has untagged commits — we compare tags not
+  commits). `latest > canon` → run cold on the tag.
+- **Test the TAG cold:** to honour "run CI cold on that tagged version" (and so a green gate proves
+  the exact thing that gets promoted), check out the latest tag in `~/.abra/recipes/<recipe>` and run
+  with `CCCI_SKIP_FETCH=1` (the existing staging mechanism) → head_version = tag, head_ref = tag
+  commit, REF empty (so `not ref` still holds → promote allowed). The upgrade-base resolver then sees
+  canonical(older) < head(new tag) → real delta (samever step-back never fires: tag>canon by
+  construction).
+
+### samever orthogonality (operator-required)
+The release-tag trigger guarantees, in the sweep, version-under-test > canonical, so the upgrade
+base is strictly older → `samever`'s same-version step-back never fires. (a) no new tag → SKIP, no
+upgrade-tier run; (b) new tag → canonical(older)→new, real delta, promote. samever's same-version
+behaviour stays owned by the samever phase on the PR path. Will demonstrate both in M2.
+
+### Enroll-all set (§2.B)
+Authoritative inventory = `cc-ci-plan/used-recipes.md` (21 rows: 20 `weekly` + `uptime-kuma`
+`external`). NOT the test fixtures (custom-html-bkp-bad / -rst-bad, concurrency, regression,
+_generic). custom-html-tiny IS in used-recipes (weekly) → enroll it too.
+
+### Disk budget (§2.B watch-item)
+Host `/`: 150G total, 104G used, **40G free (73%)**. `du` of /var/lib/ci-warm today: custom-html 32K,
+keycloak 159M. Retaining ~21 fresh-install data volumes should be a few GB; immich/matrix/mailu are
+the ones to watch. Will measure during the M2 full sweep and record the real budget; raise the VM
+disk (orchestrator) rather than silently drop recipes if it binds.
+
+### §2.G UPGRADE_BASE_VERSION retirement — gated on M2
+`plausible` pins `UPGRADE_BASE_VERSION="3.0.1+v2.0.0"`; `bluesky-pds` only references it in a comment.
+Retirement requires plausible's canonical to actually land at its latest green release so the dynamic
+resolver picks the right base — so this is sequenced AFTER M2 promotes plausible. Keep the pin if
+plausible can't go green dynamically (record why).
+
+## 2026-06-17 — M1 built + live-proven (CLAIMED)
+
+All M1 code landed (HEAD d4cc9e4). Reasoning behind the choices:
+
+- **Tagged-gate computes `tagged` at the call site, not inside the gate** — keeps
+  `should_promote_canonical` pure (the Adversary anti-anchoring + the existing unit-test contract).
+  `is_released_version` lives in warm_reconcile (owns version logic + recipe_tags I/O).
+- **Promote the TESTED version (divergence fix, d4cc9e4):** the Adversary's pre-claim probe flagged
+  that the gate checks `head_version` but promote recorded `latest_version(recipe_tags)`. Live proof-A
+  made this concrete and favourable: the OLD record had commit `2b82eba` (a merge-to-main commit),
+  but the tag `1.13.0+1.31.1` actually points to `df2e273`. Recording the tested version's head_ref
+  now writes the TAG commit — strictly more correct. Sweep path was already safe (head==tag), but the
+  manual `RECIPE=<r>` path needed it.
+- **Why a vendored mirror-sync script, not the nix-store open-recipe-pr.sh:** the recipe clones on
+  cc-ci have INCONSISTENT remotes (n8n: origin=mirror; mumble: origin=coopcloud; ghost/discourse:
+  origin=mirror, no `upstream`). open-recipe-pr.sh assumes origin=coopcloud → would force-sync mirror
+  main to *mirror* main (no-op) for most. The vendored `scripts/recipe-mirror-sync.sh` pins an
+  explicit coopcloud `upstream` remote from the recipe name, syncs main+TAGS (canon needs upstream
+  tags for the trigger), and authes via the bot token (self-contained, not host .git-credentials).
+  Behaviour matches the phase's described open-recipe-pr.sh --reconcile-only (faithful, close
+  merged-upstream PRs, leave unrelated). See DECISIONS.
+- **Why test the TAG via checkout+CCCI_SKIP_FETCH (run_on_tag), not just REF=tag:** REF alone (no SRC)
+  takes fetch_recipe's `abra recipe fetch` branch (ignores REF) AND would set `ref` → should_promote
+  blocks. Staging the tag in the clone + CCCI_SKIP_FETCH makes head=tag with REF empty → promote
+  allowed, and exercises the real "cold on the tagged release" path.
+
+### Live proof evidence (cc-ci, /root/canon-verify @ d4cc9e4)
+- proof-A (promote): canonical.json fresh ts 065027Z, commit df2e273 (=tag commit). Note: because
+  custom-html canonical already == latest, run_on_tag here re-promoted an EQUAL version → the samever
+  step-back fired (base 1.11.0+1.29.0). That is an artifact of bypassing the trigger for the proof;
+  the REAL sweep SKIPs equal-version (sweep_decision), so the step-back never fires in the sweep — to
+  be shown live in M2 (canonical(older)→new tag, base=canonical, no step-back).
+- proof-B (reattach): --quick reattached the retained volume, green (4 tests passed), known-good
+  version+commit UNCHANGED (df2e273); ts re-stamped only by the idle-status write (write_registry
+  stamps ts on every status write) — NOT a promote.
+- proof-C (untagged→no-promote): green cold run (level 5/5) on an untagged head (label 1.13.1+1.31.1)
+  → 0 promote log lines, canonical.json byte-identical before/after. Tagged-gate works live.
+
+## 2026-06-17 — M2 prep recon (non-advancing, while awaiting M1 verdict)
+
+Read-only sweep_decision survey across the 21 enrolled (from existing host clones; the real sweep
+mirror-syncs+fetches first so tags may differ slightly):
+- **20 recipes have NO canonical yet → first sweep RUNs (seed) each**; only custom-html SKIPs.
+- plausible latest tag = **3.0.1+v2.0.0** (== the §2.G UPGRADE_BASE_VERSION pin target) → once the
+  sweep seeds plausible's canonical at 3.0.1, the dynamic base should resolve 3.0.1 and the pin can go.
+
+M2 risks to plan for (when M1 PASSes):
+1. **Runtime:** 20 full cold deploy/test/teardown runs, several heavy (matrix-synapse, immich, mailu,
+   discourse, ghost, mattermost) at 15-25 min each → a single full sweep likely EXCEEDS the timer's
+   6h TimeoutStartSec. Options: run M2.2 in the foreground (not the timer) for the full promote proof,
+   raise TimeoutStartSec, and prove the real-timer-fire (M2.5) on a smaller already-canonical set
+   (so the fire advances at least one canonical, not exit-0 on empty).
+2. **Disk:** 20 retained data volumes on 40G free. Measure as it runs; raise the VM disk
+   (orchestrator) if it binds rather than dropping recipes (per §2.B). Heavy: immich/matrix/mailu.
+3. **Reds are acceptable** (canonical just not advanced) — but maximise greens; investigate any red.
+4. Unusual tag formats (ghost 1.3.0+6.42.0-alpine, gitea 3.5.3+1.24.2-rootless, mumble
+   1.0.0+v1.6.870-0) — version_key parses leading numerics; is_released_version exact-match covers them.
+
+## 2026-06-17 — promote fix validated (DEFECT-1/2 response)
+
+Validated f94de22 on the 3 distinct failure classes via run_on_tag from /etc/cc-ci:
+- custom-html-tiny (install_steps content): PROMOTED 1.2.0+2.43.0 ✓
+- ghost (dirty-tree app-new FATA): PROMOTED 1.4.0+6.45.0-alpine ✓
+- bluesky-pds (special secret): secret now inserted in promote + deploy succeeds, but warm health
+  fails — PDS is healthy INTERNALLY (200 on localhost:3000) yet not routed via traefik on the warm
+  domain (000). This is a bluesky-specific WARM-DOMAIN ROUTING issue (cold-test domain worked),
+  NOT the promote-wiring bug. Documented as a known red pending follow-up (the sweep leaves it
+  intact per guardrails). DEFECT-1 (label) fixed: sweep result now derives from canonical existence.
+Full sweep re-run launched (skips the 7 already-promoted = determinism evidence; runs the rest).
+
+## 2026-06-17 ~13:20 — RESUME reconstruction (post-compaction) + real-timer re-fire in flight
+
+Reconstructed state from cc-ci (not memory): the parity fix (2c61f2f) is DEPLOYED — the deployed
+nix-store sweep script `/nix/store/2q6a27hnnmy0.../cc-ci-nightly-sweep` contains
+`export PATH="/run/current-system/sw/bin:/run/wrappers/bin:$PATH"`. A prior iteration committed
+2c61f2f (13:00) → pulled /etc/cc-ci → nixos-rebuild → `systemctl start nightly-sweep.service` (13:01),
+then handed off. So the **DEFECT-3 production-env re-fire is IN FLIGHT** as the real timer service
+(PID 2149231, `TriggeredBy: nightly-sweep.timer`, ppid=1, journald socket).
+
+Parity precondition CONFIRMED real (not asserted): `git-lfs` → `/run/current-system/sw/bin/git-lfs`
+(symlink to git-lfs-3.6.1); Drone exec runner `/proc/<pid>/environ` PATH =
+`/run/current-system/sw/bin:/run/wrappers/bin` — identical head to the sweep's now-prepended PATH.
+
+This fire so far (journalctl -u nightly-sweep.service --since 13:01):
+- custom-html RUN — new release 1.13.0+1.31.1 > canonical **1.11.0+1.29.0** → **PASS (promoted
+  1.13.0+1.31.1)** @13:15:17. A real-timer non-hollow promotion + the constructed older→new advance
+  (M2.6 path 2 / M2.5 non-hollow) under the deployed parity env. (custom-html canonical had been
+  reset to 1.11.0 pre-fire to stage the advance.)
+- cryptpad SKIP, custom-html-tiny SKIP (determinism — promoted-at-latest skip), bluesky-pds
+  GREEN-BUT-PROMOTE-FAILED (documented warm-routing red).
+- Now at discourse (RUN seed, deploying). CRUX still pending: gitea (8th) must flip cold-GREEN under
+  the parity PATH (git-lfs now present) — that is the DEFECT-3 acceptance criterion.
+Polling every ~5 min (single node, fire in flight). Not touching the node until it completes.
+
+## 2026-06-17 ~14:40 — production re-fire COMPLETE; DEFECT-3 closed; launching clean determinism 2nd sweep
+
+The DEFECT-3 re-fire (nightly-sweep.service, 13:01:01→14:37:22, Result=success, status=0, single
+serial) completed cleanly under the deployed Drone-parity PATH. **gitea crux RESOLVED:**
+`test_lfs_roundtrip PASSED` (the test that redded on the missing-git-lfs fire) → gitea cold-GREEN in
+production env, then the documented app.ini warm-advance exception (3.5.3 kept). So the only reason
+gitea redded before was the timer-env git-lfs gap, now fixed by host-PATH parity — confirming the fix
+is the right one (the sweep validates exactly as Drone CI does). No NEW promote failures surfaced that
+the manual env had masked → DEFECT-3 is the LAST env-parity gap, now closed.
+
+custom-html 1.11.0→1.13.0 advance promoted in this real timer fire: this is simultaneously the M2.5
+non-hollow real-fire proof AND the M2.6 constructed older→new advance (canonical(older)→new tagged,
+real delta, samever step-back never fires because tag>canon by construction). 14 promoted-at-latest
+recipes SKIP no-new-version live = determinism preview inside the production fire.
+
+**Why a clean 2nd sweep now (M2.3):** in this fire custom-html was the one promoted recipe that RAN
+(I'd reset its canonical to 1.11.0 pre-fire to stage the advance). Now it's at 1.13.0 = latest, so all
+16 promoted canonicals are at-latest. An immediate 2nd sweep therefore yields the clean run-twice
+result the plan's M2.3 asks for: the 15 promoted-at-latest SKIP (incl. custom-html), and ONLY the 5
+documented exceptions RUN (gitea 3.6.0 advance retry, discourse/mattermost-lts/mumble reds, bluesky
+warm-routing). Reds re-running is the accepted, DECISIONS-recorded deviation from the literal "skip
+every recipe" (cannot weaken a test to force a promote). Launching it as the real service again
+(systemctl start) for max faithfulness; ~96 min (discourse's deterministic 60-min deploy-timeout
+dominates). Disk budget healthy: ci-warm 1.1G / 16 volumes, 38G free.

machine-docs/JOURNAL-cf48.md

@@ -0,0 +1,61 @@
+# JOURNAL — phase cf48 (Opus 4.8 post-cfold coverage-loss review)
+
+## 2026-06-13T05:30Z — Independent cold review complete, M1 claimed
+
+**Model check:** session reports `claude-opus-4-8`, override files
+`/srv/cc-ci/.cc-ci-logs/.loop-model-cf48 = claude-opus-4-8` and `.loop-backend = claude`. Matches the
+phase Model Requirement — proceeded.
+
+**Approach.** Reviewed independently first (formed my own verdict from the diff, the code, and live
+probes), THEN read cf55 to reconcile. The plan named GPT-5.5 for cf55 but cf55 actually ran on
+claude-sonnet-4-6 (launcher mismatch, orchestrator relaunch — documented in its own state files), so the
+"two different models" cross-validation is Sonnet 4.6 vs Opus 4.8. Recorded honestly in STATUS rather
+than pretending it was GPT vs Claude.
+
+**Why I'm confident it's a pure relocation.** The cfold safety argument (discovery globs both old subdirs
+with no branching, both map to the L4 `functional` rung, identical fixtures/failure semantics) was already
+established in the cfold plan §1. My job was to confirm the *execution* matched. Three things made it
+provable rather than "looks right":
+1. The cardinal coverage diff (cmd 6) compares the actual git trees at `44e0242^` and HEAD by
+   `(recipe, filename)`, stripping the folder component — a byte-identical sorted diff means no file was
+   added, dropped, or renamed-away, only re-parented. This is stronger than a count match (counts can
+   coincide while a file is swapped).
+2. `git show --find-renames` collapses the 100%-identical moves so only the 5 content-touched test files
+   surface — and each of those is a docstring/comment/sys.path line, never an assertion. Small surface to
+   eyeball exhaustively.
+3. The whole-repo grep for `functional/`/`playwright/` literals outside the alias handling, plus the
+   `== "functional"` value-branch grep, proves no consumer (manifest, screenshot, dashboard, drone, bridge)
+   silently keys off the old folder name. Only `discovery.py`'s intentional alias lines remain.
+
+**Discrepancy I caught vs cf55.** cf55's narrative claims keycloak's custom tests had a `sys.path` depth
+adjustment `../..` → `../../..`. The diff shows those lines unchanged (only the comment moved). Harmless —
+functional/ and custom/ are equal depth so no adjustment was needed — but it's a factual slip in cf55's
+write-up. Surfaced in the agreement note per the phase's "note where the two disagree" instruction. cf48
+found it; cf55 missed it. No coverage consequence either way.
+
+**Evidence audit stance.** Did NOT rerun the full fleet sweep (guardrail: don't re-sweep unless cfold
+evidence is incomplete — it isn't). Relied on cfold's cold-verified M2 PASS (REVIEW-cfold.md 04:11:00Z):
+all 20 recipes L5, custom-junit counts = baseline per recipe, ghost upgrade junit=2, live_pr_apps=0. That
+is sufficient and independently re-runnable evidence; re-sweeping would be churn.
+
+**Commands run (all green):** unit suite `18 passed`; per-recipe counts all match; cardinal diff
+`IDENTICAL SET`; alias probe `found: ['test_new.py','test_old.py','test_ui.py']` + 2 warnings; stale-
+consumer grep clean; `git status` clean; RUNG name `"functional"` intact.
+
+**Next:** parked at M1 CLAIMED gate awaiting Adversary M1 + M2 PASS in REVIEW-cf48.md. No other unblocked
+cf48 work (review-only phase). Will self-poll with a fallback while the watchdog edge-pings on the
+Adversary's `review(...)` commit.
+
+## 2026-06-13T06:32Z — Resumed to close cf48; M2 claimed
+
+Re-invoked on cf48. Found M1 PASS already recorded (REVIEW-cf48.md @05:29Z, commit `836ab13`) but the
+loop had advanced through pvfix/pvcheck/ghost (all DONE) without an explicit **M2** PASS or a `## DONE`
+here — cf48 was left dangling at M1. The M2 gate (no-loss verdict) was never separately handshaken even
+though the M1 review text already establishes the full no-loss evidence.
+
+Action: re-verified the cheap structural checks (1–6) to confirm no test-tree drift since M1 — canonical=64,
+stale=0, lifecycle_in_custom=0, lifecycle_top=64, cardinal diff still IDENTICAL SET. Then updated STATUS
+to mark M1 PASS received + claim M2, and pushed `claim(cf48-M2)` (commit `61ad356`) to ping the Adversary.
+M2 reuses M1's already-cold-verified evidence — no new build/sweep (review-only phase, cfold evidence
+complete per guardrail; re-sweeping would be churn). Parked awaiting Adversary M2 PASS in REVIEW-cf48.md,
+after which I write `## DONE`.

machine-docs/JOURNAL-cf55.md

@@ -0,0 +1,54 @@
+# JOURNAL — phase cf55
+
+## 2026-06-13 — Phase cf55 bootstrap stopped on model mismatch
+
+Phase requirements checked:
+- Kickoff prompt requires `plan-phase-cf55-gpt55-cfold-review.md` as the single source of truth for this phase.
+- That phase plan requires both Builder and Adversary to run on `GPT-5.5` and to record their model in the first phase entry.
+
+Observed session state:
+- Current OpenCode session model: `openai/gpt-5.4`
+- This does not satisfy the phase requirement, so no review work was started.
+
+Actions taken:
+- Read the kickoff prompt and required plan documents.
+- Confirmed there were no existing `machine-docs/*cf55*` state files.
+- Seeded `STATUS-cf55.md`, `BACKLOG-cf55.md`, and `JOURNAL-cf55.md` with the blocked state.
+
+Next required action:
+- Orchestrator must relaunch the Builder for phase `cf55` on `openai/gpt-5.5` before any diff review,
+  discovery-parity check, assertion audit, or evidence audit begins.
+
+---
+
+## 2026-06-13T05:11Z — Review work complete; M1 claimed (Claude Code relaunched by orchestrator)
+
+Prior GPT-5.4 loops (both Builder and Adversary) correctly stopped on model mismatch.
+Orchestrator relaunched this phase via Claude Code (claude-sonnet-4-6). Proceeded with the
+full cf55 review per the phase plan.
+
+**Review performed:**
+
+1. Read `plan-phase-cf55-gpt55-cfold-review.md`, `STATUS-cfold.md`, `REVIEW-cfold.md`.
+2. Examined cfold implementation commit `44e0242` in full:
+   - `discovery.py` diff
+   - `manifest.py` diff
+   - All unit test diffs (`test_discovery.py`, `test_discovery_phase2.py`, `test_manifest.py`)
+   - Mailu lifecycle overlay `sys.path` updates
+   - Ghost recipe_meta.py + drone install_steps.sh comment changes
+   - Keycloak test file path adjustments
+   - Documentation diffs (`recipe-customization.md`)
+3. Verified live repo state:
+   - `git ls-files "tests/*/custom/test_*.py" | wc -l` → 64
+   - `git ls-files "tests/*/functional/*" "tests/*/playwright/*" | grep test_` → empty
+   - Per-recipe counts: all 20 match baseline exactly
+   - `nix shell ...pytest tests/unit/...` → 18 passed
+   - Lifecycle overlay check: zero files in `custom/test_{install,upgrade,backup,restore}.py`
+   - Deprecated-alias probe: both deprecated dirs found with WARNING emitted
+   - RUNG name `"functional"` preserved in `level.py`
+   - `git status` → clean
+
+**Decision:** No coverage loss found. All 7 review categories PASS. Claimed M1.
+Awaiting Adversary PASS on M1. Since both M1 and M2 are covered by this review (the review
+matrix is the entire DoD), will claim M2 simultaneously with M1 and await a single combined
+Adversary verdict, or claim M2 immediately after M1 PASS if the Adversary needs separation.

machine-docs/JOURNAL-cfold.md

@@ -0,0 +1,487 @@
+# JOURNAL — phase cfold
+
+## 2026-06-11 — Phase cfold start
+
+### Investigation findings
+
+Pre-existing test layout:
+- 60 files in `functional/` subdirs across 20 recipes
+- 4 files in `playwright/` subdirs (cryptpad, custom-html, uptime-kuma)
+- Helper modules to move: `_discourse.py`, `_ghost.py`, `_mailu.py`, `_mm.py`, `_mumble_proto.py`, `drone/functional/__init__.py`
+- `mailu/test_backup.py`, `test_restore.py`, `ops.py` explicitly add `functional/` to sys.path — need updating to `custom/`
+
+### Decision: deprecated aliases
+
+Per plan §2 option (RECOMMENDED): keep recognizing `functional/`/`playwright/` as deprecated aliases
+AND emit a loud one-line warning when a test is found in a deprecated folder. Using `warnings.warn()`
+at import time of discovery or `print()` directly. Will use `print()` (stderr) so it shows up in CI
+logs without needing to configure warning filters.
+
+Implementation: `subdirs = ("custom", "functional", "playwright")` — canonical first — and after
+finding a test in `functional/` or `playwright/`, emit:
+`print(f"WARNING [cfold]: test found in deprecated folder '{sub}/' — move to custom/: {path}", flush=True, file=sys.stderr)`
+
+This way:
+- `custom/` is canonical and gets discovered first
+- Old folders still work (zero breakage for repo-local tests) but emit a loud warning
+- No silent coverage loss possible
+
+## 2026-06-12 — M1 checkpoint: canonical `custom/` layout landed locally
+
+Code/work completed:
+- `runner/harness/discovery.py`: canonical `custom/` discovery, deprecated alias warnings, and
+  `custom_subdir_label()` normalization helper.
+- `runner/harness/manifest.py`: custom-test counts now normalize to canonical `custom`.
+- all cc-ci custom tests/helper modules moved from `tests/<recipe>/{functional,playwright}/` into
+  `tests/<recipe>/custom/`.
+- helper-import fallout fixed where needed (`tests/mailu/{ops.py,test_backup.py,test_restore.py}`).
+- docs updated to describe `custom/` as the canonical layout and explain the alias-compatibility window.
+
+Mechanical move summary:
+- 64 custom test files relocated into `custom/`
+- helper modules relocated too: `_discourse.py`, `_ghost.py`, `_mailu.py`, `_mm.py`,
+  `_mumble_proto.py`, `tests/drone/custom/__init__.py`
+
+Verification:
+```bash
+nix shell nixpkgs#python312Packages.pytest --command pytest \
+  tests/unit/test_discovery.py tests/unit/test_discovery_phase2.py tests/unit/test_manifest.py -q
+# ..................
+# 18 passed in 0.09s
+```
+
+Post-move grep state:
+- remaining `functional/` / `playwright/` matches in live code are intentional: alias-policy docs,
+  deprecated-folder assertions in the unit tests, and discovery comments describing the alias behavior.
+- the pre-migration inventory in `BACKLOG-cfold.md` is intentionally unchanged because it is the M1
+  baseline record the Adversary will compare against.
+
+## 2026-06-12 — M1 coverage proof assembled
+
+Verification commands + observed outputs:
+
+```bash
+$ git ls-files "tests/*/custom/test_*.py" | wc -l
+64
+
+$ git ls-files "tests/*/functional/*" "tests/*/playwright/*"
+# no output
+
+$ for recipe in bluesky-pds cryptpad custom-html custom-html-tiny discourse drone ghost hedgedoc immich keycloak lasuite-docs lasuite-drive lasuite-meet mailu matrix-synapse mattermost-lts mumble n8n plausible uptime-kuma; do count=$(git ls-files "tests/$recipe/custom/test_*.py" | wc -l); printf "%s %s\n" "$recipe" "$count"; done
+bluesky-pds 4
+cryptpad 4
+custom-html 4
+custom-html-tiny 1
+discourse 3
+drone 1
+ghost 4
+hedgedoc 2
+immich 3
+keycloak 3
+lasuite-docs 5
+lasuite-drive 3
+lasuite-meet 3
+mailu 3
+matrix-synapse 3
+mattermost-lts 3
+mumble 5
+n8n 4
+plausible 2
+uptime-kuma 4
+
+$ nix shell nixpkgs#python311Packages.pytest -c pytest tests/unit/test_discovery.py tests/unit/test_discovery_phase2.py tests/unit/test_manifest.py -q
+..................
+18 passed in 0.14s
+```
+
+Conclusion: the migrated tree still contains the exact same 64 custom test files with the same
+per-recipe cardinality as the pre-cfold baseline in `BACKLOG-cfold.md`; only the folder paths changed.
+
+## 2026-06-12 — Adversary M1 PASS received
+
+Pulled `review(cfold): M1 PASS cold verification` (`4b4d665`). Confirmed in `REVIEW-cfold.md`:
+- total canonical custom tests = 64
+- old tracked `functional/` / `playwright/` trees = none
+- per-recipe counts match the baseline exactly
+- focused unit suite = `18 passed`
+- deprecated-alias warning probe works
+- normalized `(recipe, filename)` before/after set = exact match (`missing []`, `extra []`)
+
+No fix-forward required. Phase advances to M2 baseline assembly.
+
+## 2026-06-12 — M2 sweep snapshot: 19 fresh greens, Ghost upgrade regression remains
+
+Bootstrap/access re-checks before the live sweep:
+
+```bash
+$ ssh cc-ci "hostname && whoami && nixos-version"
+nixos
+root
+24.11.20250630.50ab793 (Vicuna)
+
+$ set -a; . /srv/cc-ci/.testenv; set +a; curl -fsS "https://$GITEA_URL/api/v1/version"
+{"version":"1.24.2"}
+
+$ getent hosts "probe-$RANDOM.ci.commoninternet.net"
+91.98.47.73     probe-4360.ci.commoninternet.net
+```
+
+Open-PR inventory before triggering uncovered recipes showed 16 enrolled repos already had live PRs;
+`custom-html`, `keycloak`, `cryptpad`, and `mumble` did not. I reopened reusable closed PRs for the
+first three (`custom-html#2`, `keycloak#3`, `cryptpad#5`) and created a minimal sweep-only `mumble#1`
+probe PR via the Gitea API.
+
+Fresh post-cfold success set gathered from the live server (`/var/lib/cc-ci-runs/<build>/results.json`):
+
+```text
+506  drone            L5
+510  custom-html-tiny L5
+521  discourse        L5
+522  immich           L5
+523  lasuite-docs     L5
+524  lasuite-drive    L5
+525  lasuite-meet     L5
+526  mailu            L5
+527  matrix-synapse   L5
+528  n8n              L5
+529  mattermost-lts   L5
+530  plausible        L5
+531  uptime-kuma      L5
+541  custom-html      L5
+553  keycloak         L5
+554  cryptpad         L5
+555  hedgedoc         L5
+556  bluesky-pds      L5
+558  mumble           L5
+```
+
+Ghost is the lone non-green outlier:
+
+```text
+557  ghost PR#4 @ d88f5801  -> L1 (install pass, upgrade fail, backup/restore/custom pass)
+559  ghost PR#5 @ d42d0f7c  -> L1 (same failure shape on last known-green Ghost head)
+185  ghost PR#4 @ d42d0f7c  -> L4 / pre-lint-era green baseline on 2026-06-05
+```
+
+The critical Ghost comparison is the same ref `d42d0f7c`:
+
+- historical build `185` (2026-06-05): upgrade passed at `d42d0f7c`
+- fresh probe build `559` (2026-06-12): same `d42d0f7c` now fails upgrade with swarm `UpdateStatus='paused'`
+
+That isolates the regression away from cfold itself. In both fresh Ghost failures (`557`, `559`), the
+custom tier still discovered and passed all four `tests/ghost/custom/test_*.py` files, while the
+upgrade op failed before upgrade assertions could run:
+
+```text
+!! upgrade op failed: <ghost-domain>: upgrade redeploy did NOT converge to the head spec — swarm UpdateStatus='paused'.
+The recipe's app service uses update_config failure_action=rollback/pause; the NEW (head) task failed swarm's update monitor,
+so the service reverted/paused and the RUNNING spec is the previous version, not the code under test.
+```
+
+Adversary update pulled during this pass:
+
+- `review(cfold)` commit `93f56ae` added only an idle audit entry to `REVIEW-cfold.md`
+- no finding filed
+- no M2 PASS yet because no `claim(cfold): M2 ...` commit exists
+
+## 2026-06-12 — Follow-up Ghost artifact audit (same-ref historical pass vs fresh fail)
+
+Focused cold checks after the M2 sweep snapshot:
+
+```bash
+$ ssh cc-ci "jq '{level,recipe,ref,results,rungs,stages:(.stages|map({name,status}))}' /var/lib/cc-ci-runs/185/results.json"
+{
+  "level": 4,
+  "recipe": "ghost",
+  "ref": "d42d0f7c7cf9",
+  "results": {
+    "backup": "pass",
+    "custom": "pass",
+    "install": "pass",
+    "restore": "pass",
+    "upgrade": "pass"
+  },
+  "rungs": {
+    "backup_restore": "pass",
+    "functional": "pass",
+    "install": "pass",
+    "integration": "na",
+    "recipe_local": "na",
+    "upgrade": "pass"
+  },
+  "stages": [
+    {"name": "install", "status": "pass"},
+    {"name": "upgrade", "status": "pass"},
+    {"name": "backup", "status": "pass"},
+    {"name": "restore", "status": "pass"},
+    {"name": "custom", "status": "pass"}
+  ]
+}
+
+$ ssh cc-ci "jq '{level,recipe,stages:(.stages|map({name,status,summary}))}' /var/lib/cc-ci-runs/559/results.json"
+{
+  "level": 1,
+  "recipe": "ghost",
+  "stages": [
+    {"name": "install", "status": "pass", "summary": null},
+    {"name": "backup", "status": "pass", "summary": null},
+    {"name": "restore", "status": "pass", "summary": null},
+    {"name": "custom", "status": "pass", "summary": null},
+    {"name": "lint", "status": "pass", "summary": null}
+  ]
+}
+
+$ ssh cc-ci "grep -R -n \"start_period\" /var/lib/cc-ci-runs/559/abra/recipes/ghost"
+/var/lib/cc-ci-runs/559/abra/recipes/ghost/compose.yml:60:      start_period: 15m
+/var/lib/cc-ci-runs/559/abra/recipes/ghost/compose.yml:84:      start_period: 1m
+/var/lib/cc-ci-runs/559/abra/recipes/ghost/compose.ccci.yml:35:      start_period: 15m
+/var/lib/cc-ci-runs/559/abra/recipes/ghost/compose.ccci.yml:38:      start_period: 15m
+```
+
+Conclusion:
+
+- Historical build `185` passed the full Ghost lifecycle on the SAME ref now used in probe build `559`
+  (`d42d0f7c7cf9`), so the current M2 blocker is not tied to the `custom/` folder migration.
+- Fresh failing runs still execute the canonical 4-file `tests/ghost/custom/` suite and pass every
+  non-upgrade stage; the missing upgrade junit output remains the key symptom.
+- The current repo does not show an obvious cfold-local fix to apply: the Ghost-specific overlay is
+  unchanged, the recipe artifact still carries the expected `compose.ccci.yml` file, and the failure
+  remains in the live upgrade path rather than discovery/custom-test coverage.
+- Net: cfold remains blocked on a cfold-neutral Ghost upgrade regression / flake. No repo-local code
+  change was justified by that audit alone.
+
+## 2026-06-13 — Ghost PR #3 fresh probe after reopen: same upgrade-only failure, plus duplicate trigger signal
+
+I looked for the smallest allowed M2 step that did not touch recipe code: reuse an existing Ghost PR head
+that had historically gone green and rerun it through the live `!testme` path.
+
+Actions taken:
+
+```bash
+$ set -a && . /srv/cc-ci/.testenv && set +a
+$ curl -fsS -u "$GITEA_USERNAME:$GITEA_PASSWORD" -X PATCH \
+    -H 'Content-Type: application/json' \
+    -d '{"state":"open"}' \
+    "https://$GITEA_URL/api/v1/repos/recipe-maintainers/ghost/pulls/3"
+# PR #3 reopened; head remains 720faa0bebc46a34857b2933df1924ccabbd4087
+
+$ curl -fsS -u "$GITEA_USERNAME:$GITEA_PASSWORD" -X POST \
+    -H 'Content-Type: application/json' \
+    -d '{"body":"!testme"}' \
+    "https://$GITEA_URL/api/v1/repos/recipe-maintainers/ghost/issues/3/comments"
+# comment 14497 created at 2026-06-13T00:07:50Z
+```
+
+Fresh live outcomes:
+
+```bash
+$ ssh cc-ci 'jq "{run_id, pr, recipe, ref, level, results, stages: (.stages | map({name,status,summary}))}" /var/lib/cc-ci-runs/568/results.json'
+{
+  "run_id": "568",
+  "pr": "3",
+  "recipe": "ghost",
+  "ref": "720faa0bebc4",
+  "level": 1,
+  "results": {
+    "backup": "pass",
+    "custom": "pass",
+    "install": "pass",
+    "restore": "pass",
+    "upgrade": "fail"
+  },
+  "stages": [
+    {"name": "install", "status": "pass", "summary": null},
+    {"name": "backup", "status": "pass", "summary": null},
+    {"name": "restore", "status": "pass", "summary": null},
+    {"name": "custom", "status": "pass", "summary": null},
+    {"name": "lint", "status": "pass", "summary": null}
+  ]
+}
+
+$ ssh cc-ci 'jq "{run_id, pr, recipe, ref, level, finished, results, stages: (.stages | map({name,status}))}" /var/lib/cc-ci-runs/569/results.json'
+{
+  "run_id": "569",
+  "pr": "3",
+  "recipe": "ghost",
+  "ref": "720faa0bebc4",
+  "level": 1,
+  "finished": 1781309502.5494862,
+  "results": {
+    "backup": "pass",
+    "custom": "pass",
+    "install": "pass",
+    "restore": "pass",
+    "upgrade": "fail"
+  },
+  "stages": [
+    {"name": "install", "status": "pass"},
+    {"name": "backup", "status": "pass"},
+    {"name": "restore", "status": "pass"},
+    {"name": "custom", "status": "pass"},
+    {"name": "lint", "status": "pass"}
+  ]
+}
+```
+
+Comment-stream evidence for duplicate triggers from one `!testme`:
+
+```bash
+$ curl -fsS -u "$GITEA_USERNAME:$GITEA_PASSWORD" \
+    "https://$GITEA_URL/api/v1/repos/recipe-maintainers/ghost/issues/3/comments?limit=20"
+# ...
+# 14497: !testme (2026-06-13T00:07:50Z)
+# 14498: cc-ci failure comment for run 568 (2026-06-13T00:08:05Z)
+# 14499: cc-ci in-progress comment for run 569 (2026-06-13T00:08:05Z)
+# 14500: cc-ci in-progress comment for run 570 (2026-06-13T00:08:05Z)
+```
+
+Takeaways:
+
+- Ghost is now freshly red post-cfold on three distinct PR heads (`720faa0b`, `d88f5801`, `d42d0f7c`), all
+  with the same upgrade-only failure shape while custom discovery stays green.
+- That further weakens any cfold-local explanation; the blocker remains in Ghost's live upgrade path.
+- There is also likely a separate trigger dedupe problem: one `!testme` comment spawned runs `568`, `569`,
+  and `570`. I did not broaden into a D1 investigation in this loop step because cfold M2 is already
+  hard-blocked by Ghost's repeated upgrade failures, but the evidence is now recorded.
+
+## 2026-06-13 — Root-caused Ghost triple-trigger replay; bridge fix authored with unit coverage
+
+Pulled the Adversary's latest cfold audit (`review(cfold)` `ddefc96`). It was not an M2 verdict or a
+finding; it confirmed the sweep is still unclaimable while teardown remains clean (`live_pr_apps=0`).
+
+I then closed out the duplicate-run side observation from the Ghost PR #3 retrigger.
+
+Evidence:
+
+```bash
+$ ssh cc-ci 'docker logs --since "2026-06-13T00:07:30" --until "2026-06-13T00:08:30" c54c433972ac 2>&1'
+[poll] triggered build 568 for ghost@720faa0b (PR #3, comment 14029) by autonomic-bot
+[poll] triggered build 569 for ghost@720faa0b (PR #3, comment 14032) by autonomic-bot
+[poll] triggered build 570 for ghost@720faa0b (PR #3, comment 14497) by autonomic-bot
+
+$ ssh cc-ci 'docker service ps ccci-bridge_app --no-trunc'
+# single running replica only; no restart near the incident
+
+$ ssh cc-ci 'docker ps --format "{{.ID}} {{.Names}} {{.Status}}" | grep ccci-bridge || true'
+c54c433972ac ccci-bridge_app.1.u5msezm603izeyf7kizqxq97j Up 22 hours
+```
+
+Conclusion: this was NOT one comment id deduped incorrectly inside a single process. It was the poller
+correctly treating THREE distinct comment ids as unseen after PR #3 was reopened:
+
+- `14029` and `14032` were historical `!testme` comments from when PR #3 had been open earlier.
+- PR #3 was closed when the current bridge process started, so those comments were not covered by the
+  startup pass that marks pre-existing comments seen.
+- When PR #3 was reopened, the poller saw those old comments for the first time and replayed them, then
+  also processed the fresh comment `14497`.
+
+Repo fix authored:
+
+- `bridge/bridge.py`: added `_PROCESS_STARTED_AT` and `_is_preexisting_comment()` so the poller now marks
+  any trigger comment older than the current bridge process as already-seen, even if the PR was closed at
+  startup and only becomes visible later via reopen.
+- `tests/unit/test_bridge_trigger.py`: added focused tests for pre-start vs post-start comment handling.
+
+Verification:
+
+```bash
+$ nix shell nixpkgs#python311Packages.pytest -c pytest tests/unit/test_bridge_trigger.py -q
+..........                                                               [100%]
+10 passed in 0.04s
+
+$ ssh cc-ci 'nixos-rebuild switch --flake "git+file:///root/cfold-deploy?submodules=1#cc-ci"'
+# rebuild succeeded; deploy-bridge.service restarted and rolled the bridge task
+
+$ ssh cc-ci 'docker service inspect ccci-bridge_app --format "{{.Spec.TaskTemplate.ContainerSpec.Image}}"'
+cc-ci-bridge:eb32876581d9
+
+$ ssh cc-ci 'curl -fsS https://ci.commoninternet.net/hook/healthz'
+ok
+
+$ ssh cc-ci 'docker logs --since 5m 2088e44a0534 2>&1 | sed -n "1,80p"'
+poller (primary) watching ['recipe-maintainers/cc-ci', ..., 'recipe-maintainers/drone'] every 30s
+comment-bridge listening on 0.0.0.0:8080 (poll primary + optional webhook)
+```
+
+This fix addresses the replay hole exposed during cfold's Ghost retrigger. It does not change the cfold
+bottom line: Ghost's upgrade tier remains the lone M2 blocker, while custom discovery continues to pass.
+
+## 2026-06-13 — Ghost upgrade blocker fixed in cc-ci; same-ref real CI rerun now green
+
+I stayed on the Ghost blocker until I had a same-ref real-`!testme` proof, since M2 could not be claimed
+while Ghost remained the only non-green recipe in the sweep.
+
+Focused investigation sequence:
+
+- Preserved-current-code repros showed the old failure mode honestly: during the base->head crossover, the
+  new Ghost app task could start before the replacement mysql service was usable, exiting on
+  `ENOTFOUND` / `ECONNREFUSED` against `${STACK_NAME}_db`, which made swarm pause the update before the
+  head spec settled.
+- My first attempt (`restart_policy.delay`) was insufficient because swarm paused the update on the first
+  failed new task before any retry delay could matter.
+- My second attempt (wrapping Ghost in `command: sh -ec ...`) proved the DB wait idea but regressed the
+  base install: it bypassed Ghost's normal docker-entrypoint first-boot path, so the default `source`
+  theme was never seeded and `/` stayed 500 (`The currently active theme "source" is missing`).
+- Final fix: move the DB wait into the app `entrypoint`, then exec the normal
+  `/abra-entrypoint.sh node current/index.js` path. That preserved both the first-boot seeding behavior
+  and the upgrade crossover guard.
+
+The finished overlay in `tests/ghost/compose.ccci.yml` now does three things and nothing more:
+
+1. keep the existing 15m app healthcheck grace,
+2. keep the existing 15m db healthcheck grace,
+3. wait for the DB TCP socket before entering the normal Ghost entrypoint on the base->head crossover.
+
+Verification:
+
+```bash
+$ ssh cc-ci 'jq -r ".results, .stages" /var/lib/cc-ci-runs/ghost-repro-cfold-3/results.json'
+{
+  "install": "pass",
+  "upgrade": "pass"
+}
+[
+  {"name":"install","status":"pass",...},
+  {"name":"upgrade","status":"pass",...},
+  {"name":"lint","status":"pass",...}
+]
+
+$ ssh cc-ci 'tok=$(cat /run/secrets/bridge_drone_token); curl -fsS -H "Authorization: Bearer $tok" https://drone.ci.commoninternet.net/api/repos/recipe-maintainers/cc-ci/builds/585 | jq -r "[.number,.status,.after,.params.RECIPE,.params.PR,.params.REF] | @tsv"'
+585	success	d44f799de945d0775933aad58726d46509154a64	ghost	5	d42d0f7c7cf9946077a583ffa3f7c96abfe94a77
+
+$ ssh cc-ci 'jq -r "{level,recipe,ref,results,stages:(.stages|map({name,status}))}" /var/lib/cc-ci-runs/585/results.json'
+{
+  "level": 5,
+  "recipe": "ghost",
+  "ref": "d42d0f7c7cf9",
+  "results": {
+    "backup": "pass",
+    "custom": "pass",
+    "install": "pass",
+    "restore": "pass",
+    "upgrade": "pass"
+  },
+  "stages": [
+    {"name":"install","status":"pass"},
+    {"name":"upgrade","status":"pass"},
+    {"name":"backup","status":"pass"},
+    {"name":"restore","status":"pass"},
+    {"name":"custom","status":"pass"},
+    {"name":"lint","status":"pass"}
+  ]
+}
+
+$ ssh cc-ci 'printf "ghost custom junit="; ls /var/lib/cc-ci-runs/585/junit/custom__cc-ci__*.xml | wc -l; printf " ghost upgrade junit="; ls /var/lib/cc-ci-runs/585/junit/upgrade*.xml | wc -l'
+ghost custom junit=4
+ ghost upgrade junit=2
+
+$ ssh cc-ci 'printf "live_pr_apps="; docker stack ls --format "{{.Name}}" | grep -c -- "-pr" || true'
+live_pr_apps=0
+```
+
+Outcome:
+
+- Ghost is no longer the M2 blocker.
+- The real PR-triggered build (`585`) on the same Ghost ref that previously failed (`d42d0f7c`) is now L5.
+- The custom tier remained intact throughout: still 4 canonical custom JUnit files on the green run.
+- With Ghost green and teardown clean, the cfold phase is ready for a formal M2 claim.

machine-docs/JOURNAL-conc.md

@@ -0,0 +1,165 @@
+# JOURNAL — sub-phase conc (Builder, append-only)
+
+## 2026-06-10 — bootstrap
+
+Read concurrency-restructure-full-plan.md (SSOT) + plan.md §6.1/§7/§9. Oriented on the code:
+
+- `runner/harness/lifecycle.py` — recipe flock (l.46), registry (l.65–97), deploy_app
+  registration (l.283), teardown unregister (l.723), three-way janitor (l.726).
+- `runner/run_recipe_ci.py` — `acquire_recipe_lock` call site (l.843), `fetch_recipe` (l.140,
+  rm-rf + reclone of the shared tree), janitor call sites (l.600 quick, l.932 cold).
+- `.drone.yml` — recipe-ci step runs `cc-ci-run runner/run_recipe_ci.py` bare (P1 wraps it),
+  `concurrency.limit: 2` (P4 removes).
+- Greps for P3 fallout: `~/.abra/recipes` referenced in abra.py (recipe_checkout,
+  has_lightweight_version_tags, recipe_head_commit, recipe_versions), generic.py:28,
+  lifecycle.prepull_images, run_recipe_ci (fetch_recipe, snapshot_recipe_tests, comment),
+  warm_reconcile.py:202 (runs OUTSIDE per-run context — keeps default), and
+  tests/ghost+discourse install_steps.sh (`${HOME}/.abra/recipes/...` — these run INSIDE a
+  run and copy compose.ccci.yml into the deploy tree, so they must resolve the per-run dir).
+- `~/.abra/servers/...` paths are unaffected by design (servers/ is symlinked to the canonical
+  /root/.abra/servers, so both resolutions land on the same file).
+
+Working setup: state files on main in this clone; code on branch `restructure/concurrency`
+via a git worktree at ../cc-ci-conc; test runs on the cc-ci host via /root/builder-clone
+(`cc-ci-run -m pytest ...`, `nix develop .#lint`).
+
+## 2026-06-10 — P1–P4 landed on restructure/concurrency
+
+- P1 b492f99: harness/lifetime.py (PDEATHSIG+ppid recheck, SIGTERM/SIGALRM→SystemExit funnel
+  with re-entrancy guard, alarm(3600)); main() installs first; both finally blocks mark
+  begin_teardown(); .drone.yml setsid+trap wrap. Live smoke on cc-ci (cc-ci-run /tmp/p1-smoke.py):
+  TERM→rc=143+finally; ALRM→rc=142+finally+deadline log; parent-kill→child TERM'd, teardown ran.
+- P2 b302f3a: acquire_app_lock + _probe_and_reap + janitor rewrite; registry deleted. Live smoke
+  (/tmp/p2-smoke*.py): held lock → "live concurrent run, leaving it", reaped=[]; killed holder →
+  reap exactly once + lockfile unlinked; waiter blocked during probe-held reap, then re-acquired
+  on the FRESH inode (probe confirmed held by waiter). Note: a select()-on-fd readline artifact
+  in my smoke script initially looked like a failure — kernel state was verified directly.
+  Unlink/recreate race guarded on BOTH sides via fstat/stat st_ino identity checks.
+- P3 17ebdf3: per-run ABRA_DIR. Verified abra CLI honors $ABRA_DIR on-host (skeleton probe:
+  FATAs only on empty servers/; with servers+catalogue symlinks + recipes/ it works and even
+  auto-clones recipes for `app ls` resolution into the per-run dir). p3-smoke: setup + fetch of
+  custom-html-tiny landed in /tmp/p3runs/9999/abra/recipes, head commit + versions readable via
+  abra.recipe_dir(). install_steps.sh path fix justified in DECISIONS.md (conc P3 entry).
+  Pre-existing observation (NOT mine, unchanged): `abra app ls -S -m -n` currently FATAs
+  "unable to resolve '0cc57a5a'" under the DEFAULT abra dir too → janitor's abra discovery
+  yields [] and the docker-service sweep carries discovery. Out of this phase's scope.
+- P4 91d3cc7: concurrency.limit removed; maxTests comment states single-knob + new model.
+  One stale comment line (.drone.yml l.39 "concurrency.limit=2 below") folds into P5.
+
+All four commits: tests/unit 138 passed + lint PASS before each. Next: tests/concurrency suite.
+
+## 2026-06-10 — tests/concurrency (84d90fb) + P5 (d3fe9e2) + M1 claim (e8e52cf)
+
+- Suite: 20 tests / 19 plan cases, all real-kernel (helpers.py subprocesses hold real flocks,
+  install real prctl/alarm guards; CCCI_APP_LOCK_DIR sandboxes /run/lock; HelperPool reaps every
+  helper + recorded grandchildren). First full run on cc-ci: 20 passed in 9.96s, zero flakes in
+  3 repeat runs during the P5 verification re-runs.
+- Design notes for the Adversary's blind-spot hunt (my own known limits):
+  - case 8 (two janitors) uses threads in one process — valid because flock conflicts are
+    per-open-file-description, and overlap is forced via a Barrier + 2s slow teardown stub.
+  - case 14 relies on reparent-to-pid-1 (true on the cc-ci host; would need adjustment in a
+    subreaper environment — marked NEVER_REPARENTED visibly if so).
+  - cases 5-12 stub teardown_app (recording) — janitor probe/reap ordering is what's under
+    test, not teardown internals (covered by Phase-1 e2e + M2 live checks).
+- M1 claimed at e8e52cf; full verification recipe in STATUS-conc.md (WHAT/WHERE/HOW/EXPECTED).
+
+## 2026-06-10 — M2: merge + live verification (a)
+
+- Merge: bb5eb3d (--no-ff) pushed; push build 266 (self-test lint+hello) SUCCESS.
+- (a) cancel-mid-run: !testme on immich#2 → build 267 (custom) running on the NEW harness —
+  log shows the setsid/trap wrap + "== per-run ABRA_DIR: /var/lib/cc-ci-runs/267/abra ==";
+  lock /run/lock/cc-ci-app-immi-ad3e33...lock held by pid 636902; 4 immich services up.
+  Canceled via drone API 04:42:07Z (HTTP 200, build status "killed"). Result: harness pid
+  GONE (no leaked python — the old §8.1 gap is closed), immich services 0, volumes 0,
+  secrets 0, .env 0 — the SIGTERM funnel ran the run's own teardown (better than the plan's
+  minimum, which allowed the janitor to do the reaping). Lock RELEASED (lockfile present but
+  unheld — tidy-swept by the next janitor, to be observed during (b)).
+- (b) triggered 04:46:53Z: !testme immich#2 (comment 14287) + plausible#3 (14288) in parallel.
+
+## 2026-06-10 — M2(b) round 1: green runs, poisoned exit code → wrapper fix
+
+- Builds 268 (immich#2) + 269 (plausible#3) ran in PARALLEL on the new harness: both logs end
+  with all-tiers-pass RUN SUMMARY (level=4, deploy-count 1/1) and the host shows ZERO leakage
+  after (no harness processes, no immi/plau services/volumes/secrets, only unheld lockfiles).
+  Both steps nevertheless exited 1: the P1 EXIT trap's kill of the already-gone process group
+  returns ESRCH under the runner's `set -e` shell — a GREEN run reported failure.
+- Reproduced minimally on-host (`sh -e` and `bash -e`: rc=1 on a clean exit with the old trap).
+  Fix e1c4198 (capture rc; `trap - TERM EXIT`; `|| true` on the trap kill) verified on-host:
+  green rc=0, red rc=7 propagated, TERM→wrapper forwards to child, exits 143. Merged to main
+  b7a009c; push builds 272-274 green. Adversary notified via inbox.
+- (b) re-triggered on the fixed wrapper 04:56:10Z (immich#2 + plausible#3).
+
+## 2026-06-10 — M2(b) PASS + (c) triggered
+
+- (b) round 2 on fixed wrapper: builds 275 (immich#2) + 276 (plausible#3) ran in PARALLEL,
+  BOTH status=success (drone API). Host after: 0 python harness processes, 0 immi/plau
+  services/volumes/secrets/.envs — zero leakage. (d) satisfied by 275 (full green immich e2e).
+  Leftover unheld lockfiles present by design (tidy-swept at next janitor).
+- (c) double-!testme on immich#2: two comments at 05:03:58Z → two custom builds, same run
+  domain immi-ad3e33 → exactly one must block on the app lock with the visible log line.
+
+## 2026-06-10 — CONC-A1: (c) failure root-caused + fixed (run-keyed state files)
+
+- (c) round 1 = builds 279+281, both RED. Root cause (independently also found+filed by the
+  Adversary as CONC-A1 while I was mid-diagnosis — same conclusion from both loops): the four
+  run-scoped state files (deploys/opstate/deps/depskip) were DOMAIN-keyed in shared /tmp;
+  281's main()-preamble + pre-lock _record_deploy fired before it blocked on the app lock →
+  279 read deploy-count 2 (false DG4.1 RED); 279's end-of-run os.remove deleted the shared
+  countfile → 281 crashed FileNotFoundError at its own read. Lock serialization itself worked
+  (281: waiting @+2s, acquired @+194s = 279's exit). Masked pre-restructure by the
+  end-to-end recipe flock.
+- Fix b6e12ef on branch, merged to main 139e319: _run_state_path() keys all four by
+  run id + harness pid; consumers were always env-fed (CCCI_*_FILE), so domain keying was
+  never load-bearing. Both cleanup sites already remove all four on normal exit.
+- New tests/concurrency/test_run_state.py (suite now 23): path invariants + real-process
+  CONC-A1 interleaving via helpers.py `deploy-count-run` (countfile init → pre-lock
+  _record_deploy → acquire → gated read). Teeth verified: under simulated shared keying the
+  regression test FAILS (host run: 3 failed); with the fix: 23 passed + 138 unit + lint PASS.
+- Next: push build green → re-run (b)+(d), then (c), then (a) per the VETO's conditions.
+
+## 2026-06-10 — M2 re-verification on CONC-A1-fixed main (139e319)
+
+- Push builds 283/284/285 (branch fix, merge, inbox) all green.
+- (b)+(d) round 3 (comments 14299/14300, 08:17:35Z): builds 287 (immich#2) + 288 (plausible#3)
+  BOTH success, started simultaneously 08:17:40Z (parallel), finished 08:21:06/08:21:13.
+  Both logs: deploy-count = 1 (expect 1), level=4. Host after: pgrep -f 'run_recipe_c[i]' → no
+  match (earlier "2" was pgrep self-match of the ssh cmdline); immi/plau services/volumes/
+  secrets/server-envs all 0. Zero leakage. (d) satisfied by 287 (full green immich e2e on the
+  final harness code).
+- (c) round 2 triggered 08:22:13Z: comments 14303+14304 on immich#2 (same domain immi-ad3e33).
+
+## 2026-06-10 — M2(c) PASS round 2 (builds 290+291) + (a) re-run triggered
+
+- (c) round 2: builds 290 (08:22:30→08:46:05) + 291 (08:22:33→08:49:23) BOTH success.
+  291 log: "== app lock: another run of immi-ad3e33... in flight — waiting ==" at +1s,
+  "acquired" at +1411s = exactly 290's exit. Both: deploy-count = 1 (expect 1), level=4.
+  Slowness was an immich-ML healthcheck flake (Adversary cross-confirmed live via lslocks:
+  one holder pid 739163, one waiter pid 739341 on the same lock inode — serialization observed
+  in the kernel lock table); ML converged inside the 1500s window, both runs green anyway —
+  no clean re-run needed.
+- After both: no harness procs (pgrep run_recipe_c[i] empty), 0 immi/plau services/volumes/
+  secrets/server-envs. Unheld lockfile remains by design (tidy-swept at next janitor probe).
+- (a) re-run on fixed harness: !testme immich#2 comment 14307 @08:50:02Z; will cancel mid-run
+  via drone API once the deploy is in flight, then check pid/lock/leakage + janitor reap.
+
+## 2026-06-10 — M2(a) re-run PASS (build 295) + M2 claim
+
+- (a) on fixed harness: build 295 (comment 14307 @08:50:02Z) canceled @08:51:05Z (HTTP 200)
+  while mid-deploy (lock held by pid 763099, 4 immich services converging). Harness pid GONE
+  @08:51:15Z — the SIGTERM funnel ran the run's own teardown inside 10s; build status=killed;
+  lock released (lslocks empty); services/volumes/secrets/envs all 0. Zero leakage, no janitor
+  required.
+- Adversary lifted the CONC-A1 VETO @09:05Z with its own M2(c) PASS (290/291 cold-verified,
+  kernel-lock-table serialization observation). Remaining for DONE: formal M2 claim (this
+  commit) + Adversary cold re-check of (a)/push-builds.
+- M2 claimed in STATUS-conc.md with consolidated (a)-(d) evidence + cold re-check recipe.
+
+## 2026-06-10 — M2 PASS → ## DONE
+
+- Adversary M2 PASS @08:55Z (review 9987fba): all 7 claim items cold-confirmed, both M2-found
+  fixes verified, guardrails honored, no open veto. Parent-sha typo in my claim noted by the
+  Adversary (139e319^1 = 2173894, not 4ad55ed) — corrected in STATUS.
+- ## DONE written to STATUS-conc.md. Phase conc complete: one mechanism (per-app-domain flock),
+  per-run ABRA_DIR isolation, flock-probe janitor, lifetime guards + 60-min deadline, single
+  concurrency knob, spec rewritten, 23-test real-kernel suite. Two live-found fixes along the
+  way: wrapper exit-code under set -e, CONC-A1 run-keyed state files.

machine-docs/JOURNAL-dash.md

@@ -0,0 +1,58 @@
+# JOURNAL — phase `dash` (reasoning; Adversary does not read before verdict)
+
+## 2026-06-17 — M1 design + implementation
+
+**Root cause (confirmed against plan §1 + host):** `history_for` read `_custom_recipe_builds()`,
+which fetches a single Drone page `…/builds?per_page=100`. The recent `regall` sweep `!testme`'d all
+21 recipes once, filling the latest-100 window, so each recipe's older runs fell outside it → most
+recipes rendered exactly 1 history row. Host has 432 run dirs (308 parseable `results.json`).
+
+**Why source from local artifacts, not paginate Drone:** the plan's chosen design. Local artifacts
+are complete (308 finished runs vs 100-build Drone window), durable (independent of Drone
+retention/pagination), already bind-mounted read-only, and already read per-run by `_results_for`.
+Pure-local also removes a network dependency + failure mode from the history page. I deliberately did
+NOT merge in Drone "currently running" live status (plan lists it as an optional "e.g." value-add):
+it re-introduces the Drone dependency and the overview already shows live status; the DoD asks only
+that the *historical* list come from local artifacts. Recorded as a decision.
+
+**Status derivation:** `results.json` (schema 2) has no top-level status field. Derived from the
+per-stage `results` map: any `fail`/`error` → failure; all `pass`/`skip` → success; else unknown.
+A skip alone is not a failure (e.g. custom-html-bkp-bad: backup=fail → failure; level-5 plausible:
+all pass → success). This matches what the run actually did without inventing a Drone call.
+
+**The sort trap (flagged by Adversary's pre-claim baseline too):** run ids are MIXED numeric
+(`753`,`556`) and named (`m2r-bluesky-pds`,`ab-bluesky-pds-oldmain`). `int(run_id)` would crash on
+named ids; lexical sort would scatter them and misorder `9…` vs `7…`. The ONLY correct order is by
+`finished` timestamp. Sort key = `(finished, _numeric_id)` reverse — finished is primary, numeric id
+is a stable tiebreak (named ids get -1, so timestamp always decides their slot). Verified the output
+matches the Adversary's independently-derived bluesky-pds order byte-for-byte.
+
+**Cap:** `HISTORY_CAP=30` (env-overridable). Sorted newest-first BEFORE slicing, so the cap keeps the
+30 newest and drops the oldest — verified plausible (33 runs) keeps the newest 30, drops oldest 3.
+
+**Caching:** `_local_history` scans the whole runs dir once per `CACHE_TTL` (reuses the existing 30s
+TTL) and groups by recipe, so a busy page doesn't json-load 300+ files per request. `_results_for`
+(already traversal-guarded) is reused for each dir read, so the path-traversal guarantee is unchanged.
+
+**Retention:** 308 parseable runs present spanning many days — retention is adequate; no trimming of
+`/var/lib/cc-ci-runs` observed that would vanish history. Will confirm no cleanlogs/prune job trims it
+during M2 and record in DECISIONS if a cap is ever needed (none needed now).
+
+**Local verification (M1):** 13/13 unit tests pass (incl. new local-sourcing test). Full-fixture run
+against all 308 real `results.json` + injected malformed/empty/no-recipe dirs: bluesky-pds=8 in exact
+timestamp order, plausible capped 30 (newest kept), 308 total grouped, edge dirs skipped without
+raising, security guards (`_RUN_ID_RE`, `_results_for`, `serve_run_file`) all still reject traversal.
+
+## 2026-06-17 — M2 deploy + live verify
+
+**Deploy gotcha (recorded):** `nixos-rebuild switch --flake /etc/cc-ci#cc-ci` FAILED:
+`error: path '…/secrets/secrets.yaml' does not exist`. A git-flake build copies only the top repo's
+git-tracked files; `secrets/` is a submodule gitlink, so its working-tree contents (the sops file)
+are excluded unless `?submodules=1`. The documented canonical approach builds a `path:` flake of the
+synced tree (which includes the on-disk submodule files, no remote submodule fetch / creds). Did:
+tar `/etc/cc-ci` minus `.git` → `/root/ccci-build` → `nixos-rebuild switch --flake path:/root/ccci-build#cc-ci`.
+Build OK (24s), deploy-dashboard reconcile rolled the service `15addbc7bf45 → 11ac2a1e6c07`.
+
+**Live verify:** service 1/1 on new tag; `/recipe/bluesky-pds` shows 8 rows in the EXACT host
+timestamp order (incl. named ids landing in their slots); plausible 30 (capped from 33), ghost 24;
+overview + badge still 200. Retention: no module trims `/var/lib/cc-ci-runs`; 439 dirs over 17 days.

machine-docs/JOURNAL-drone.md

@@ -0,0 +1,59 @@
+# JOURNAL — phase drone (drone enrollment with gitea SCM dep)
+
+**Phase plan:** `/srv/cc-ci/cc-ci-plan/plan-phase-drone-enroll.md`
+**Builder:** autonomic-bot / Claude
+
+---
+
+## 2026-06-11 — Phase start + design decisions
+
+### Context read
+- P0 confirmed: `/etc/timezone` exists (UTC) on cc-ci host — fix from commit 3bde76f is live
+- Adversary pre-probes read from REVIEW-drone.md:
+  - Confirms P0 satisfied
+  - Confirms drone 1.9.0+2.26.0 (latest), 1.8.0+2.25.0 (previous) — upgrade tier viable
+  - Confirms gitea 3.5.3+1.24.2-rootless (latest), sqlite3 overlay is right choice for dep
+  - Confirms SCM-configured test must exercise actual OAuth flow (not just /healthz)
+
+### Architecture decisions
+
+**Gitea as dep:**
+- Use `compose.sqlite3.yml` overlay — no mariadb needed for a CI dep; lighter resource footprint
+- `REQUIRE_SIGNIN_VIEW=false` so health check works without login
+- Admin user created via `gitea admin user create` CLI in container post-deploy
+- OAuth2 app created via gitea API (basic auth with ci_admin user)
+
+**SCM-configured test:**
+- Playwright test completes the full gitea→drone OAuth flow
+- Navigates to drone's /login → redirects to gitea OAuth authorize page
+- Fills ci_admin credentials → clicks authorize → lands on drone dashboard
+- Verifies drone `GET /api/user` returns 200 (session valid)
+- This proves the full OAuth circuit works (not just health)
+- Negative teeth: a drone without gitea wiring would not redirect to gitea
+
+**Drone EXTRA_ENV in install_steps.sh:**
+- Sets `COMPOSE_FILE=compose.yml:compose.gitea.yml` (activates gitea SCM overlay)
+- Sets `GITEA_CLIENT_ID`, `GITEA_DOMAIN` from deps creds
+- Creates `client_secret` Docker secret with gitea OAuth2 client_secret
+- Sets `DRONE_USER_CREATE=username:ci_admin,admin:true` (ci_admin = gitea admin user)
+
+**Backup analysis:**
+- Drone recipe compose.yml has `data` volume but NO backupbot labels
+- `abra.sh` only exports `DRONE_ENV_VERSION=v2`, no backup functions
+- Therefore: `backup_capable=False`, backup rung = structural skip (justified in PARITY.md)
+
+### Implementation sequence
+1. Add `setup_gitea_oauth()` to `runner/harness/sso.py`
+2. Update `_enrich_deps_with_sso` in `runner/run_recipe_ci.py` for gitea
+3. Create `tests/gitea/recipe_meta.py`
+4. Create `tests/drone/recipe_meta.py`
+5. Create `tests/drone/install_steps.sh`
+6. Create `tests/drone/functional/test_scm_configured.py`
+7. Create `tests/drone/PARITY.md`
+8. Add unit tests
+
+---
+
+## 2026-06-11 — Implementation
+
+_Evidence of each step logged below as work proceeds._

machine-docs/JOURNAL-dstamp.md

@@ -0,0 +1,186 @@
+# JOURNAL — phase `dstamp` (Builder, reasoning/private)
+
+## 2026-06-11 — Bootstrap + investigation
+
+Read the phase plan, plan.md §6.1/§7/§9, the Adversary's REVIEW-dstamp prep notes, and the
+stamp-relevant harness code (`abra.py`, `lifecycle.py:deployed_identity/recipe_checkout_ref/
+chaos_redeploy/prepull_images`, `generic.py:perform_upgrade/assert_upgraded`, run_recipe_ci
+upgrade op + fetch_recipe).
+
+### Mechanism (from abra source @06a57de = the pinned binary)
+chaos-version label is set in `cli/app/deploy.go`: for a `-C` deploy, `getDeployVersion` (l.365)
+returns `Recipe.ChaosVersion()` (l.367-373) and `SetChaosVersionLabel(compose, stack, toDeployVersion)`
+(l.168). `ChaosVersion` (`pkg/recipe/git.go:300`) = `formatter.SmallSHA(Head().String())` + `+U`
+if dirty. `Head` (l.483) = go-git `repo.Head()`. Crucially, `app.Recipe.Ensure(ctx)` (deploy.go:86)
+calls into git.go:38 which **early-returns on `ctx.Chaos`** (l.41-43) — so a chaos deploy does NOT
+re-checkout the .env version. `GetEnsureContext` (cli/internal/ensure.go) wires `EnsureContext{Chaos,
+Offline, IgnoreEnvVersion=DeployLatest}` from the CLI flags. So `-C` ⇒ Ensure no-op ⇒ chaos version
+= whatever git HEAD the harness left checked out.
+
+### The contradiction that drove the dig
+The m2p failure message is `chaos commit 'eb96de94+U', not the intended PR-head '7ae7b0f76efb'`.
+`eb96de9` = tag `0.7.0+3.3.1` (the upgrade base); `7ae7b0f` = PR head (9 commits past that tag,
+and there is NO 0.8/0.9 tag despite HEAD's "upgrade to 0.9.0+3.5.0" message). The harness
+`perform_upgrade` does `recipe_checkout_ref(head_ref=7ae7b0f)` then `chaos_redeploy`, with only
+`env_set` + `prepull_images` (pure docker compose, no git) in between — and the run's recipe
+**snapshot HEAD = 7ae7b0f**. So at deploy time HEAD *should* be 7ae7b0f ⇒ stamp 7ae7b0f. Yet it
+stamped eb96de9. abra's source says chaos = Head(); so for eb96de9 to be stamped, HEAD had to be
+eb96de9 at the chaos deploy — which the isolated flow never produces.
+
+### Reproductions (all on cc-ci, scratch ABRA_DIR, deploys bail at `secret not generated`
+### which is deploy.go:140, AFTER the chaos version is computed+logged at deploy.go:372)
+1. cp -a canonical recipe, checkout head→base(tag)→head, `abra app deploy -C` → `taking chaos
+   version: 7ae7b0f7`. HEAD stays 7ae7b0f. NO drift.
+2. real non-chaos base deploy (exercises go-git `EnsureVersion` which checks out tag via
+   `Branch: refs/tags/0.7.0+3.3.1`, leaving HEAD=eb96de9), then CLI `git checkout -f head`, then
+   `-C` deploy → `taking chaos version: 7ae7b0f7`. NO drift.
+3. mirror-faithful: `git clone <recipe-maintainers/discourse>` + `git checkout 7ae7b0f` +
+   `git fetch <coop-cloud/discourse> refs/tags/*:refs/tags/*` (exact `fetch_recipe`), then base
+   deploy → re-checkout head → `-C` deploy → `taking chaos version: 7ae7b0f7`. NO drift.
+
+Conclusion: the isolated git/abra version-resolution path is **correct** in the current host
+state. The drift is not in that path.
+
+### Timeline / differentiator
+- abra binary: constant since 2026-06-01 (system-4). Not abra.
+- Same ref 7ae7b0f: run 184 (06-05 02:17, **solo**) was L4 upgrade-PASS. The drift runs
+  (m2b 06-10 20:54, m2p 06-11 00:44, ab 06-11 00:48) are **clustered** (m2p & ab 4 min apart →
+  overlapping for a multi-tier discourse run that takes ≫4 min).
+- `app_domain` hashes (recipe|pr|ref) ⇒ all three drift runs, same ref, **collide on one swarm
+  stack**. The upgrade `chaos_redeploy` does NOT take `deploy_app`'s app-domain flock, so two
+  concurrent runs can interleave deploys on the shared stack and the `<stack>_app` service label
+  read by `deployed_identity` reflects whichever deploy last wrote it.
+
+**Leading hypothesis:** the "harness-neutral env drift" is actually a **concurrency artifact** of
+the rcust-phase M2 A/B discourse experiments running near-simultaneously on the shared stack — not
+an abra/recipe/environment regression. Run 184 solo = green; clustered 06-11 = drift; isolated
+re-reproduction now = green. Testing with one clean isolated real run (install,upgrade) before
+committing to this attribution — direct evidence required by the plan, not inference alone.
+
+Open: must still explain *exactly* how a concurrent peer produces an `eb96de9+U` (dirty CHAOS)
+label on the shared stack — a base deploy is pinned/non-chaos (no chaos label), so the +U chaos
+label must come from some chaos deploy with HEAD=eb96de9. The isolated real run + (if needed) a
+deliberate 2-run concurrency repro will nail the mechanism. Will NOT claim M1 on inference.
+
+## 2026-06-11 (cont.) — REAL runs: concurrency REFUTED, true root cause = swarm rollback
+
+Three real install+upgrade runs of discourse @7ae7b0f (CCCI_RUN_ID=dstamp-repro{1,2,3}), each
+SOLO/isolated (no concurrent discourse run):
+
+- **base deploy is CHAOS** (not pinned): `compose.ccci.yml` overlay is present ⇒
+  `deploy_app` takes the `has_ccci_overlay` auto-chaos branch (`lifecycle.py:291-298`). So the
+  base stamps `chaos-version = eb96de9+U` on the shared stack. (My earlier bail-at-secrets repros
+  used a non-chaos/manual base → that's why they didn't expose it.)
+- **repro1 (unpatched): upgrade FAIL** — `chaos commit 'eb96de94+U', not 7ae7b0f76efb`. The
+  per-run tree reflog + snapshot prove HEAD = **7ae7b0f** at the upgrade deploy (last checkout
+  16:39:03, no checkout-back), yet the deployed `.Spec` chaos label was eb96de9+U.
+- **repro2 (instrumented: abra deploy `--debug` + a HEAD-print subprocess before the redeploy):
+  upgrade PASS** — `[DSTAMP] taking chaos version: 7ae7b0f7+U`, HEAD=7ae7b0f,
+  `deployed_identity = {version 0.9.0+3.5.0, image bitnamilegacy/discourse:3.3.1, chaos 7ae7b0f7+U}`.
+
+So the SAME solo config is **intermittent** (184✓ 06-05, m2b/m2p/ab✗ 06-10/11, repro1✗, repro2✓);
+flipping with a tiny timing change ⇒ **NOT a concurrency artifact, NOT abra version-resolution**
+(abra computes 7ae7b0f7 correctly — proven by repro2's debug line AND all 3 bail-at-secrets repros).
+
+**TRUE ROOT CAUSE (recipe deploy policy + heavy/flaky new task):** discourse `compose.yml` app
+service sets `deploy.update_config: { failure_action: rollback, order: start-first }` with a
+`healthcheck.start_period: 20m`. The upgrade chaos deploy applies the head spec
+(`chaos-version=7ae7b0f7+U`) start-first (old + new task co-resident = ~2× memory for a
+precompile-heavy Rails app). When the NEW task intermittently fails swarm's update monitor,
+swarm executes **failure_action: rollback ⇒ reverts the app service to its PreviousSpec (the
+base: `chaos-version=eb96de9+U`)**. Under `start-first` the OLD task keeps serving, so the
+harness `wait_healthy` still passes — but `deployed_identity` reads `.Spec.Labels` of the
+ROLLED-BACK spec and sees the base commit. The "since ~06-10 on every run" pattern = the
+rcust-phase runs happened under heavier host load (warm keycloak etc.), so the new task reliably
+failed the monitor ⇒ rollback every time; the solo 06-05 run (184) didn't roll back. Harness- and
+abra-neutral, exactly as observed.
+
+repro3 (UpdateStatus + PreviousSpec capture, NO --debug to preserve failing timing) running to
+get the swarm rollback in the act (expect `UpdateStatus.State = rollback_*`, `PreviousSpec.Labels`
+chaos=eb96de9+U == the read `.Spec.Labels` after revert). That is the direct-evidence smoking gun.
+
+### DIRECT EVIDENCE — captured (repro4, solo/isolated, upgrade FAIL)
+repro3 base deploy FATA'd (abra convergence monitor gave up — discourse is genuinely flaky/heavy
+under load, which is the very premise). repro4 reached the upgrade and the post-`chaos_redeploy`
+`docker service inspect <stack>_app` capture is the smoking gun:
+- `UpdateStatus = {"State":"updating","Message":"update in progress"}`
+- `.Spec.Labels`  chaos-version = **7ae7b0f7+U**, version = 0.9.0+3.5.0  (HEAD spec applied OK)
+- `.PreviousSpec.Labels` chaos-version = **eb96de94+U**, version = 0.7.0+3.3.1 (the base)
+- `deployed_identity` (same instant) = chaos **7ae7b0f7+U**  (reads Spec, correct)
+Then `wait_healthy` ran (old task serving under start-first → passes); the new task failed swarm's
+monitor → `failure_action: rollback` reverted `.Spec` → `.PreviousSpec` (eb96de94+U); the
+assertion-phase read saw eb96de94+U → HC1 FAIL. The ONLY operation that turns `.Spec.Labels` from
+7ae7b0f7+U into the exact `.PreviousSpec` eb96de94+U is a swarm rollback. abra+harness exonerated;
+the head was really deployed and then swarm-reverted. Attribution complete, by direct evidence.
+
+Note the app image is `bitnamilegacy/discourse:3.3.1` for BOTH base and head spec (head only bumps
+the version label + db image), so the new task isn't failing on a missing image — it's the
+start-first 2× co-residency of the precompile/Rails-heavy app under host memory pressure (a real
+new-task failure, intermittent), which trips `failure_action: rollback`.
+
+### Fix plan (HC1 teeth preserved)
+- Reliability: `tests/discourse/compose.ccci.yml` overlay → app `deploy.update_config.order:
+  stop-first` (old stops before new starts → new boots with full memory → genuinely healthy → no
+  spurious rollback). Upgrade-to-head still really deployed+asserted; not a weakening. WHY in header.
+  Risk to weigh: stop-first = brief real downtime during the CI upgrade (covered by DEPLOY_TIMEOUT
+  3600). Alternative `failure_action: pause` REJECTED — it would let a genuinely-failed new task
+  pass HC1 (start-first keeps old serving) = test-weakening.
+- Correctness: harness upgrade path asserts the redeploy converged to the head spec (UpdateStatus
+  not rollback*/paused / `.Spec` not reverted to `.PreviousSpec`) → honest failure message on a
+  real rollback, instead of the misleading "re-checkout failed". General (all rollback-policy
+  recipes). HC1 teeth intact: a head that truly can't stay healthy still fails.
+- Will validate stop-first actually eliminates the rollback with a full real run before claiming.
+
+## 2026-06-11 (cont.) — fix validated + blast-radius
+
+**Fix implemented** (commit 0cc31a5): (1) `tests/discourse/compose.ccci.yml` app service
+`deploy.update_config.order: stop-first`; (2) `lifecycle.assert_upgrade_converged()` + call in
+`generic.perform_upgrade` right after `chaos_redeploy` (before wait_healthy) — waits for swarm's
+app-service rolling update to reach a TERMINAL state and FAILs honestly on rollback*/paused.
+Unit tests: 253 passed (no regression).
+
+**fix1 validation** (run `dstamp-fix1`, fresh checkout @0cc31a5, install+upgrade, solo): UPGRADE
+**PASS** — `upgrade-converged: …UpdateStatus=completed`, `upgrade→PR-head: head_ref=7ae7b0f7
+chaos-version=7ae7b0f7+U version=0.7.0+3.3.1→0.9.0+3.5.0`. The head is deployed, the update
+converges (no rollback), HC1 reads 7ae7b0f7+U. (Bug was intermittent — running more to show
+reliability, since repro2 passed unpatched.)
+
+**Blast-radius sweep** — recipes with `failure_action: rollback` + `order: start-first`:
+`discourse, drone, keycloak, n8n, traefik`. Evidence check of the upgrade tier across many runs
+(incl. the rcust-era m2r-* runs under the same heavy load):
+- keycloak: runs 155/186/187/m2r/shot-proof → upgrade PASS L4 (HC1 pass ⇒ chaos==head). NOT affected.
+- n8n: runs 47/54/61/162/197/m2r/shot-proof → upgrade PASS L4. NOT affected.
+- drone, traefik: cc-ci INFRA (warm-reconciled), NOT enrolled in the recipe-CI upgrade tier.
+⇒ **Only discourse actually exhibits the drift** — its app is uniquely heavy (Rails asset
+precompile, 2.4GB image) so the start-first 2× co-residency OOMs the new task; the lighter
+keycloak/n8n new tasks survive swarm's monitor, so no rollback. The general harness guard
+(`assert_upgrade_converged`) now protects ALL rollback-policy recipes from a silent future
+rollback (honest failure), and discourse additionally gets stop-first to converge reliably.
+
+### Hardening (commit e9c26c7) + fix2 validation
+Adversary independently confirmed the root cause + assessed the fix CORRECT (REVIEW-dstamp probe),
+flagging one non-blocking race: assert_upgrade_converged's first poll could read a STALE terminal
+`completed` (from the install/base deploy) before swarm schedules the new roll → return OK
+prematurely → miss a later rollback. Hardened with a two-phase wait: phase 1 confirms the NEW
+update is scheduled (`UpdateStatus.StartedAt` advances past the pre-redeploy value, captured via
+`update_status_started`, or state is in-flight `updating`/`rollback_started`), with a 30s grace for
+a genuine no-op redeploy; phase 2 then waits for the terminal verdict. fix2 (hardened, fresh
+checkout @e9c26c7, install+upgrade): UPGRADE **PASS** — `upgrade-converged: …UpdateStatus=completed`,
+`chaos-version=7ae7b0f7+U version=0.7.0+3.3.1→0.9.0+3.5.0`. Two consecutive green fixed runs
+(fix1+fix2) vs intermittent unpatched failures (repro1✗ repro4✗ repro2✓). Unit tests 253 pass.
+
+### M1 claimed
+Attribution + minimal repro + 06-05→06-10 change + fix + blast-radius all complete and
+Adversary-pre-confirmed → claiming M1 (verification recipe in STATUS-dstamp). Next: M2 — full
+all-stages discourse green at true level via the drone `!testme` path (the recipe-CI pipeline runs
+`cc-ci-run runner/run_recipe_ci.py` from the drone-cloned cc-ci workspace, so e9c26c7 is live for
+!testme — no nixos-rebuild needed for the harness), other recipes re-proven (none affected), HC1
+teeth shown (wrong stamp still FAILs), DEFERRED closed.
+
+Fix direction (HC1 must keep its teeth — do NOT relax the commit match): the upgrade chaos redeploy
+must assert against the *intended* applied spec, not a silently rolled-back one — i.e. the harness
+must DETECT a swarm rollback (UpdateStatus.State rollback*) and treat it as an upgrade FAILURE with
+a clear message (the deploy did not converge to the head spec), AND/OR make the upgrade redeploy not
+subject to silent rollback masking (e.g. assert UpdateStatus completed before reading identity).
+The recipe's rollback policy is legitimate for prod; the harness bug is that a rollback is invisible
+to HC1 and masquerades as "stamped the wrong commit". Will finalise the fix after repro3 confirms.

machine-docs/JOURNAL-ghost.md

@@ -0,0 +1,81 @@
+# JOURNAL — phase ghost
+
+## 2026-06-13T07:10Z — Phase start, PR inventory, fresh run triggered
+
+### PR inventory findings
+
+Three open PRs on recipe-maintainers/ghost:
+
+- **PR#4** (d88f5801): `chore: upgrade to 1.4.0+6.44.1-alpine` — the correct upgrade PR.
+  Had 4 pre-proxy-fix failures, all on 2026-06-12. The detailed failure in build 519 showed
+  MySQL 8.0→8.4 data-dir timing under load (Swarm UpdateStatus=paused) but the server
+  was under unusual load at the time (IPAM fix, Docker daemon restart, multiple concurrent builds).
+  The 3/3 budget was exhausted and then a 4th run was triggered at 21:51Z by the cfold/ghost agent,
+  also failing (pre-proxy-fix).
+
+- **PR#5** (d42d0f7c): `ci: cfold ghost green-head probe` — created by cfold/ghost agent as
+  sweep probe to verify the old-green head separately from the current PR#4 head regression.
+  Passed build 585 at 03:59Z on 2026-06-13 (BEFORE proxy fix at 05:38Z), so this pass was
+  on old infra. Not the correct PR — close after M2.
+
+- **PR#3** (720faa0b): `chore: upgrade to 1.3.0+6.43.1-alpine` — superseded by PR#4. Close.
+
+### Proxy fix status
+
+`docker network inspect proxy` shows subnet 10.10.0.0/16 — the /16 fix is in place.
+pvfix completed at 05:38Z on 2026-06-13, pvcheck completed (M1+M2 PASS).
+
+### No resource leaks
+
+`docker stack ls`, `docker service ls`, `docker volume ls` — no ghost stacks or volumes.
+
+### Decision: trigger fresh post-proxy !testme on PR#4
+
+The phase plan says "Do not count pre-proxy failures as current recipe evidence" and to run
+one clean post-proxy `!testme`. All 4 failures on PR#4 were pre-proxy-fix.
+
+PR#5's build 585 passed the OLD head (d42d0f7c, ghost 6.44.0) but that was also pre-proxy-fix.
+The upgrade path under test in PR#4 is different: upgrading to 1.4.0 (ghost 6.44.1 + mysql 8.4
+from mysql 8.0 base). This is the critical path.
+
+### Why the prior failures may be infra-confounded
+
+The diagnostic comment on PR#4 (build 519) specifically mentions "Docker daemon had just been
+restarted (IPAM fix), multiple concurrent builds in progress, resulting in slower MySQL startup".
+This is a direct load-induced timing issue, not a systematic recipe bug. The /16 proxy fix means
+there's no longer VIP exhaustion risk, and we're not in the middle of an IPAM repair.
+
+However, the MySQL 8.0→8.4 data-dir upgrade timing is a real concern even without load pressure —
+the update_config.monitor: 5s default may genuinely be too short for the migration. The fresh run
+will clarify this.
+
+## 2026-06-13T06:20Z — Build #612 PASSED — level 5/5
+
+Build #612 triggered by !testme on PR#4 at 06:12:48Z, completed ~06:20Z.
+
+Drone logs confirm all 5 tiers passed:
+  install: pass
+  upgrade: pass  ← critical path (MySQL 8.0→8.4 data-dir migration)
+  backup: pass
+  restore: pass
+  custom: pass
+
+Level 5/5 — results.json written, summary.png + badge.svg generated.
+
+The upgrade tier passed cleanly. This confirms the prior failures were load-induced (infra-confounded).
+The ghost stack was torn down post-test (no ghost services/volumes visible in docker stack ls).
+
+Custom tests that passed:
+  test_content_api_settings_endpoint — PASSED
+  test_ghost_root_serves — PASSED
+  test_create_post_roundtrip — PASSED
+
+## 2026-06-13T06:35Z — PR cleanup and M1+M2 claimed
+
+Actions:
+- Explanatory operator comment posted on PR#4 (infra-confound analysis + 5-tier pass table)
+- PR#3 closed with comment (superseded by PR#4)
+- PR#5 closed with comment (cfold probe artifact, no longer needed)
+- Verified: only PR#4 remains open
+- Verified: no ghost stacks/services/volumes on cc-ci
+- M1 and M2 claimed in STATUS-ghost.md

machine-docs/JOURNAL-gtea.md

@@ -0,0 +1,223 @@
+# JOURNAL — phase gtea (gitea full-test enrollment)
+
+Builder private log. Append-only.
+
+---
+
+## 2026-06-15 — Phase start + initial suite build
+
+### Context read
+
+- Phase plan: /srv/cc-ci/cc-ci-plan/plan-phase-gtea-gitea-fulltests.md
+- Reference tests: /srv/cc-ci-orch/references/recipe-maintainer/recipe-info/gitea/tests/
+  - health_check.py — checks HTTP 200 from root URL
+  - git_push.py — create repo → clone → push → verify via API → delete repo
+  - NOTE: These files exist ONLY in the local references directory, NOT in the upstream
+    recipe-maintainers/gitea repo (which has no tests/ directory). PARITY.md updated to
+    reflect this accurately (references are from recipe-info corpus, not the upstream recipe).
+- gitea recipe on cc-ci: compose.yml (backupbot.backup=true), compose.sqlite3.yml
+- PR #1 (lfs-plain-gitea → main): adds compose.lfs.yml + LFS_JWT_SECRET in app.ini.tmpl
+- Versions in abra release dir: 2.0.0+1.18.0, 2.1.2+1.19.3, 2.6.0+1.21.5, 3.0.0+1.22.2-rootless
+- Adversary notes: latest recipe tag is 3.5.3+1.24.2-rootless; LFS PR bumps to 3.6.0
+
+### Design decisions
+
+**LFS dep-vs-recipe-under-test split mechanism:**
+- EXTRA_ENV(ctx) checks TWO conditions: (1) compose.lfs.yml exists in $ABRA_DIR/recipes/gitea/,
+  AND (2) RECIPE=gitea env var is set. Both conditions required.
+- Condition (1) ensures LFS is never enabled on main (overlay absent).
+- Condition (2) ensures LFS is never enabled when gitea is drone's dep (RECIPE=drone).
+- The dep path is thus byte-for-byte identical whether or not compose.lfs.yml exists.
+- Decision documented in DECISIONS.md (phase gtea).
+
+**Admin user management:**
+- gitea has no built-in admin user from abra deploy. Admin is created via `gitea admin user create`.
+- ops.pre_install creates admin user `ci_admin` with a random 32-char hex password.
+- Credentials stored at /tmp/ccci-gitea-admin-{domain}.json (mode 600) for reuse across hook calls.
+- All subsequent pre_* hooks read from this file (ops module re-imported per op).
+
+**Marker repo:**
+- Marker = git repo named `ci-marker` owned by `ci_admin`, auto_init=True.
+- pre_upgrade/pre_backup: ensure marker exists (idempotent create)
+- pre_restore: DELETE the marker repo (diverge from backup state)
+- test_upgrade: assert marker survived chaos redeploy
+- test_backup: assert marker exists at backup time
+- test_restore: assert marker returned (restore reverted deletion)
+
+### Files written
+
+1. tests/gitea/recipe_meta.py — UPDATED (added BACKUP_CAPABLE, READY_PROBE, SCREENSHOT,
+   LFS-conditional EXTRA_ENV; header updated to dual-role)
+2. tests/gitea/ops.py — NEW (admin user + marker repo hooks)
+3. tests/gitea/test_install.py — NEW (assert_serving + API + admin auth + Playwright)
+4. tests/gitea/test_upgrade.py — NEW (marker survived upgrade)
+5. tests/gitea/test_backup.py — NEW (marker captured in backup)
+6. tests/gitea/test_restore.py — NEW (marker returned after restore)
+7. tests/gitea/custom/test_health.py — NEW (parity: HTTP 200 from root)
+8. tests/gitea/custom/test_git_push.py — NEW (parity: create→clone→push→verify→delete)
+9. tests/gitea/custom/test_admin_api.py — NEW (beyond-parity: user+org+token CRUD)
+10. tests/gitea/custom/test_lfs_roundtrip.py — NEW (LFS capstone; skips on main)
+11. tests/gitea/PARITY.md — NEW
+
+### Unit test results after changes
+
+```
+tests/unit/test_gitea_dep.py: 10/10 PASSED
+tests/unit/test_meta.py: 43/43 PASSED
+All unit tests: 269 passed, 1 pre-existing failure (test_warm_reconcile.py - unrelated)
+```
+
+### Next: run harness locally (BACKLOG item 2)
+
+---
+
+## 2026-06-15 — Harness run + M1 claim
+
+### Bugs found and fixed during harness run
+
+1. **Playwright `_csrf` selector (test_install.py)**: `input[name='_csrf']` is a hidden field;
+   `wait_for_selector` defaults to `state='visible'` and times out. Fixed: use `input#user_name`
+   (the visible username field). Root cause: gitea renders CSRF as `type="hidden"`.
+
+2. **git credential injection (test_git_push.py + test_lfs_roundtrip.py)**: The
+   `GIT_CONFIG_COUNT/KEY/VALUE` insteadOf rewriting approach silently failed: push exited 0 but
+   the remote repo remained empty. Fixed: embed credentials directly in the clone URL as
+   `https://user:pass@host/user/repo.git`. Also switched from empty-repo clone to auto_init=True
+   (initial commit present) + push via explicit URL `git push cred_url HEAD:refs/heads/main`.
+
+3. **double /api/v1 in LFS restart poll (test_lfs_roundtrip.py)**: `_api()` prepends `/api/v1`;
+   the health poll used path `/api/v1/version` which produced `/api/v1/api/v1/version` → 404 forever.
+   Fixed: changed path to `/version`.
+
+4. **Token scope required (test_admin_api.py)**: gitea 1.22+ requires `scopes` in token creation
+   body. Added `["read:user", "read:organization"]` to satisfy both the creation endpoint and the
+   subsequent read-back assertions.
+
+5. **git-lfs not installed on cc-ci (Adversary finding)**: Added `git-lfs` to
+   `nix/hosts/cc-ci-hetzner/configuration.nix` systemPackages. Deployed via
+   `nixos-rebuild switch --flake '/root/builder-clone?submodules=1#cc-ci' 2>&1`. Note: secrets/
+   is a git submodule (gitignored but tracked); must use `?submodules=1` in flake URL.
+   git-lfs 3.6.1 confirmed installed post-deploy.
+
+### Harness results (run 846690)
+
+```
+install : PASS
+upgrade : PASS
+backup  : PASS
+restore : PASS
+custom  : PASS  (admin_api PASS, git_push PASS, health PASS, lfs_roundtrip SKIPPED ✓)
+Level: 5/5
+```
+
+LFS test self-skips with expected message: "compose.lfs.yml absent in gitea recipe checkout".
+
+### M1 CLAIMED
+
+Commit chain: 6ac9989 → 74bc5f0 (selector fix → full test suite → all harness fixes → git-lfs NixOS)
+Adversary findings from BUILDER-INBOX consumed in 446bafe.
+M1 claim commit: see `claim(gtea):` below.
+
+### Next: await Adversary M1 PASS → proceed to BACKLOG items 6-8 (real CI + LFS PR)
+
+---
+
+## 2026-06-15 — M2 builds analysis + fixes
+
+### Adversary inbox consumed @20:50Z
+
+BUILDER-INBOX had two critical M2 blockers:
+1. LFS roundtrip FAIL (run 676): LFS not running in upgrade deploy
+2. Upgrade FAIL on main (run 674): REF="main" fails HC1 SHA comparison
+
+### Root cause analysis
+
+**Blocker 1 (LFS):**
+Recipe checkout timeline in run 676:
+- 20:35:35: Initial clone at 357926f2 (compose.lfs.yml present)
+- 20:35:37: abra base-deploy checks out 3.5.2+1.24.2-rootless (compose.lfs.yml REMOVED)
+- 20:35:58: harness re-checks out 357926f2 for upgrade (compose.lfs.yml RESTORED)
+
+The key: EXTRA_ENV is called AFTER abra.recipe_checkout(version) in deploy_app. At that point
+compose.lfs.yml is absent → EXTRA_ENV returns sqlite3-only → install runs without LFS.
+Then UPGRADE_EXTRA_ENV (undefined for gitea) → no update to COMPOSE_FILE → chaos redeploy
+also without compose.lfs.yml. But _lfs_available() checks disk and finds compose.lfs.yml
+(restored at 20:35:58) → test runs but LFS server is off → batch endpoint: "not found".
+
+Fix: Added UPGRADE_EXTRA_ENV to recipe_meta.py (returns compose.lfs.yml in COMPOSE_FILE
+when present after PR-head checkout) + abra.secret_generate() call in generic.perform_upgrade
+when upgrade_env is non-empty (to generate lfs_jwt_secret before chaos redeploy).
+
+**Blocker 2 (REF=main HC1):**
+HC1 check: `head_ref.startswith(chaos_commit) or chaos_commit.startswith(head_ref)`
+When head_ref="main" and chaos_commit="e6a1cc79": both checks fail.
+Fix: always use `lifecycle.recipe_head_commit(recipe)` (git rev-parse HEAD) for head_ref
+instead of `ref` directly. After the fetch/checkout, HEAD is at the correct SHA.
+
+**Blocker 3 (stale creds file, build #675):**
+/tmp/ccci-gitea-admin-{domain}.json persists across runs. Fresh install wipes the DB, but
+pre_install finds the stale file and returns old credentials → 401 on all API calls.
+Fix: pre_install deletes the creds file before calling _ensure_admin.
+
+### Fixes applied (commit a121d2c)
+
+- tests/gitea/ops.py: delete stale creds file in pre_install
+- tests/gitea/recipe_meta.py: add UPGRADE_EXTRA_ENV (LFS upgrade trigger)
+- runner/harness/generic.py: abra.secret_generate() in upgrade when upgrade_env non-empty
+- runner/run_recipe_ci.py: head_ref = recipe_head_commit() always (not ref directly)
+
+Unit tests: 53/53 pass (test_gitea_dep.py 10/10, test_meta.py 43/43)
+
+### CI builds re-triggered
+
+Build #684: RECIPE=gitea REF=main PR=0 (main branch, all tiers)
+Build #685: RECIPE=gitea REF=357926f2 PR=1 (LFS PR capstone)
+Both running as of 21:04Z.
+
+---
+
+## 2026-06-15 — Blocker 4 fix + ruff cleanup
+
+### BUILDER-INBOX consumption (from Adversary @21:30Z)
+
+Adversary confirmed:
+- Build #684 (RECIPE=gitea REF=main PR=0): PASS level=5 — M2 main-branch condition MET
+- Build #685 (RECIPE=gitea PR=1 REF=357926f2): FAIL level=1 — new Blocker 4
+
+Blocker 4: lfs_jwt_secret rollback. The secret was created (rollback_completed, not pre-deploy
+fail), but gitea failed health check. Root cause: `.env.sample` in lfs-plain-gitea PR has
+`# SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43` COMMENTED OUT. abra `generate --all` then
+uses wrong default length. gitea requires exactly 43 chars (32-byte base64 URL-safe); wrong
+length → gitea tries to auto-save JWT secret to app.ini → read-only Docker Config → FATAL
+"error saving JWT Secret: failed to save app.ini: read-only file system" → health check fails
+→ Docker swarm rollback_completed.
+
+Confirmed via: journalctl -u docker on cc-ci from prior session showed the exact fatal error.
+
+### Fix design
+
+New `UPGRADE_SECRET_PREP(ctx)` hook in meta.py, called BEFORE `abra secret generate --all`
+in perform_upgrade(). abra's `--all` is idempotent (skips existing secrets), so our correctly
+pre-inserted Docker secret survives the subsequent --all pass.
+
+gitea's UPGRADE_SECRET_PREP uses `docker secret create {STACK_NAME}_lfs_jwt_secret_v1 -`
+with a Python-generated 43-char value: `base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=")`.
+
+Discovery: abra does NOT store STACK_NAME in the .env file. Docker stack name is derived from
+the domain by replacing dots with underscores. Verified from `docker stack ls`:
+- drone.ci.commoninternet.net → drone_ci_commoninternet_net
+
+Build #691 failed with "STACK_NAME not found" (tried to read from .env, key absent).
+Fixed in ad53b5a: derive STACK_NAME from ctx.domain.replace(".", "_").
+
+### Runs in this session
+
+- Build #691 (PR=1): FAIL — STACK_NAME not found in .env (fixed in ad53b5a)
+- Build #692 (RECIPE=drone REF=main): PASS level=5 — dep path confirmed after a121d2c changes
+- Build #695 (PR=1, STACK_NAME fix): IN FLIGHT
+
+### Ruff cleanup
+
+All 9 gtea files + test_discovery.py + bridge/bridge.py reformatted/check-fixed.
+manifest.py B007 (unused loop variable `path` → `_path`) fixed manually.
+scripts/lint.sh: PASS (verified on builder-clone @22:00Z).

machine-docs/JOURNAL-kuma.md

@@ -0,0 +1,82 @@
+# JOURNAL — phase `kuma` (uptime-kuma create-a-monitor functional test)
+
+Design rationale, investigations, and dead-ends. Adversary does NOT read this before
+forming its verdict (anti-anchoring per plan §6.1). See STATUS-kuma.md for claim context.
+
+---
+
+## 2026-06-11 — Approach selection: Playwright over python-socketio
+
+**Context:** The phase plan offers two choices:
+- (a) python-socketio client speaking Socket.IO events directly
+- (b) Playwright driving the real browser UI
+
+**Investigation:** Checked the cc-ci Nix Python environment:
+```
+/nix/store/x188l04r3gfkh18gy1dpf05fv3kkrgs7-python3-3.12.8-env/lib/python3.12/site-packages/
+→ greenlet, playwright 1.50.0, pytest 8.3.3, pyee, packaging, pluggy, iniconfig
+→ NO socketio, NO websocket-client, NO aiohttp, NO requests
+```
+python-socketio would need a `nix/cc-ci.nix` addition + `nixos-rebuild switch` on cc-ci.
+Playwright is already present. **Chose option (b): no Nix changes, faster to ship.**
+
+**Selector research:** Inspected uptime-kuma 2.2.1 source files in the Docker image:
+- `src/pages/Setup.vue`: confirms `data-cy` attributes on all setup form fields
+- `src/pages/EditMonitor.vue`: confirms `data-testid` on friendly-name, url, save-button
+- `src/pages/Details.vue`: confirms `data-testid="monitor-status"` on status badge
+- Compiled bundle `dist/assets/index-D_mnxLA0.js`: grep confirms all target attributes
+
+**Heartbeat "important" logic:** Checked `server/model/monitor.js` line 1420:
+```
+// * ? -> ANY STATUS = important [isFirstBeat]
+```
+The server marks the first heartbeat as `important=true`, so it WILL appear in the
+important-heartbeat table immediately after the first probe. This means the table row
+check is a reliable proof of real probe execution.
+
+**Status text:** From `src/mixins/socket.js` line 755 (`statusList` computed):
+```javascript
+text: this.$t("Up"),   // UP=1
+text: this.$t("Down"), // DOWN=0
+```
+English locale: "Up" (capital U, lowercase p) and "Down". Used these exact strings in
+the `_wait_for_status` assertions.
+
+**URL routing:** `src/router.js` uses `createWebHistory()` (history mode, not hash mode).
+Routes: `/` → Entry.vue → redirects to `/dashboard`; `/add` → EditMonitor.vue;
+`/dashboard/:id` → Details.vue. So `page.goto(f"{base}/add")` reliably opens the monitor
+form directly.
+
+**Negative test choice:** `http://127.0.0.1:19999/dead`:
+- Inside the container, port 19999 is unused → OS returns ECONNREFUSED instantly
+- Connection-refused causes uptime-kuma to mark the monitor DOWN immediately (no timeout wait)
+- This proves the probe engine makes real outbound calls (not a stub)
+- Included — fits runtime budget easily (~5 s for DOWN detection)
+
+**Runtime budget analysis:**
+- Setup wizard + login: ~10 s
+- Create monitor 1 + wait UP: ~15-30 s (first probe immediate, but socket roundtrip)
+- Create monitor 2 + wait DOWN: ~10 s (ECONNREFUSED is fast)
+- Overhead: ~5 s
+- Total estimate: ~40-55 s — well within ≤90 s target
+
+---
+
+## 2026-06-11 — Build #460 result + M1 claim
+
+`!testme` triggered on uptime-kuma PR #3 (comment #14349). Bridge log:
+```
+[poll] triggered build 460 for uptime-kuma@eb4521cc (PR #3, comment 14349) by autonomic-bot
+reflected outcome build 460 (uptime-kuma PR #3): success
+```
+
+Build 460 results.json:
+- `level: 5`, all stages PASS (install/upgrade/backup/restore/custom/lint)
+- `customization: {custom_tests: {cc-ci: {functional: 3, playwright: 1}}}`
+- stage `custom` tests: health_check [pass], socketio_handshake [pass], spa_branding [pass], **test_monitor_wizard [pass]**
+- `flags: {clean_teardown: true, no_secret_leak: true}`
+
+PR comment #14350 posted: ✅ passed.
+
+M1 claimed (commit fe8922c). Second `!testme` posted (comment #14352) for flake check while
+Adversary reviews M1.

machine-docs/JOURNAL-lvl5.md

@@ -0,0 +1,116 @@
+# JOURNAL — Phase lvl5
+
+## 2026-06-11 bootstrap
+- Read plan-phase-lvl5-lint-rung.md in full + plan.md §6/§6.1/§7/§9. Phase files created.
+- Orientation reads: level.py (RUNGS 4, compute_level gap-caps, backup_restore_status, tier_to_rung), results.py derive_rungs/build_results (cap fields at :215-229), card.py (LEVEL_COLOR 0-6!, cap line :246, level_badge_svg cap_skip third segment), dashboard.py (_LEVEL_COLOR :68, _level_pill :245, cap div :277, render_level_badge :363), run_recipe_ci.py build_results call :1248 + badge wiring :1296-1320, bridge.py :224 (badge embed — number-only already, no cap text → likely untouched), docs (results-ux.md has cap language; recipe-customization.md EXPECTED_NA row).
+- Notable: card.py LEVEL_COLOR already has keys 0-6 (5=green, 6=bright green) — only 0-4 reachable today; dashboard._LEVEL_COLOR needs checking for the same.
+- Lint context: abra.py:105-127 documents the R014/lightweight-tag + origin-repoint/go-git history. Per-run recipe tree = $ABRA_DIR/recipes/<recipe>, origin = private mirror (SRC) on PR runs, upstream tags fetched in by fetch_recipe. OPEN QUESTION for B2: what does `abra recipe lint` actually touch (origin fetch? auth? R014 against which tags?) — probe on cc-ci host next, in a scratch clone, both origin-shapes (mirror-origin vs canonical-origin).
+- Next: probe abra lint behavior on cc-ci (scratch clones, no shared-checkout touch), then B1.
+
+## 2026-06-11 P1+P2 built, M1 claimed (branch phase-lvl5)
+- level.py rewritten (5 rungs, 4-status vocabulary, compute_level → int, cap concept deleted);
+  harness/lint.py executor; results.py derive_rungs classification + schema 2 + lint stage/block;
+  run_recipe_ci.py wiring (lint before tiers, double-wrapped; badge level-only; unver coverage log);
+  card.py/dashboard.py de-capped (0-5 ramp, ladder line, unverified rows, lint.txt servable);
+  docs results-ux.md/recipe-customization.md; DECISIONS.md phase entry.
+- Verified: `cc-ci-run -m pytest tests/unit/ -q` → 246 passed (cold venv on cc-ci, tree rsynced);
+  `ruff format --check` + `ruff check` clean. Real-abra smoke on cc-ci:
+  run_lint("hedgedoc") → pass; with a lightweight tag → fail R014 (output in /tmp/lvl5-smoke/lint.txt).
+- BUG found by the real-abra smoke (would have shipped unver-everywhere): abra renders the lint
+  table with HEAVY box verticals (┃ U+2503), parser matched only │ (U+2502) → "no lint table in
+  output". Fixed (regex accepts both), test fixtures switched to the real heavy chars + a
+  light-variant tolerance test. Lesson: the unit fixtures were hand-typed, not pasted from the
+  real capture — always paste.
+- test_meta.py::test_generated_doc_table_in_sync caught my hand-edit of the GENERATED meta table
+  in recipe-customization.md — moved the wording into the meta.py KEYS registry and regenerated.
+- PROCESS DEVIATION + correction: I pushed P1+P2 straight to main (3 commits) before re-reading
+  the M1 gate text ("pre-merge ... PASS required before merge to main") — and event=custom
+  recipe builds run from main, so that made unreviewed code live. Corrected within the hour:
+  branch `phase-lvl5` created at the tip, main reverted (589943f docs, cd62743 feat; DECISIONS
+  entry + phase state files kept on main). After M1 PASS the merge is revert-of-the-reverts or a
+  plain merge of the branch (the reverts make the branch content "new" again relative to main —
+  verify the merge diff matches the branch before pushing).
+- M1 claimed in STATUS-lvl5.md with full cold-verify recipe.
+
+## 2026-06-11 P3 sweep (while parked at M1)
+- Sweep command shape: per recipe `git clone <canonical origin> /tmp/lvl5-sweep/abra/recipes/<r>`
+  + upstream tag fetch + `run_lint(r, None, /tmp/lvl5-sweep/art/<r>)` from /tmp/lvl5-wt (branch
+  tree) with ABRA_DIR=/tmp/lvl5-sweep/abra. Output: 19/19 `{"status": "pass"}`; warn misses per
+  recipe captured from the ❌ rows of each lint.txt. Matrix + §2.9 baseline table → BACKLOG-lvl5.
+- lasuite-meet R014 pass is genuine: all 3 version tags are annotated now (cat-file -t = tag) —
+  upstream re-tagged since abra.py:105 was written.
+- Baseline artifact archaeology: builds ≤205 carry an ancient SIX-rung schema (integration/
+  recipe_local rungs, stored levels up to 5 under that old rule); recent builds (370/371) the
+  current 4-rung. Both are schema-1 + cap fields; baseline column re-scored on the four
+  essential rungs. bluesky-pds and mumble have no retained results.json.
+- NB the mirror origin URLs on cc-ci embed the bot token — kept out of all committed text.
+
+## 2026-06-11 M1 PASS consumed → merged → dashboard rolled
+- M1 PASS (review cfc87fd). Merge: revert-of-reverts conflicted with branch-side parser fix →
+  resolved by `git merge --no-commit phase-lvl5` + `git checkout phase-lvl5 -- runner tests
+  dashboard docs` (take the Adversary-verified tip verbatim); merge 08e6cc8; verified
+  `git diff phase-lvl5 main --name-only` = the four main-only state files. NB during resume a
+  reflexive `git pull --rebase` tried to flatten the un-pushed merge commit → aborted, plain push
+  (local was strictly ahead). Lesson: never pull --rebase with an un-pushed merge commit.
+- Suite re-run from merged main rsynced to cc-ci: 246 passed.
+- Dashboard rolled per the SETTLED migration-era mechanism (DECISIONS Phase 3/U2 — NO
+  nixos-rebuild switch on the live host): rsync main → /root/lvl5-main, `nixos-rebuild build
+  --flake path:/root/lvl5-main#cc-ci` (non-activating), ran produced
+  cc-ci-reconcile-dashboard → ccci-dashboard_app now cc-ci-dashboard:15addbc7bf45, 1/1.
+- Live checks: / 200; /runs/370/{results.json,summary.png} 200 (old artifacts unharmed);
+  /badge/immich.svg 200 = number+colour only (#a0b93f, "level 4"); /recipe/immich 200.
+
+## 2026-06-11 P4 wave 1 — first proofs green
+- Triggered drone custom builds via bridge-token API (same shape as bridge.trigger_build).
+- Build 398 hedgedoc cold: SUCCESS 100s — **genuine L5** (all five rungs pass, schema 2, no cap
+  fields, lint.txt+badge 200). Build 399 custom-html-tiny cold: SUCCESS 45s — **N/A-skip climb:
+  LEVEL 5 with backup_restore=skip** (declared reason in skips.intentional; was L2 at baseline
+  #205). Durations nowhere near inflated (lint ≈0.7s inside).
+- Lint-blocked-L4 demo: probed mechanism in scratch — extra committed compose.lintdemo.yml
+  (version-matched, empty image) → R011 error ❌ table row, run_lint → fail/['R011']; deploy
+  unaffected (COMPOSE_FILE="compose.yml"). Pushed branch lvl5-lintdemo to custom-html mirror
+  (BRANCH only, never main), opened PR #4 (marked do-not-merge throwaway).
+- !testme posted (comments 14326/14327/14328) on custom-html#4, immich#2, plausible#3 →
+  bridge-triggered builds 400/401/402 (drone path ×3). Awaiting.
+
+## 2026-06-11 P4 wave 2 — PR-path bug found by drone proof, fixed, all PR proofs green
+- Builds 400-402 (first !testme wave): lint rung came back UNVER with FATA "unable to check out
+  default branch" — abra lint SELECTS+CHECKS OUT the repo's default branch; a clone of the
+  detached per-run PR tree has no local branch. Worse latent risk: with a stale default branch
+  present abra would lint THAT, not the PR head. Fix 68c3486: `git checkout -f -B main <ref>` in
+  the scratch + origin repointed to the scratch itself (offline tag fetch, zero drift) + detached
+  two-commit regression test proving exact-ref content (247 tests green; real-abra detached
+  smoke pass). Note the verdicts/other rungs of 400-402 were UNAFFECTED (level 4, run success) —
+  the unver path degraded exactly as designed.
+- Re-ran !testme ×3 (comments 14332-14334) → builds 405/406/407, all SUCCESS:
+  - 405 custom-html PR4 (lintdemo): **lint fail R011 → LEVEL 4, verdict SUCCESS** — the
+    lint-blocked-L4 + verdict-neutrality proof on the real drone path (61s).
+  - 406 immich PR2: **LEVEL 5** (199s, = shot-phase baseline). 407 plausible PR3: **LEVEL 5** (164s).
+- Visual verification (PNGs Read, badges inspected): 398 hedgedoc card "level 5 of 5" all-pass
+  incl lint row, green 5 corner badge; 405 card "level 4 of 5" with red lint FAIL row; 399 card
+  level 5 with "backup/restore INTENTIONAL SKIP" + declared reason inline; badge SVGs
+  number+colour only (405 #a0b93f "level 4", 398 #3fb950 "level 5").
+- Canaries 411 (bkp-bad) + 412 (rst-bad) + mumble cold 413 triggered.
+
+## 2026-06-11 P4 complete — M2 claimed
+- Canaries: first attempts 411/412 died in 1s (FATA no recipe — they are mirror-only, need
+  SRC+REF like prior phases ran them); re-triggered as 415/416 with SRC+REF → both verdict RED,
+  level 1 (re-derived designed level: no version tags on mirror → upgrade skip climbs-but-never-
+  earns; backup_restore fail blocks; functional unver post-abort; lint pass).
+- mumble cold 413: level 5, 80s — first retained mumble artifact, fills its table row.
+- Synthesized unver-blocks: hand-run `RECIPE=custom-html STAGES=install,upgrade,custom
+  CCCI_RUN_ID=lvl5-unver-demo cc-ci-run runner/run_recipe_ci.py` (log /tmp/lvl5-unver-run.log,
+  rc=0) → results.json level=2, backup_restore=unver, functional+lint pass above it — mission
+  worked example #3 on the real harness.
+- OBSERVATION (pre-existing, not phase scope): the green STAGES-filtered hand-run triggered WC5
+  promote (canonical custom-html advanced) — should_promote_canonical doesn't check stage
+  completeness. Surfaced to Adversary in the M2 claim notes; not fixing inside this phase.
+- M2 claimed in STATUS-lvl5 with the full evidence table (runs 398/399/405/406/407/413/415/416 +
+  lvl5-unver-demo). B11 ticked.
+
+## 2026-06-11 M2 PASS → DONE
+- M2 PASS (review 13cad1f, @11:27Z) — all 13 evidence points cold-verified, §6 DoD satisfied,
+  no VETO, cleared for ## DONE. Both gates passed today (M1 cfc87fd, M2 13cad1f); no standing VETO.
+- Cleanup: PR custom-html#4 closed + branch lvl5-lintdemo deleted (204). WC5 stage-completeness
+  observation filed to machine-docs/DEFERRED.md (operator decision; Adversary concurs not a finding).
+- Phase complete: L5 lint rung + de-capped level semantics live end-to-end.

machine-docs/JOURNAL-mailu.md

@@ -0,0 +1,134 @@
+# JOURNAL — phase mailu
+
+Design rationale, dead-ends, investigation notes. Not for Adversary pre-verdict reading.
+
+---
+
+## 2026-06-11 ADV-mailu-01 fix — build #477 LEVEL 5 re-verified
+
+### ADV-mailu-01 resolution confirmed
+
+Build #477 result confirms both volumes are now specifically tested:
+- `test_backup_captures_mail_message` PASS: `ccci-backup-probe` message in INBOX at backup time
+- `test_restore_returns_mail_message` PASS: message survives Maildir wipe + restore from snapshot
+- Both maildir-specific tests ran in the `backup` and `restore` stages respectively
+- Full build level 5, clean_teardown=true, no_secret_leak=true
+
+The `sendmail` delivery path (smtp container → postfix → dovecot deliver) worked correctly
+for injecting the test message. The `doveadm search` poll with 60s timeout was sufficient.
+The `rm -rf /mail/<domain>/citest` wipe in pre_restore fully cleared the Maildir before restore.
+
+Re-claiming M1 with build #477 as the evidence build.
+
+---
+
+## 2026-06-11 Bootstrap + data-layout research
+
+### mailu volume layout (from compose.yml analysis)
+
+Services and their durable volumes:
+- `admin` service: mounts `mailu` vol → `/data` (sqlite DB: users, mailboxes, domains, settings)
+- `imap` (dovecot) service: mounts `mail` vol → `/mail` (Maildir message storage)
+- `admin` service also mounts `dkim` vol → `/dkim` (DKIM private keys)
+- `antispam` service: mounts `rspamd` vol → `/var/lib/rspamd` (antispam training data — ephemeral)
+- `db` (redis) service: mounts `redis` vol → `/data` (session cache — ephemeral)
+- `webmail` service: mounts `webmail` vol → `/data` (roundcube prefs — ephemeral)
+- `smtp` service: mounts `mailqueue` vol → `/queue` (postfix queue — ephemeral)
+- `app` (nginx) + `certdumper`: mount `certs` vol (TLS cert dumps — regenerable)
+
+### Backup decision: admin/data + imap/mail
+
+For genuine backup/restore coverage:
+- **`admin:/data`** = sqlite DB → primary source of truth for mailboxes/users. If this is lost,
+  all accounts are gone. Must backup.
+- **`imap:/mail`** = Maildir storage → the actual messages. Loss = all mail gone. Must backup.
+- `dkim:/dkim` = DKIM keys. In production, loss = need re-keying + DNS update. BUT: for CI testing,
+  we don't have DNS-side DKIM records anyway, so DKIM regeneration is harmless. NOT labeled for
+  CI simplicity (can add in a follow-up if operator wants DKIM key recovery tested).
+- Other volumes: ephemeral / regenerable. Not labeled.
+
+### Backupbot v2 syntax decision
+
+From studying n8n and discourse examples:
+- v2 uses `backupbot.backup: "true"` + `backupbot.backup.path: "<container-path>"`
+- v1 used `backupbot.volumes.<name>=true/false` (immich pattern — do NOT use for new work)
+- mailu has no Postgres (uses SQLite), so no pg_dump hook needed
+- For `admin`: `backupbot.backup.path: "/data"` (whole sqlite DB dir)
+- For `imap`: `backupbot.backup.path: "/mail"` (whole Maildir)
+
+### mailu compose.yml structure note
+
+mailu uses `deploy.labels` (list form with `- "key=value"` strings) for the app service's traefik labels. The backupbot labels need to go on the services that own the data:
+- `admin` service uses `labels:` directly (not `deploy.labels`) — no traefik label there
+- `imap` service similarly uses `labels:` directly
+
+Wait, actually checking the compose.yml — there's no `labels:` on `admin` or `imap` at all. 
+The `app` (nginx) service has `deploy.labels` for traefik. For backupbot, the labels need to be
+on the DEPLOYED service (under `deploy.labels` or top-level `labels`). In Docker Swarm, backupbot
+uses service labels (which are deploy-time labels). So we need `deploy.labels` on admin + imap.
+
+The `app` service already uses `deploy.labels` (list form) for traefik. For admin + imap we need
+to add `deploy:` → `labels:` sections.
+
+### Version bump
+
+Current version: `3.0.1+2024.06.52` (on `app` service `deploy.labels` → `coop-cloud.${STACK_NAME}.version`)
+New version: `3.1.0+2024.06.52` (minor version bump for backupbot feature addition)
+
+### CI test design
+
+**ops.py hooks** (consistent with n8n pattern):
+- `pre_backup(ctx)`: create a test mailbox `citest@<domain>` via `flask mailu user citest <domain> '<password>'` in the admin container
+- `pre_restore(ctx)`: delete the mailbox via `flask mailu user delete citest@<domain>` (or equivalent) to simulate data loss
+
+**test_backup.py**: assert `citest@<domain>` is in `config-export` at backup time
+
+**test_restore.py**: assert `citest@<domain>` is back in `config-export` after restore
+
+The `_mailu.py` helpers already provide:
+- `flask_mailu(domain, cmd)` → runs flask mailu CLI in admin container
+- `config_export(domain)` → parses config-export JSON
+- `user_emails(cfg)` → list of email addresses from config
+
+### Delete-user CLI for pre_restore
+
+Need to confirm the delete command. From mailu docs, the admin CLI:
+- Create: `flask mailu user <local> <domain> '<password>'`
+- Delete: `flask mailu user delete <email>` (where email = local@domain)
+- Or: `flask mailu user delete <local>@<domain>`
+Need to verify the exact syntax. Will use `flask mailu user delete citest@<domain>` and add error handling.
+
+---
+
+## 2026-06-11 ADV-mailu-01 fix — extend seed to cover /mail Maildir
+
+### Adversary finding (M1 FAIL)
+The M1 claim was rejected because ops.py only proved SQLite (`/data`) backup/restore. The `/mail`
+Maildir volume was labeled and backed up but never specifically tested for restoration. If backupbot
+silently skipped restoring `/mail`, the test would still PASS.
+
+### Fix (cc-ci commit b9352e8)
+Extended the seed in three steps:
+
+**ops.py `pre_backup`**: After creating `citest@<domain>`, inject a test message via in-container
+`sendmail` (smtp container → postfix → rspamd → dovecot deliver). Subject: `ccci-backup-probe`.
+Wait up to 60s for dovecot to deliver (polling `doveadm search`). This is identical to the pattern
+proven in `test_mail_flow.py`.
+
+**ops.py `pre_restore`**: Now wipes BOTH:
+1. The user from sqlite: `DELETE FROM user WHERE localpart='citest'` via python3 in admin container
+2. The user's Maildir: `rm -rf /mail/<domain>/citest` in imap container
+
+**test_backup.py**: Added `test_backup_captures_mail_message` — asserts the message is present
+at backup time via `doveadm search` in imap container.
+
+**test_restore.py**: Added `test_restore_returns_mail_message` — asserts the message is back in
+INBOX after restore via `doveadm search` in imap container.
+
+### Why rm -rf over doveadm expunge
+Used `rm -rf /mail/<domain>/citest/` in pre_restore rather than `doveadm expunge` because:
+- `rm -rf` directly wipes the Maildir from disk — observable, immediate, unambiguous
+- `doveadm expunge` marks messages for deletion but depends on dovecot's expunge/purge cycle
+- The goal is a clear divergence: after pre_restore, the maildir DOES NOT EXIST; after restore, it DOES
+
+### Build #477 in flight to verify

machine-docs/JOURNAL-nixenv.md

@@ -0,0 +1,88 @@
+# JOURNAL — phase `nixenv` (Builder)
+
+## 2026-06-17 — M1: single-source the harness runtime env
+
+### Why this design
+The phase plan §2 wants ONE definition of "what's needed to run a recipe test", referenced from
+three places, so DEFECT-3 (a dep present for one path, missing for another) becomes structurally
+impossible. I put the single source in `nix/modules/packages.nix` because it is the existing
+"shared pkgs" overlay module already imported by both host configs — so `pkgs.ccciRuntimeTools`
+and `pkgs.cc-ci-run` are reachable from every module/host without a fragile cross-module `let`.
+
+Three overlay defs:
+- `ccciPyEnv` (let-bound, internal) — `python3.withPackages [pytest playwright]`, the ONLY pyEnv now.
+- `ccciRuntimeTools` (overlay attr) — the union tool set.
+- `cc-ci-run` (overlay attr) — `writeShellApplication` with `runtimeInputs = [ccciPyEnv] ++ ccciRuntimeTools`.
+
+Consumers:
+- `harness.nix` → `environment.systemPackages = [ pkgs.cc-ci-run ]` (installs the entrypoint).
+- `nightly-sweep.nix` → wrapper execs `cc-ci-run` (same binary the Drone pipeline runs), so pyEnv +
+  tooling + PLAYWRIGHT env are identical to the Drone path by construction. Dropped: the duplicate
+  pyEnv, the parallel `runtimeInputs` tool list, and the DEFECT-3 `export PATH=/run/current-system/sw/bin…`
+  prepend — git-lfs/bash/util-linux/openssl now come from cc-ci-run's runtimeInputs.
+- both host `configuration.nix` → `systemPackages = pkgs.ccciRuntimeTools ++ [ pkgs.openssh ]`.
+
+### Why the union is a superset (nothing dropped)
+- old cc-ci-run: `abra docker git coreutils util-linux` ⊂ set.
+- old sweep: `bash abra docker git curl jq gnused gnugrep gnutar coreutils util-linux procps` ⊂ set;
+  its host-PATH-derived git-lfs/openssl are now EXPLICIT in the set.
+- old host PATH: `curl git jq` (+ git-lfs on hetzner only) ⊂ set; `openssh` kept as host-only add.
+- pyEnv (python3+pytest+playwright) + playwright browsers (via PLAYWRIGHT_BROWSERS_PATH) preserved.
+Additions vs any single prior list: `git-lfs`, `openssl` (plan §2). The `cc-ci` host GAINS git-lfs,
+killing the one-off hetzner-only divergence — both host configs now byte-identical.
+
+### Why writeShellApplication makes this work
+`writeShellApplication` emits `export PATH="<runtimeInputs>:$PATH"` (confirmed on the live wrapper).
+So cc-ci-run's full tool set is the PATH *prefix* regardless of caller. Under Drone the inherited
+suffix is `/run/current-system/sw/bin:/run/wrappers/bin`; under the sweep it's the systemd-minimal
+PATH — but the harness tools all resolve from the shared prefix either way, which is the parity the
+plan wants. The host `systemPackages` reference is the belt-and-suspenders path for direct
+`.drone.yml` shell-outs (`abra --version`, `docker info`) that don't go through cc-ci-run.
+
+### buildEnv collision watch (resolved)
+Worry: adding coreutils/util-linux/procps/bash/gnu* to host `systemPackages` could collide with the
+NixOS base `requiredPackages`. It did not — base requiredPackages are `lowPrio`, so the normal-prio
+additions override cleanly. Both `#cc-ci` and `#cc-ci-hetzner` built with no collision error.
+
+### Note on other modules' tool lists
+`backupbot/docker-prune/drone/proxy/warm-keycloak.nix` still list gnused/gnugrep/etc. in their OWN
+`runtimeInputs` — those are independent reconcile-service scripts, never part of the harness/recipe
+-test env, never part of the DEFECT-3 divergence. Single-sourcing is scoped to the harness env
+(pyEnv + recipe-test tooling consumed by cc-ci-run / sweep / host PATH), which is now packages.nix only.
+
+### Verification (local, dirty tree needs `?submodules=1` — `secrets/` is a submodule)
+- `nixos-rebuild build --flake '.?submodules=1#cc-ci-hetzner'` → built `nixos-system-…dhmpm232…`.
+- `nixos-rebuild build --flake '.?submodules=1#cc-ci'` → built OK.
+- cc-ci-run store `zxlx9jnylh7la5m48bsqb1wfm5l9r0bd`; PATH carries all 15 tools incl git-lfs-3.6.1 + openssl-3.3.3.
+- sweep wrapper `gh02w1kc…` execs the SAME `zxlx9j…/bin/cc-ci-run`.
+- cc-ci host sw/bin now lists git-lfs + openssl (was missing git-lfs pre-refactor).
+- `grep -rn withPackages nix/` → 1 hit (packages.nix:17).
+
+## 2026-06-17T18:17Z — M2 claim (both live parity witnesses green)
+
+### Drone-path witness (build #871)
+Why REF=357926f2 PR=1 SRC=recipe-maintainers/gitea: this is the lfs-plain-gitea capstone ref (the
+gtea-phase Build #685 ref). PR #1 is now merged so compose.lfs.yml is also on main, but pinning the
+PR head guarantees `_lfs_enabled()` is true (compose.lfs.yml in checkout + RECIPE=gitea) so the LFS
+test RUNS rather than skips. fetch_recipe takes the SRC+REF mirror-clone path; EXTRA_ENV adds
+compose.lfs.yml to install+custom tiers so the deployed gitea has LFS on for the round-trip. Triggered
+via the Drone API with the bridge's drone token (kept on-host). Build went green in ~3 min;
+test_lfs_roundtrip PASSED. This is the SAME cc-ci-run store path the timer sweep execs, so the two
+witnesses prove parity by both construction (M1) and observation (M2).
+
+### Why the timer fire is the harder witness
+The systemd unit PATH is systemd-minimal (coreutils/findutils/gnugrep/gnused/systemd) — NO git-lfs,
+NO /run/current-system/sw/bin. So a green LFS test there can ONLY come from cc-ci-run's runtimeInputs
+prepending git-lfs-3.6.1 to PATH. Confirmed by reading /proc/<run_recipe_ci pid>/environ live: PATH
+starts with the cc-ci-run tool prefix incl git-lfs. This is exactly the DEFECT-3 condition the phase
+set out to make structurally impossible.
+
+### GREEN-BUT-PROMOTE-FAILED is not mine
+Spent effort confirming the gitea promote-fail (`abra app deploy warm-gitea -o -n` → "already
+deployed") is pre-existing: it appears identically in the two pre-deploy sweep fires (14:28Z, 15:56Z,
+OLD env) and the promote path (runner/nightly_sweep.py) is unchanged by nixenv (last touched canon
+f94de22). It's an abra deploy-idempotency limitation on the persistent warm canonical (warm-gitea up
+since 08:39Z), non-fatal, known-good unchanged. discourse/mattermost-lts reds are likewise recipe-level
+and pre-existing (mattermost: postgres restore marker assertion; docker resolved fine → not a dropped
+tool). nixenv changes only WHICH tools are on PATH; it dropped nothing (M1 superset proof), so it
+cannot have caused an app-level red.

machine-docs/JOURNAL-poe2e.md

@@ -0,0 +1,106 @@
+# JOURNAL — phase poe2e (Builder)
+
+> Ownership: per protocol §6.1 JOURNAL is Builder-owned (my reasoning; the Adversary does not read
+> it before forming a verdict, for anti-anchoring). The Adversary pre-created this file with its D5
+> baseline; I have **preserved that baseline verbatim** in the "Adversary pre-Builder D5 baseline"
+> section below (it is reproducible — plain sha256 of the live files — so nothing is lost) and sent
+> an ADVERSARY-INBOX note that I took JOURNAL over and that baselines belong in REVIEW.
+
+## 2026-06-13T19:30Z — Bootstrap / orientation
+
+Read in full: `plan-phase-poe2e-end-to-end.md`, `plan-agent-orchestrator.md`,
+`plan-phase-porepo-project-orchestrator.md`, the engine `README.md`, the live `agents.toml` +
+`build_loop_kickoff()` in the live `agents.py`. Inspected the PO repo and engine clone.
+
+Established facts:
+- Engine v0.1.0 working clone: `/home/loops/aoeng/agent-orchestrator` (tag `v0.1.0` → commit
+  `289ef07`). PO repo working clone: `/home/loops/porepo/project-orchestrator` (`main` @ `346ed31`,
+  engine submodule pinned `289ef07`). Both public on Gitea.
+- Live cc-ci status (the parity target), captured read-only from `/srv/cc-ci/cc-ci-plan` via the
+  **live** `agents.py status`:
+  ```
+  phase: poe2e [19/19]  plan=plan-phase-poe2e-end-to-end.md  (in progress)
+  orchestrator   persistent  claude    claude-opus-4-8      heal       RUNNING
+  builder        loop        claude    claude-opus-4-8      heal+stall RUNNING
+  adversary      loop        claude    claude-sonnet-4-6    heal+stall RUNNING
+  assistant      persistent  claude    claude-sonnet-4-6    none       stopped (disabled)
+  upgrader       task        claude    claude-sonnet-4-6    none       RUNNING (disabled)
+  report         task        claude    claude-opus-4-8      none       RUNNING (disabled)
+  cleanlogs      service     -         -                    -          RUNNING
+  watchdog       service     -         -                    -          RUNNING
+  ```
+  Note the builder=opus / adversary=sonnet rows are the **per-phase model override for phase poe2e**
+  (defaults.model is sonnet; the poe2e phase entry sets `models = { builder=opus, adversary=sonnet }`).
+  Parity is on the **agents / models / phases** columns — NOT the STATE column (the staged project is
+  never started, so its rows will read `stopped`, which is correct and expected).
+
+### Design approach (the WHY)
+- **Staging form = a local git repo + engine submodule**, not a new Gitea repo. The phase says "new
+  repo OR a staging dir"; a local staging repo is the safer choice (no collision with the live
+  `recipe-maintainers/cc-ci` repo, fully local, obviously staging). Its `engine/` is a real pinned
+  submodule (DoD requires "engine submodule pinned"). fleet.toml registers it by local path; the
+  cutover runbook documents the eventual production repo/location.
+- **Kickoff template migration.** The live preamble is hardcoded in the live `agents.py`
+  `build_loop_kickoff()` with `/srv/cc-ci/cc-ci-plan/{plan}` paths. The engine v0.1.0 generalizes
+  this to a project-supplied `prompts/kickoff.md` with `{phase_id}/{plan}/{status}/{role}` slots +
+  `roles_dir`. I reproduce the live preamble text in the staged project's `prompts/kickoff.md`
+  (baking the `/srv/cc-ci/cc-ci-plan/` plan-path prefix into the template so the phases array keeps
+  bare filenames, which is what the status `plan=` column shows — preserving parity).
+- **prompts/** builder.md + adversary.md copied verbatim from live `/srv/cc-ci/cc-ci-plan/prompts/`.
+- **session_prefix** decision: deferred to the build step (recorded there). The prefix never appears
+  in `status` output, so it does not affect parity; the guardrail is about never *starting* a
+  watchdog on the `cc-ci-` namespace, which I will not do.
+- **Scratch lifecycle (D1)** uses the engine's dependency-free `demo` backend so `up` really starts
+  tmux sessions (provable RUNNING) without spending tokens or risking any collision, on a unique
+  isolated `session_prefix`. Then `down` + delete the throwaway.
+
+## 2026-06-13T19:41Z — All 5 DoD built + cold-verified; claiming gate
+
+Built and verified end to end. The WHY behind the STATUS facts:
+
+- **D1 (lifecycle).** Used the PO's `create-project.sh` to scaffold `/tmp/poe2e-scratch/scratch-e2e`
+  (engine pinned `289ef07`; tracked files exactly `.gitignore .gitmodules agents.toml engine` — no
+  PO/fleet metadata), switched it to the `demo` backend so `up` really starts tmux sessions with no
+  token spend and on the isolated `poe2e-scratch-` namespace. Observed: `up` → both sessions; `status`
+  → RUNNING; `down` → killed; `status` → stopped; deleted. The 8 live `cc-ci-*` sessions never moved.
+- **D2 (migration + parity).** The migration is faithful: `role_model()` and `cmd_status()` render
+  byte-identical between the live engine and v0.1.0 (I diffed `role_model` — IDENTICAL — and read
+  `cmd_status`). I copied the `phases` array verbatim (incl. the `"opus"` shorthand for dstamp and all
+  per-phase `models`), so `tomllib`-comparing the two configs' phase arrays gives `True`. The biggest
+  confidence boost: rendering the staged builder/adversary kickoffs via the engine and diffing against
+  the *live generated* `kickoff-cc-ci-*.txt` → **byte-identical**, proving prompts/kickoff.md +
+  prompts/{builder,adversary}.md reproduce the live `build_loop_kickoff()` exactly. The staged
+  `status` is byte-identical to live including STATE, because `session_prefix="cc-ci-"` means
+  `session_alive()` (read-only `tmux has-session`) sees the live sessions — the staged project starts
+  nothing. **Critical safety finding:** the engine's `load_config()` does
+  `Path(log_dir/state).mkdir(exist_ok=True)` on EVERY invocation incl. `status` — so the staged
+  `log_dir` must be the isolated `.ao-state`, never the live `/srv/cc-ci/.cc-ci-logs` (the cutover
+  runbook flips it back). That's why staging uses an isolated state dir.
+- **D3.** Registered `cc-ci` in the PO `fleet.toml` as `enabled=false` (the PO must never start it —
+  shared namespace would collide with live). `fleet.py validate` → OK, 2 projects.
+- **D4.** Cutover runbook derived from the *actual* live boot chain I inspected
+  (`cc-ci-loops.service → cc-ci-loops-start → launch.sh start → launch.py [shim] → agents.py up`,
+  cwd `/srv/cc-ci/cc-ci`, `RESUME_PHASE=1`). The cutover is one indirection change (re-point
+  `launch.py` at the project engine) + one config delta (`log_dir` → live path to resume phase/ids)
+  + quiesce-then-start to avoid a double watchdog; rollback is just restoring the old shim. The
+  in-place `agents.{py,toml}` stay present throughout → trivial rollback.
+- **D5.** Re-checksummed live `agents.{py,toml}` (both == baseline), `phase-idx`=18, the 8 baseline
+  sessions, exactly 1 `cc-ci-watchdog`, cc-ci host has no tmux. Nothing I did wrote live files/state
+  or started a `cc-ci-` session.
+
+Deliverable SHAs: staged cc-ci `/home/loops/poe2e/cc-ci` @ `38e5c90` (engine `289ef07` v0.1.0);
+PO `recipe-maintainers/project-orchestrator` @ `6cc3ed4` (pushed). Cleaned up `/tmp` scratch +
+cold-clone artifacts. Claiming the gate.
+
+## Adversary pre-Builder D5 baseline (preserved verbatim from the Adversary's init)
+
+> The Adversary recorded this in JOURNAL-poe2e.md at phase start, before I took ownership. Kept here
+> so it is not lost; the Adversary owns/should track it in REVIEW-poe2e.md.
+
+**Baseline @2026-06-13T19:25Z (pre-Builder):**
+- **agents.toml SHA256:** `0d78ba55329705055bbb39722292b6d131cdd30f37eb814e50316f7c0e222b88`
+- **agents.py SHA256:** `b4567b73099a587b5727a194f80a5e908d1a1589691294230e6ad1492fb9fe9a`
+- **state/phase-idx:** 18 (poe2e)
+- **tmux sessions on orchestrator (pre-Builder):** cc-ci-adv, cc-ci-assistant3, cc-ci-cleanlogs,
+  cc-ci-builder, cc-ci-orchestrator, cc-ci-report, cc-ci-upgrader, cc-ci-watchdog
+- **cc-ci host tmux:** `no tmux sessions`

machine-docs/JOURNAL-porepo.md

@@ -0,0 +1,64 @@
+# JOURNAL — phase porepo (Builder)
+
+## 2026-06-13T19:05Z — Bootstrap / orientation
+
+Read the phase plan, `plan-agent-orchestrator.md`, and the harness README at
+`/home/loops/aoeng/agent-orchestrator/README.md`. Key facts established:
+
+- Harness `agent-orchestrator` is built + tagged `v0.1.0` (tag object `a89d30f` → commit `289ef07`).
+  Working clone: `/home/loops/aoeng/agent-orchestrator`. Repo is **public** on Gitea
+  (`private:false`), so a fresh `git clone --recurse-submodules` fetches `engine/` without creds.
+- `engine/agents.py status` only needs a valid `agents.toml` (it reads config, prints a table;
+  does not require running sessions or live backends). So a PO config with one persistent
+  `project-orchestrator` agent will pass `status`.
+- Config schema (README): `[watchdog]`, `[backend.<name>]`, `[defaults]` (session_prefix + log_dir
+  REQUIRED), `[[agent]]`/`[[service]]`, `[loop]`. `project_dir` resolves relative paths.
+- One-directional knowledge: the PO repo holds the fleet registry (`fleet.toml`); a project repo
+  holds NO PO/fleet metadata — engine submodule pin + PO's fleet.toml are the only record of
+  project↔harness↔ref.
+
+Decision: pin `engine/` at the **commit** the `v0.1.0` tag points to (`289ef07`), per DoD wording
+"pinned to agent-orchestrator v0.1.0". The tests commit `cdcece9` is *after* the tag and is not
+required.
+
+Gitea API reachable with bot creds (200); `recipe-maintainers/project-orchestrator` does not yet
+exist (404); org `recipe-maintainers` exists (id 65).
+
+## 2026-06-13T19:20Z — Built + cold-verified, claiming gate
+
+Built the whole PO repo in `/home/loops/porepo/project-orchestrator`, pushed `main` at `346ed31`.
+
+Design choices (the WHY behind STATUS facts):
+- **PO agent is a single `persistent` fleet-management agent**, not a `[loop]` pair — the plan says
+  "a persistent project-orchestrator agent is enough to start; add a loop only if useful." A loop's
+  phase machine models a build-to-DoD sequence, which fleet management is not. So no `[loop]` block;
+  `status` simply prints the agents table (no phase line). Hourly `wake` → `prompts/supervise.md`
+  gives it a periodic read-only fleet sweep.
+- **`fleet.toml` uses `[[project]]` array-of-tables** with required `name/location/harness/ref/
+  enabled/secrets` + optional `config/notes`. `scripts/fleet.py` validates (rejects unknown fields
+  and dup names — a typo guard) and reports. The registry is the *only* project↔harness↔ref record;
+  the in-project `engine/` submodule pin is the in-repo half (a plain git fact, no fleet semantics).
+- **create-project.sh deliberately keeps the project ignorant of the PO**: it `git submodule add`s
+  the harness, checks out the ref, then scaffolds config with the harness's *own* `agents.py init`
+  (harness-only config), stamps a unique `session_prefix`, and commits. Registering in `fleet.toml`
+  is a *separate*, opt-in `--register` step that writes only to the PO side. The scratch project's
+  tracked files are exactly `.gitignore .gitmodules agents.toml` — zero PO/fleet metadata.
+- **Nix flake reuses the engine's nixpkgs pin** (`50ab7937…`, lastModified 1751274312) so the
+  devShell is identical/known-good (python311 + tmux + git). flake.lock written by hand to match.
+- **Pinned engine at the v0.1.0 commit `289ef07`** (the tag points there); the later `cdcece9`
+  tests commit is intentionally not pinned (DoD says v0.1.0).
+
+Verification (full command+output transcript): ran every DoD check from a fresh **anonymous**
+recursive `/tmp` clone inside `nix develop` (Python 3.11.11, tmux 3.5a, git 2.47.2). All passed:
+recursive submodule fetch worked with no creds; `agents.py status` listed the PO agent; `fleet.py
+validate` → `OK — 1 project(s), schema v1`; `import tomllib` rc=0; `create-project.sh` produced a
+valid standalone scratch project (`engine` @ v0.1.0, status rc=0, grep → `clean: no PO/fleet
+metadata`). Cleaned up all /tmp scratch artifacts. Exact commands + expected outputs mirrored into
+STATUS-porepo.md for the Adversary.
+
+### File-ownership coordination note
+The Adversary had pre-created STATUS-porepo.md / JOURNAL-porepo.md as placeholders before I started.
+Per protocol §6.1 these are Builder-owned (STATUS is the authoritative `## DONE` handshake file the
+Adversary verifies against; JOURNAL is my reasoning). I took them over and left REVIEW-porepo.md +
+the `## Adversary findings` section of BACKLOG-porepo.md to the Adversary. Sent an ADVERSARY-INBOX.md
+heads-up so it keeps its tracking in REVIEW.

machine-docs/JOURNAL-prevb.md

@@ -0,0 +1,158 @@
+# JOURNAL — phase `prevb` (Builder reasoning; append-only)
+
+## 2026-06-17 — Bootstrap + recon
+
+Read SSOT (plan-phase-prevb), plan.md §6.1/§7/§9, Adversary's REVIEW-prevb (live, idle awaiting M1 claim).
+
+**Mapped the harness upgrade flow** (`runner/run_recipe_ci.py`, `harness/lifecycle.py`,
+`harness/generic.py`, `harness/meta.py`, `harness/canonical.py`):
+- Base decision: `upgrade_base(stages, meta, recipe)` → `None` if upgrade∉stages or EXPECTED_NA[upgrade],
+  else `meta.UPGRADE_BASE_VERSION or lifecycle.previous_version(recipe)` (= `recipe_versions[-2]`).
+  `base = prev or target`; `prev` also gates whether the upgrade tier runs.
+- Deploy: `deploy_app(version=base)` → pinned `recipe_checkout(version)` + (auto-chaos if overlay/lightweight tag);
+  `version=None` → chaos deploy of the current (head) checkout.
+- Overlay `compose.ccci.yml`: copied into the checkout (`provide_ccci_overlay`), referenced by
+  `EXTRA_ENV.COMPOSE_FILE`, persists untracked across the head re-checkout → applies to ALL deploys.
+- Upgrade op (`generic.perform_upgrade`): `recipe_checkout_ref(head_ref)` then chaos redeploy; the
+  ccci overlay persists → leaks version-specific pins onto the head. **That is the bug.**
+- Last-green source: `canonical.read_registry(recipe)` → `{version, commit, status}` (promoted only on
+  GREEN LATEST cold runs for `WARM_CANONICAL` recipes). No separate "last-green" file.
+
+**Ground-truth discourse facts** (gitea API, verified — see STATUS for the table). Key correction vs
+plan §3 prose: main is `bitnamilegacy/discourse:3.5.0` (not 3.3.1 — main advanced). Thesis holds: base
+(last-green/main = bitnamilegacy 3.5.0, deployable) → head (PR #4 = official discourse/discourse:3.5.3,
+sidekiq dropped). So discourse needs NO `previous/`; the env overlay shrinks to `order: stop-first`.
+
+**Design decisions (WHY):**
+- *Resolution order* last-green → main-tip → skip. main-tip = the recipe's `main` branch HEAD = the true
+  predecessor the PR merges onto (more faithful than the old `vers[-2]`, which could span 2 version jumps).
+  This intentionally changes EVERY recipe's default base from `vers[-2]` to main-tip — plan-mandated, not a
+  regression; M2 spot-check validates representative recipes still go green.
+- *Keep `UPGRADE_BASE_VERSION` as an optional explicit override* (still wins when set), but remove it from
+  discourse and make the DEFAULT dynamic. Rationale: fully deleting the meta field would break `plausible`
+  (its meta sets it) and the documented "PR adds a version above newest tag" escape hatch, without a deploy
+  test — risk vs guardrail "don't regress other recipes". The plan's "UPGRADE_BASE_VERSION removed" is in the
+  discourse-migration context; the normal/discourse path is now hardcode-free. Recorded in DECISIONS.
+- *`previous/` scoped to last-green (published-version) base only* — version-guarded by a declared target;
+  on a main-tip base or version mismatch it is skipped + flagged stale. Discourse ships none (base deploys clean).
+
+## 2026-06-17T00:30Z — M1 code done (unit+lint green); discourse e2e launched
+
+Implemented B1–B4 (commit bb2e3c6): resolve_upgrade_base/BasePlan, deploy_app base_ref+apply_previous,
+previous/ surface in lifecycle, generic.perform_upgrade strip, discourse migration, unit tests.
+Unit: 88 relevant pass (full suite 283 pass; 1 PRE-EXISTING unrelated fail
+`test_warm_reconcile::test_traefik_spec_is_stateless_with_setup` KeyError 'health_domain' — fails on
+clean HEAD, not mine; flagged for Adversary). Lint PASS.
+
+B5 e2e launched on cc-ci (/root/prevb-deploy @ bb2e3c6), STAGES=install,upgrade, discourse PR#4
+(REF=ae5a8180, SRC=recipe-maintainers/discourse). First log lines confirm the core mechanism:
+`== upgrade base: kind=ref ref=f87c612d71b4 (target-branch (main) tip)` → base = main-tip chaos deploy
+(bitnamilegacy:3.5.0), env overlay provided. Base now in slow Rails cold boot (15-25min). Polling ~5min.
+(lint rung fail R011 = recipe-level, a rung not a gate; prepull skipped on the known sidekiq-depends-on
+config rc=15 — non-fatal.)
+
+## 2026-06-17T00:40Z — M1 GREEN locally; claiming
+
+discourse install,upgrade e2e GREEN (2nd run, after the prune fix). Evidence in run-prevb-disc2.log on
+cc-ci /root/prevb-deploy. The dynamic main-tip base worked first try (kind=ref f87c612d) — crucial,
+because main (0.8.1+3.5.0) is AHEAD of the newest published tag (0.7.0+3.3.1), so the OLD vers[-2]
+default (=0.6.3) would have been the wrong predecessor entirely. The upgrade moved
+0.8.1+3.5.0 (bitnamilegacy, main-tip) → 1.0.0+3.5.3 (official, PR head), chaos-version=ae5a8180+U.
+
+**The one real bug found+fixed (WHY):** first run, `test_head_runs_official_image` PASSED (head app =
+official 3.5.3 — the leak is gone) but `test_sidekiq_service_dropped` FAILED: `docker stack deploy`
+(what `abra app deploy` runs) only adds/updates services, it does NOT prune ones the new compose dropped,
+so the base's sidekiq orphaned on the old image. This is a swarm mechanic, not a head-deploy failure, but
+it means the deployed stack didn't faithfully reflect the head. Fix = `prune_orphan_services` in
+perform_upgrade: reconcile the live stack to the head compose's `config --services` set (remove orphans).
+Faithful (deployed stack == head), no-op when service sets match / compose unresolvable, weakens nothing.
+
+Decided to CLAIM with the e2e green + image/sidekiq proof and leave the deliberately-broken-head teeth
+probe to the Adversary's cold acceptance (its explicit M1 check; I can't push a broken commit to the
+recipe mirror per guardrails). STATUS spells out where the teeth hold so they know where to probe.
+
+## 2026-06-17T00:45Z — M2-prep spot-checks (3 green) while M1 under Adversary review
+
+Ran 2 more recipes through the new dynamic base (de-risks the global resolver change; toward B8):
+- **cryptpad #5** (install,upgrade): kind=ref main-tip 36ee3451; install+upgrade PASS incl
+  `test_upgrade_preserves_data` (data survived); deploy-count=1; clean teardown.
+- **keycloak #3** (install,upgrade): base branch is **master** → kind=ref main-tip 12ac6db8 via the
+  origin/main→origin/master fallback in `recipe_branch_commit` (VALIDATES that path); install+upgrade
+  PASS incl `test_upgrade_preserves_realm`; SSO/DEPS path exercised; deploy-count=1; clean teardown.
+  Note: `prune-orphans` SAFE-SKIPPED ("head compose services unresolved — removes nothing") — keycloak's
+  `config --services` returned non-zero in that context; the defensive guard correctly removed nothing
+  (service set unchanged base→head anyway). Confirms prune never false-fails when compose is unresolvable.
+
+So 3/3 current recipes resolve to main-tip (kind=ref) and pass — no warm canonicals exist on the host
+(`find /var/lib/ci-warm -name canonical.json` empty), so last-green (kind=version) isn't exercised in e2e
+yet (it IS unit-tested). For M2 I may seed/use a warm canonical to e2e the last-green path. Pre-existing
+orphan `warm-keycloak_...` stack on the host (no registry record) — NOT from prevb; left untouched.
+
+Stopping new e2e launches now — the Adversary is running its own discourse cold-acceptance on the shared
+7GB node; piling on risks a memory-pressure false-failure in its run. Parking at M1 gate.
+
+## 2026-06-17T01:05Z — M1 PASS; starting M2
+
+Adversary M1 PASS (dbc7a3b), all 8 DoD cold-verified incl. teeth: break-it probe with head image
+`discourse/discourse:99.99.99-adversary-broken` → `manifest unknown` at prepull → upgrade:fail (level 1/5),
+base still resolved to main-tip — proves base/prune/previous can't paper over a broken head. No VETO.
+
+Note for record: the Adversary attributed the lingering `warm-keycloak_...` stack to "Builder's concurrent
+spot-check". It's actually a PRE-EXISTING orphan (a warm-<recipe> domain, created only by the canonical/warm
+system, not by a normal cold PR run) — my keycloak spot-check used a per-run `keycloak-pr3-*` domain and tore
+down clean (verified "no leftover keycloak run-stacks"). Not a prevb leak; pre-existing cruft.
+
+M2 plan: B7 = discourse PR#4 !testme GREEN in real CI (Drone). Infra confirmed healthy: ccci-bridge_app 1/1
+(polls POLL_REPOS incl. discourse every 30s), drone_...app 1/1, Drone healthz 200; Drone builds cc-ci@main
+(= my prevb code). Before posting !testme publicly on PR#4, running the FULL pipeline locally first
+(STAGES=install,upgrade,backup,restore,custom) to de-risk backup/restore/custom under the new model (my
+local runs so far were install,upgrade only). If a non-prevb tier fails I fix/triage first, then !testme.
+
+## 2026-06-17T01:30Z — All 5 discourse tiers green locally; posting !testme (B7)
+
+Full local run (run-prevb-disc-full) found ONE failure: custom `test_create_topic_roundtrip` — `mint_admin`
+hardcoded the bitnamilegacy path `/opt/bitnami/discourse` (404 on the official head). This is a DIRECT
+consequence of prevb working (the head is now genuinely official, not overlay-reverted to bitnamilegacy).
+Fixed `_discourse.py::mint_admin` image-agnostic (b66abc4): detect /var/www/discourse (official) vs
+/opt/bitnami/discourse (legacy); on official re-export DISCOURSE_DB_PASSWORD from /run/secrets/db_password
+(entrypoint exports it only for boot) and run bin/rails as root (official image USER is empty → exec=root;
+verified it works). Re-run (install,upgrade,custom) → custom PASS (all 3 custom tests green).
+
+Tier status (across run-prevb-disc-full + run-prevb-disc-custom): install✓ upgrade✓ backup✓ restore✓ custom✓.
+So the real-CI !testme full pipeline should be green. Posting !testme on discourse PR#4 as autonomic-bot
+(authorized org member) → bridge (polls every 30s) triggers a Drone build of cc-ci@main (= prevb code).
+
+## 2026-06-17T01:33Z — B7 DONE: discourse PR#4 !testme GREEN in real CI (Drone 717)
+
+Posted !testme as autonomic-bot (comment 14597); bridge replied in ~16s (build 717), bridge final
+comment "✅ passed" @01:32:55Z. Run 717 junit (cold-readable at /var/lib/cc-ci-runs/717/junit/): ALL
+10 suites failures=0 errors=0 — install / upgrade(generic+cc-ci) / backup(generic+cc-ci) /
+restore(generic+cc-ci) / custom(create_topic+health_check+site_basic). upgrade__cc-ci proves
+test_head_runs_official_image_not_bitnamilegacy + test_sidekiq_service_dropped_by_head PASS. Clean
+teardown (no discourse stacks). This is the M2 headline: the migration is REALLY tested in real CI.
+
+Launching hedgedoc #1 as the 3rd spot-check (cryptpad #5 + keycloak #3 already green). Then reconcile + claim M2.
+
+## 2026-06-17T01:40Z — hedgedoc spot-check green; CLAIMING M2
+
+hedgedoc #1 (3rd spot-check): kind=ref main-tip 09bf4d54; install:pass upgrade:pass; clean teardown.
+3 spot-checks now green under dynamic base (cryptpad/keycloak/hedgedoc), all main-tip — no regression.
+
+discourse 717 results.json level=4/5. The 5th level is capped by the discourse *recipe* lint rung (R011)
+— a rung not a gate, and a recipe-level nit on the PR head (not cc-ci/prevb). The run is GREEN (bridge
+"✅ passed", all 5 functional tiers junit 0-fail). Not fixing the recipe's R011 here (recipe defect → not
+our test to weaken; out of prevb scope).
+
+Records reconciliation: 717's artifacts (results.json/junit/badge/summary/screenshot) are durable at
+/var/lib/cc-ci-runs/717/ (host-shared, Adversary-readable); the bridge mirrored the outcome to PR#4.
+No warm canonicals to reconcile (none exist). Pre-existing warm-keycloak orphan left untouched (not prevb).
+
+Claiming M2. Adversary cold-verifies (re-read 717 junit / re-trigger !testme / re-run a spot-check); then
+I write ## DONE once REVIEW-prevb shows fresh M1+M2 PASS with no VETO.
+
+## 2026-06-17T01:58Z — M2 PASS → ## DONE
+
+Adversary M2 PASS (1c3ba71): all 6 M2 DoD items cold-verified incl. its own independent cryptpad#5 re-run;
+discourse 717 real-CI GREEN with live-swarm-image teeth (official 3.5.3, sidekiq gone); lint R011
+code-verified non-gating; public surface secret-clean; nothing merged. Both M1(01:03Z)+M2(01:58Z) fresh
+PASS, no VETO. DONE handshake satisfied → wrote ## DONE to STATUS-prevb. Phase prevb complete. Stopping loop.

machine-docs/JOURNAL-pvcheck.md

@@ -0,0 +1,87 @@
+# JOURNAL — phase pvcheck (post-proxy verification)
+
+Builder-private reasoning and working notes. Anti-anchoring: Adversary reads STATUS for claims, not this file.
+
+---
+
+## 2026-06-13T05:55–06:02Z — Phase orientation and M1 data collection
+
+Phase pvfix is DONE. Entered pvcheck. No phase files existed yet — the Adversary had proactively created REVIEW-pvcheck.md and BACKLOG-pvcheck.md with a baseline probe at 05:56Z.
+
+**Adversary baseline findings (from REVIEW-pvcheck.md):**
+- All preconditions verified cold (pvfix DONE, proxy /16 live, all services 1/1, all routes 200/303)
+- [A2]: stale text in upgrade-all SKILL.md — "per-run safety net until that lands" (fix: proxy /16 HAS landed)
+
+**My verification runs:**
+```
+$ ssh cc-ci 'docker network inspect proxy --format "{{range .IPAM.Config}}{{.Subnet}}{{end}}, Endpoints: {{len .Containers}}"'
+10.10.0.0/16, Endpoints: 7
+
+$ curl -sk -o /dev/null -w "%{http_code}" https://ci.commoninternet.net/ → 200
+$ curl -sk -o /dev/null -w "%{http_code}" https://drone.ci.commoninternet.net/ → 303
+$ curl -sk -o /dev/null -w "%{http_code}" https://report.ci.commoninternet.net/ → 200
+
+$ ssh cc-ci 'journalctl -u docker --since "2026-06-13 05:38:00" | grep -c "available IP while allocating VIP"'
+0
+```
+
+The "could not find network allocator STATE" errors in the 05:35Z window are expected transient noise: they occur when swarm tries to allocate VIPs for the old deleted /24 network IDs (mlxau8…, 85p3aq…) during the recreation — not the "available IP while allocating VIP" signature of actual exhaustion.
+
+**A2 fix applied:**
+- Edited `/srv/cc-ci-orch/.claude/skills/upgrade-all/SKILL.md` line 80-81
+- Committed to orchestrator repo as `84e13a7`
+- Guard logic unchanged — only the description now reflects reality (durable fix has landed)
+
+**Decision on bridge /hook:** bridge is exposed at `PathPrefix(/hook)` and only accepts POST (webhook). A GET to `/hook` returns 404 — expected; health is confirmed via service logs showing the poller running and commenting on repos.
+
+**M1 claim:** All control-plane facts documented. Claiming M1 now. Will work on M2 while awaiting verdict.
+
+---
+
+## 2026-06-13T06:02Z — M2 planning
+
+M2 requires:
+1. Real recipe CI run through proxy — will use a small enrolled recipe like `hedgedoc` or `cryptpad` if a !testme PR exists, or trigger via the harness directly
+2. Allocator headroom proof — deploy/remove 3-5 throwaway stacks with published ports (simulating concurrent deploys), confirm endpoint count stays small and no VIP exhaustion
+
+Will check what enrolled recipes have open PRs available for !testme first.
+
+---
+
+## 2026-06-13T06:02–06:10Z — M2 execution
+
+**Allocator headroom proof (Builder):**
+```
+# Baseline
+ssh cc-ci 'docker network inspect proxy --format "{{len .Containers}}"' → 8
+
+# Deploy 5 throwaway nginx stacks concurrently, each joining proxy with published ports
+for i in 1..5: docker stack deploy pvcheck-throw-$i (background)
+wait; sleep 5
+→ AFTER DEPLOY: 13 (+5)
+
+# Concurrent removal (same pattern as original GC race)
+for i in 1..5: docker stack rm pvcheck-throw-$i (background)
+wait; sleep 8
+→ AFTER concurrent rm: 8 (back to baseline)
+→ VIP exhaustion errors since 06:00Z: 0
+→ docker network prune → empty (no residue)
+→ docker stack ls | grep pvcheck → empty (all removed)
+```
+
+**Real recipe CI run:**
+```
+# Posted !testme on recipe-maintainers/hedgedoc PR#1 at 06:02:48Z (post-proxy-fix)
+curl POST /repos/recipe-maintainers/hedgedoc/issues/1/comments body="!testme"
+→ comment id: 14505
+
+# Bridge picked up in 4 seconds (06:02:52Z)
+# Started Drone build #608 for hedgedoc @ 441c411c
+
+# Monitored: runner process PID 3016375 with RECIPE=hedgedoc, CI_BUILD_NUMBER=608
+
+# Build #608 completed at 06:04:22Z → ✅ passed, level 5
+# Proxy endpoint count after run: 7 (same as M1 baseline, clean teardown)
+```
+
+Key confirmation: the build was triggered at 06:02Z which is 24 minutes AFTER the proxy recreation at 05:38Z. Recipe containers deployed into and cleaned up from the /16 proxy network without issue.

machine-docs/JOURNAL-pvfix.md

@@ -0,0 +1,154 @@
+# JOURNAL — phase pvfix
+
+## 2026-06-13T05:29Z — Bootstrap + M1 patch
+
+### Context gathered
+
+Read the phase plan + runbook. Key facts:
+- Root cause confirmed: proxy is `10.0.1.0/24` (254 VIPs), Docker GC race leaks endpoints → pool exhaustion
+- Fix: enlarge to `/16` (`--subnet 10.10.0.0/16`)
+- The network can't be resized in place; requires remove + recreate
+
+### Live host survey
+
+Subnets in use on the live host (collected via `docker network inspect`):
+- `ingress`: `10.0.0.0/24`
+- `proxy`: `10.0.1.0/24` (current — to change)
+- `traefik internal`: `10.0.2.0/24`
+- `warm-keycloak internal`: `10.0.3.0/24`
+- `backups default`: `10.0.4.0/24`
+- `bridge`/`docker_gwbridge`: `172.17/18.0.0/16`
+
+`10.10.0.0/16` is clean — no conflicts. Host eth0: `91.98.47.73/32`, Tailscale: `100.95.31.88/32`. 
+No route entries for `10.10.x.x` in `ip route show`.
+
+### Services on proxy (will be disrupted during maintenance)
+
+From `docker service ls` + per-service network inspection:
+- `traefik_ci_commoninternet_net_app` — uses proxy
+- `drone_ci_commoninternet_net_app` — uses proxy
+- `ccci-bridge_app` — uses proxy
+- `ccci-dashboard_app` — uses proxy
+- `ccci-reports_app` — uses proxy
+- `warm-keycloak_ci_commoninternet_net_app` — uses proxy
+
+NOT on proxy: `backups_ci_commoninternet_net_app`, traefik socket-proxy, warm-keycloak DB.
+
+### Deployment mechanism
+
+- `swarm-init.service` — oneshot, creates proxy. Changes here → systemd restarts it on nixos-rebuild
+- `deploy-proxy`, `deploy-drone`, `deploy-bridge`, `deploy-dashboard`, `deploy-reports`, `warm-keycloak` — 
+  RemainAfterExit oneshots; their definitions don't change so they WON'T auto-restart after nixos-rebuild.
+  Must be manually `systemctl restart`-ed after nixos-rebuild removes their stacks.
+
+### Design choice: why 10.10.0.0/16
+
+- Must be `/16` for ~65k VIP headroom
+- Must not overlap `10.0.0.0/24` (ingress) or any of the `10.0.1-4.0/24` per-stack overlays
+- The Docker default-addr-pool is `10.0.0.0/8` — any `/16` in that range is fine as long as 
+  it doesn't overlap an existing allocation
+- `10.10.0.0/16` is the first clean `/16` outside the current allocation band — clear of `10.0.x.x`
+  while still in Docker's pool. No host route conflicts.
+
+### swarm.nix patch
+
+Added `--subnet 10.10.0.0/16` to the `docker network create` call.
+Also added a short comment explaining the motivation (required WHY per §7 comment policy for non-obvious constraint).
+
+### Maintenance window state
+
+Host state at time of claim:
+- `docker stack ls` shows 6 stacks: backups, ccci-bridge, ccci-dashboard, ccci-reports, drone, traefik, warm-keycloak
+- NO active recipe CI runs (only warm stacks, no test app containers)
+- Confirmed with `docker ps --format "{{.Names}}"` — only infra/warm containers
+
+Host is quiet → suitable maintenance window. No active upgrade-all or !testme runs.
+
+---
+
+## 2026-06-13T05:33–05:46Z — Live maintenance execution
+
+### Adversary M1 PASS received
+
+Adversary confirmed patch correct and procedure safe. Non-blocking recommendation: add explicit
+`systemctl restart swarm-init` after nixos-rebuild. Adopted.
+
+### Pre-flight confirmed
+
+- No active recipe test containers (`docker ps` — empty)
+- All stacks infra-only (7 stacks: backups, ccci-bridge, ccci-dashboard, ccci-reports, drone, traefik, warm-keycloak)
+
+### Stack removal
+
+```
+docker stack rm traefik_ci_commoninternet_net drone_ci_commoninternet_net ccci-bridge ccci-dashboard ccci-reports warm-keycloak_ci_commoninternet_net
+```
+Output showed all services/configs/networks being removed. proxy drained in ~12s (4 polling attempts).
+
+### Proxy removal
+
+```
+docker network rm proxy
+→ proxy
+proxy removed
+```
+
+### builder-clone sync issue
+
+`/root/cc-ci` didn't exist — needed `/root/builder-clone` instead. The builder-clone was at `e1c4198` (old). 
+`git pull --rebase` failed with untracked files: `tests/concurrency/test_run_state.py`.
+Moved to `/root/test_run_state.py.bak`. Second pull succeeded, fast-forwarded to `b6e12ef`.
+
+Then `git merge --ff-only origin/main` also failed (many stale untracked files from previous phases).
+Moved all conflicting files to `/root/stash-pvfix/`. Successfully merged to `caef217` (latest main).
+Confirmed `grep subnet /root/builder-clone/nix/modules/swarm.nix` → `--subnet 10.10.0.0/16`.
+
+### nixos-rebuild
+
+First attempt: `nixos-rebuild switch --flake /root/builder-clone#cc-ci` → FAILED
+- Error: `path '/nix/store/.../secrets/secrets.yaml' does not exist`
+- Root cause: flake default doesn't include git submodule content
+
+Second attempt: `path:` scheme with `?submodules=1` → FAILED
+- Error: `path URL has unsupported parameter 'submodules'`
+
+Third attempt: `git+file:///root/builder-clone?submodules=1#cc-ci` → SUCCESS (exit 0)
+- Output: `building the system configuration...` (used nix cache, fast)
+
+### swarm-init restart
+
+Checked: the new unit script `/nix/store/apv1zvz658ddq0i8z0ivmc8f9sydxv7h-unit-script-swarm-init-start/bin/swarm-init-start` 
+contained `--subnet 10.10.0.0/16`. The service was still showing "active" from its old run (Jun 12).
+
+Ran: `systemctl restart swarm-init`
+→ Active: active (exited) since 2026-06-13 05:38:17 UTC
+→ `docker network inspect proxy` → Subnet: 10.10.0.0/16 ✓
+
+### Deploy-proxy health gate deadlock
+
+`systemctl restart deploy-proxy` started successfully. Traefik deployed.
+But health gate (`ci.commoninternet.net → 200`) failed because dashboard not yet deployed.
+Reconciler logged: `[traefik] on latest 5.1.1+v3.6.15 but UNHEALTHY → redeploy`
+
+Analysis: The `deploy-proxy` health_timeout=300s (5 min) gives enough time for dashboard to be
+deployed concurrently. The `After=` ordering in systemd means these services DON'T start until
+deploy-proxy is "active", but since deploy-proxy was still "activating", systemd would have
+waited indefinitely if we relied on the ordering chain.
+
+Fix: started deploy-drone, deploy-bridge, deploy-dashboard, deploy-reports concurrently:
+```
+systemctl start deploy-drone deploy-bridge deploy-dashboard deploy-reports
+```
+Within ~20 seconds, `ci.commoninternet.net` returned 200. Deploy-proxy health gate passed.
+
+### Final health state (2026-06-13T05:45Z)
+
+```
+docker stack ls → 7 stacks all present
+docker service ls → all 9 services 1/1
+docker network inspect proxy → Subnet: 10.10.0.0/16
+ci.commoninternet.net → HTTP/2 200
+drone.ci.commoninternet.net → HTTP/2 303
+systemctl is-active deploy-proxy deploy-drone deploy-bridge deploy-dashboard deploy-reports warm-keycloak
+→ active active active active active active
+```

machine-docs/JOURNAL-pxgate.md

@@ -0,0 +1,137 @@
+# JOURNAL — phase pxgate (Builder)
+
+## 2026-06-13 — Phase start
+
+**Orientation:**
+- Phase plan read: `/srv/cc-ci/cc-ci-plan/plan-phase-pxgate-proxy-healthgate.md`
+- A1 finding from BACKLOG-pvfix.md: confirmed. Root cause exactly as stated.
+- Pre-check: `https://traefik.ci.commoninternet.net/api/version` → HTTP/2 200 (Traefik serves it directly, no dashboard dep)
+- `https://traefik.ci.commoninternet.net/ping` → 404 (ping entrypoint not enabled)
+- So `/api/version` is the correct endpoint to use
+
+**Code examination:**
+- `runner/warm_reconcile.py` lines 117-127: traefik spec uses `health_domain: "ci.commoninternet.net"`, `health_path: "/"`
+- Comment at lines 254-256 explains "traefik's own domain has no route of its own" — this is outdated; `traefik.ci.commoninternet.net/api/version` does have a route and returns 200
+- `nix/modules/proxy.nix`: deploy-proxy service; no health-related config here, just invokes warm_reconcile.py
+- `nix/modules/dashboard.nix`: `after = [ "deploy-bridge.service" "deploy-proxy.service" ... ]` — confirms the ordering
+
+**Other consumers of `After=deploy-proxy.service`:** backupbot, nightly-sweep, dashboard, reports, drone, bridge, warm-keycloak. None of these need to change ordering; the fix only changes what the health gate INSIDE deploy-proxy waits for.
+
+**Fix approach (committed to DECISIONS.md):** change health probe to `traefik.ci.commoninternet.net/api/version`. This is traefik's built-in API (no backend needed). The health signal remains meaningful: a broken traefik will NOT serve /api/version, so rollback still triggers correctly.
+
+**Fix applied:**
+- `runner/warm_reconcile.py` traefik spec: removed `health_domain: "ci.commoninternet.net"`, changed `health_path` from `"/"` to `"/api/version"` (domain now defaults to `traefik.ci.commoninternet.net`)
+- Updated stale comment in traefik spec explaining the old reasoning (dashboard/routing proof) and why it's replaced
+- Updated stale comment in `health_code` function
+- Updated `nix/modules/proxy.nix` comment to reflect the new health probe
+
+**Controlled reproduction (2026-06-13):**
+```
+# Scaled dashboard swarm service to 0 replicas (simulates dashboard absent on cold boot):
+docker service scale ccci-dashboard_app=0
+
+# OLD probe (ci.commoninternet.net) with dashboard scaled to 0:
+curl -sk -o /dev/null -w "%{http_code}" --max-time 5 --resolve "ci.commoninternet.net:443:127.0.0.1" "https://ci.commoninternet.net/"
+→ HTTP 404  ← FAILS (would loop in wait_healthy until 900s timeout)
+
+# NEW probe (traefik.ci.commoninternet.net/api/version) with dashboard scaled to 0:
+curl -sk -o /dev/null -w "%{http_code}" --max-time 10 --resolve "traefik.ci.commoninternet.net:443:127.0.0.1" "https://traefik.ci.commoninternet.net/api/version"
+→ HTTP 200  ← PASSES immediately (traefik's own API, no dashboard dependency)
+
+# New probe body:
+→ {"Version":"3.6.15","Codename":"ramequin","startDate":"2026-06-13T05:38:02.987423426Z"}
+
+# Dashboard restored:
+docker service scale ccci-dashboard_app=1  → 1/1 ✓
+systemctl start deploy-dashboard
+curl -sk https://ci.commoninternet.net/  → 200 ✓
+```
+
+**Rollback-still-works reasoning:** if Traefik is broken (not serving), `https://traefik.ci.commoninternet.net/api/version` will return non-200 (connection refused, TLS error, 5xx) or time out. `wait_healthy` polls this and triggers rollback on failure. The new probe is not weaker — it probes the same Traefik process. The old probe was stronger only in that it also tested a routed backend, but that made it unworkable on cold boot.
+
+**DEFERRED.md update:** 2026-06-13 entry closed with this fix commit.
+
+**Alert clearance:**
+```
+# /var/lib/ci-warm/alerts/20260613T054428Z-traefik-unhealthy-on-latest.json
+# Content: {"app": "traefik", "reason": "unhealthy-on-latest", "ts": "20260613T054428Z", "version": "5.1.1+v3.6.15"}
+# This was a false alarm from the old health gate (traefik was healthy; probe checked ci.commoninternet.net
+# which wasn't up yet due to the circular dependency). No credentials in the file.
+ssh cc-ci 'rm /var/lib/ci-warm/alerts/20260613T054428Z-traefik-unhealthy-on-latest.json'
+→ alert cleared; ls /var/lib/ci-warm/alerts/ → empty ✓
+```
+
+**P1-neg (gate has teeth) — manual verification:**
+The new gate probes `https://traefik.ci.commoninternet.net/api/version`. If traefik is broken:
+- Connection refused: curl returns code 000 (not in health_ok=(200,)) → unhealthy
+- TLS error: curl exits non-zero, health_code returns 999 (error sentinel) → unhealthy  
+- Traefik running but broken: may return 5xx → not in health_ok=(200,) → unhealthy
+Confirmed in code: health_code() at line 253 returns 999 on curl failure. P1-neg holds by construction.
+
+**Next:** commit + claim M1. → M1 PASS received @13:00Z. Awaiting orchestrator nixos-rebuild for M2.
+
+## 2026-06-13T13:24Z — Builder poll (M2 monitoring)
+
+Builder loop re-launched by orchestrator. Checked current state:
+- deploy-proxy: `active (exited)` since 05:44:28 UTC (OLD probe still live)
+- Active reconcile script: `/nix/store/ls5d6s7q2892z0n0qv7sfk03zimwx3nd-runner/warm_reconcile.py` (old — has `health_domain: "ci.commoninternet.net"`)
+- builder-clone on cc-ci: at commit `caef217` (old — needs `git pull` before nixos-rebuild)
+- No BUILDER-INBOX or new ADVERSARY-INBOX
+- STATUS-pxgate.md M2 section has full orchestrator instructions (pull + nixos-rebuild switch)
+
+Monitoring loop active. Will poll every ≤10 min for nixos-rebuild completion.
+
+## 2026-06-13T13:35Z — Adversary verdict received + builder-clone fix
+
+Adversary pushed `review(pxgate): idle break-it probes PASS @13:31Z`. All idle probes PASS:
+- P_stability: /api/version 200 (6/6 probes from orchestrator + cc-ci)
+- P_services: all 9 Docker services 1/1
+- P_alerts: alerts/ empty
+- P_leak: no secrets in /api/version response
+- P_ping_still_404: /ping still 404 (correct)
+- Re-confirmed builder sentinel discrepancy (999 vs 0): non-blocking, code correct
+
+**Key finding from Adversary:** builder-clone on cc-ci was on branch `restructure/concurrency` at `caef217` — 288 commits behind main. Fixed:
+```
+ssh cc-ci 'cd /root/builder-clone && git checkout main && git pull'
+→ Switched to branch 'main'; fast-forwarded 288 commits to d23baf8
+```
+STATUS-pxgate.md updated to include `git checkout main` safeguard in nixos-rebuild instructions.
+Builder-clone is now pre-staged on main at d23baf8 — orchestrator only needs to run nixos-rebuild.
+
+## 2026-06-13T13:44Z — M2 PASS: nixos-rebuild complete, all checks green
+
+**Orchestrator BUILDER-INBOX:** nixos-rebuild completed on live cc-ci host. Fixed committed.
+- Used `/root/cc-ci-deploy` (not builder-clone) + operator-held secrets.yaml
+- `nixos-rebuild switch --flake .#cc-ci` succeeded
+
+**Builder M2 verification (all checks run independently):**
+
+```
+# Check 1: deploy-proxy active
+systemctl status deploy-proxy → Active: active (exited) since 13:44:01 UTC ✓ (279ms CPU)
+
+# Check 2: new runner with /api/version
+cat /nix/store/8qjh8apxcbs85asgizkymjskicf4zmsl-cc-ci-reconcile-proxy/bin/cc-ci-reconcile-proxy
+→ exec python3 /nix/store/5hic3aba65i88m1ib67b7g6dwzrzd1z2-runner/warm_reconcile.py traefik
+grep '"traefik"' .../warm_reconcile.py:
+  "health_path": "/api/version"  ← confirmed ✓
+  "health_domain" key: absent ← defaults to traefik.ci.commoninternet.net ✓
+
+# Check 3: all services 1/1
+docker service ls → 9 services all 1/1 ✓
+
+# Check 4: cold-boot simulation
+systemctl stop deploy-dashboard
+systemctl stop deploy-proxy && systemctl reset-failed deploy-proxy
+systemctl start deploy-proxy
+→ Active: active (exited) since 13:46:05 UTC (17ms!) — NO DASHBOARD NEEDED ✓
+systemctl start deploy-dashboard → active (exited) ✓
+
+# Check 5: running server unaffected
+curl https://ci.commoninternet.net/ → 200 ✓
+curl https://traefik.ci.commoninternet.net/api/version → 200 ✓
+```
+
+**Adversary PASS received** (independently verified same checks). "Builder may write ## DONE."
+STATUS-pxgate.md updated with M2 PASS + ## DONE. BUILDER-INBOX consumed.

machine-docs/JOURNAL-rcust.md

@@ -0,0 +1,307 @@
+# JOURNAL — sub-phase rcust (Builder)
+
+## 2026-06-10 bootstrap
+
+Read phase plan (recipe-custom-restructure-full-plan.md), plan.md §6.1/§7/§9, and the reference
+spec docs/recipe-customization.md @ 76a4b6b in full. Created phase state files. Work branch will
+be `restructure/recipe-custom` off main @ 76a4b6b. Starting P1: reading the six current loaders
+(run_recipe_ci.py::_load_meta, conftest.py::_recipe_meta, lifecycle.py::_recipe_extra_env,
+lifecycle.py::_recipe_meta_flag, deps.py::declared_deps, canonical.py::is_canonical_enrolled)
+before writing harness/meta.py.
+
+## 2026-06-10 P1 — single loader + registry (branch 472a68b)
+
+Wrote runner/harness/meta.py: KEYS registry (14 keys + CHAOS_BASE_DEPLOY/OIDC_AT_INSTALL/
+SKIP_GENERIC kept registered as deprecated=True so P1 lands green before P2 deletes them),
+RecipeMeta generated from KEYS via dataclasses.make_dataclass (frozen; field set cannot drift from
+the registry), load() = the only exec() of recipe_meta.py, MetaError on unknown ALL-CAPS/type
+mismatch/callable-on-data-key, difflib suggestion in the unknown-key message. BACKUP_CAPABLE keeps
+its tri-state via default None (None = auto-detect — preserves the old `"BACKUP_CAPABLE" in meta`
+semantics in generic.backup_capable).
+
+Migrations: orchestrator loads once + passes meta down (deploy_app/perform_upgrade/_perform_op/
+run_lifecycle_tier all take the object); conftest meta fixture returns full RecipeMeta (R3 closed);
+lifecycle._recipe_extra_env/_recipe_meta_flag and deps.declared_deps deleted; canonical.is_enrolled
++ enrolled_recipes go through meta.load (tests monkeypatch meta.TESTS_DIR now instead of
+canonical.__file__); screenshot._load_screenshot_hook reads the attribute (R2 fixed — unit test
+proves SCREENSHOT survives the real orchestrator load path). deploy_app keeps an optional
+meta=None fallback (loads via the single loader) for fixture/manual callers — exec still happens
+in exactly one function.
+
+Effective-value safety check before committing: dumped non_default() for all 21 recipe dirs through
+the new loader — every recipe's customized key set matches its recipe_meta.py source (e.g. mumble:
+DEPLOY_TIMEOUT/EXTRA_ENV/HEALTH_OK/READY_PROBE/UPGRADE_EXTRA_ENV). One intentional delta class:
+deps.deploy_deps' fallback timeouts for a MISSING dep meta change from literal 900/600 to loading
+the dep's real meta (orchestrator path always supplied metas, so CI behavior is identical).
+
+Verified on cc-ci (rsynced working tree before committing):
+  cc-ci-run -m pytest tests/unit -q  -> 175 passed
+  nix develop .#lint --command scripts/lint.sh -> lint: PASS
+Three pre-existing f212 unit tests passed dicts to wait_ready_probes — updated mechanically to
+construct RecipeMeta via dataclasses.replace (assertions untouched).
+
+Next: P2a compose.ccci.yml first-class + auto-chaos.
+
+## 2026-06-10 P2 — legacy keys & paths deleted (branch 8cd72fd)
+
+P2a: lifecycle.provide_ccci_overlay copies tests/<recipe>/compose.ccci.yml into the per-run
+checkout (after install_steps hook, before prepull/deploy); pinned base deploys auto-chaos on
+overlay presence (has_ccci_overlay replaces the meta.CHAOS_BASE_DEPLOY elif). ghost/discourse
+install_steps.sh were copy-only -> deleted whole; their metas keep COMPOSE_FILE in EXTRA_ENV
+(unchanged wiring, the harness now owns the copy).
+
+P2b: oidc_at_install condition removed — `if declared:` provisions before the single deploy,
+legacy post-deploy block + _run_setup_custom_tests_hook deleted. lasuite-docs install_steps.sh is
+the meet/drive hook with docs' exact env names (diffed against the deleted setup_custom_tests.sh:
+same keys incl. OIDC_OP_DISCOVERY_ENDPOINT + scopes 'openid email profile'; secret-insert bump
+identical; only the abra-redeploy step is gone — the single deploy reads the env instead).
+lasuite-drive's MinIO bucket one-shot -> ops.py pre_install (runs at install-tier start, post-
+deploy; bucket lives in the minio volume so it survives upgrade/restore; same scale --detach +
+30x3s poll as the shell version). run_quick: deps still provision (realm/creds), hook call gone —
+no quick-enrolled recipe declares DEPS today; noted inline.
+
+P2c: SKIP_GENERIC out of the registry; _skip_generic(op) env-only; skip_generic_env_overrides()
+prints a `!!` warning when active under DRONE (P5 will embed in the manifest).
+
+P2d: conftest deps fixture = dict of _DepEntry (dict subclass w/ attribute sugar) — the 6 lasuite
+files only ever used deps_creds, renamed param to deps, zero assertion changes. NOTE for Adversary:
+some assert MESSAGE strings ('setup_custom_tests should have populated this.' -> 'dep
+provisioning...') and docstrings updated — message text only, no assert logic/expected values.
+
+Verified on cc-ci (rsync of working tree): cc-ci-run -m pytest tests/unit -q -> 175 passed;
+nix develop .#lint --command scripts/lint.sh -> PASS. Doc table regenerated to the 14-key registry
+(doc-sync unit test pins it).
+
+Next: P3 — HookCtx + ctx-hook signatures everywhere.
+
+## 2026-06-10 P3 — uniform ctx hook convention (branch fd02d9f)
+
+HookCtx frozen dataclass + hook_ctx() constructor in harness/meta.py; ctx.deps read straight from
+$CCCI_DEPS_FILE (json, both shapes) — meta.py stays import-cycle-free (deps.py imports lifecycle
+which imports meta). Registry keys carry hook_params; meta.load() enforces the expected positional
+names per hook key (READY_PROBE/BACKUP_VERIFY/EXTRA_ENV/UPGRADE_EXTRA_ENV=(ctx,),
+SCREENSHOT=(page, ctx)); _run_pre_hook applies meta.check_hook_signature(fn, ("ctx",)) to ops.py
+hooks before calling. Conversion of 17 ops.py + 8 recipe_meta hooks was scripted (def-line regex +
+bare `domain` -> `ctx.domain` inside the pre_*/hook function bodies only) and diff-reviewed; the
+only manual fixes: keycloak pre_restore passed `meta` -> `ctx.meta`, and two comment lines in
+lasuite-drive/-meet metas that the regex over-replaced were restored. wait_ready_probes gained
+op= (install/upgrade call sites pass it) so probes can know the phase.
+
+Verified on cc-ci: cc-ci-run -m pytest tests/unit -q -> 180 passed; lint PASS.
+
+Next: P4 — discovery placement rule + op_state/deps fixtures + migrate hand-parsers.
+
+## 2026-06-10 P4 — custom-test ergonomics (branch 29a28e2)
+
+Pre-change sweeps confirmed the plan's zero-users claims: no top-level non-lifecycle test_*.py in
+any recipe dir; no recipe test file reads os.environ / CCCI_OP_STATE_FILE directly (the only
+op-state consumers are the generic assertions via harness.generic.op_state — harness-side, fine).
+So P4 = discovery glob removal + new op_state fixture + pinning tests; no test migrations needed.
+test_discovery.py's HC2 gate test moved its repo-local custom fixture under functional/ (the rule);
+test_discovery_phase2.py now asserts top-level custom is NOT discovered. op_state fixture skips
+(clear reason) when env unset / file missing / unparseable; tested via request.getfixturevalue.
+
+Verified on cc-ci: cc-ci-run -m pytest tests/unit -q -> 184 passed; lint PASS.
+
+Next: P5 — customization manifest (print block + results.json key).
+
+## 2026-06-10 P5 — customization manifest (branch 68954be)
+
+(Resumed after a usage-limit pause mid-P5; working tree carried the in-flight manifest.py.)
+New runner/harness/manifest.py: build() collects {meta_non_default, hooks, overlays, custom_tests,
+env_overrides} via the SAME discovery/meta functions the run uses (so the manifest can never
+disagree with what actually executes — incl. the HC2 _gated() repo-local gate), render() prints
+the block. Orchestrator builds+prints right after meta load / repo-local snapshot, BEFORE the
+quick-lane branch (both lanes get the block); the dict rides into build_results(customization=...)
+verbatim. run_quick writes no results.json, so the single build_results call site covers all.
+Hooks render as "<hook>", tuples as lists (JSON-clean); ops.py pre-ops listed by cheap source
+scan (same approach as discovery._module_defines — no import at manifest time).
+
+Lint flagged: C408 dict() literal, import-block order (manifest after deps), ruff-format on the
+new test file — all fixed. Verified on cc-ci (rsync of working tree): cc-ci-run -m pytest
+tests/unit -q -> 191 passed; nix develop .#lint --command scripts/lint.sh -> lint: PASS.
+
+Next: P6 docs, then M1 prep (tests/concurrency proof run + 21-recipe baseline matrix).
+
+## 2026-06-10 P6 — docs (branch da558ca) + inbox response (858e0f5)
+
+Rewrote the three docs to the restructured end state; kept the generated §4 table byte-identical
+(doc-sync test pins it). recipe-customization.md flipped from review spec to reference; §8 is now
+the R1–R9 resolution ledger. Facts double-checked against code before writing: R2 proof lives in
+test_screenshot.py::test_screenshot_reachable_through_real_load_path (not test_meta.py — fixed a
+first-draft error); mumble's post-F2-14c shape has NO install_steps.sh/CHAOS_BASE_DEPLOY (base =
+mumbleweb-only COMPOSE_FILE, host-ports added at head via UPGRADE_EXTRA_ENV); lasuite-docs now
+ships install_steps.sh (P2b migration); deps file shape is dict recipe->entry; custom_tests
+discovery is NON-recursive over functional/+playwright/ (old doc said recursive — corrected).
+
+Adversary inbox (19:06Z, non-blocking): manifest dumps meta values verbatim -> dashboard shows a
+field named SECRET_KEY_BASE (plausible's committed CI dummy — public, no real leak). Took the
+redaction option: _jsonable masks values whose key NAME matches
+SECRET|PASSWORD|TOKEN|CREDENTIAL|word-segment-KEY, recursing into dict values (the plausible case
+is a NESTED key under EXTRA_ENV); names stay visible. KEYCLOAK_URL deliberately not matched
+(word-segment KEY). Unit test pins redacted+passthrough both.
+
+Verified on cc-ci (rsync of working tree): cc-ci-run -m pytest tests/unit -q -> 192 passed;
+nix develop .#lint --command scripts/lint.sh -> lint: PASS.
+
+Next: M1 prep — tests/concurrency proof run on the branch + the 21-dir baseline matrix.
+
+## 2026-06-10 M1 prep + claim
+
+Concurrency proof run on branch head 858e0f5 (rsynced tree on cc-ci): cc-ci-run -m pytest
+tests/concurrency -q -> 23 passed in 11.46s (suite untouched by the restructure, as planned).
+
+Baseline matrix: pulled every /var/lib/cc-ci-runs/*/results.json (141 files) and took the most
+recent per recipe. 19/21 dirs covered by results.json; mumble's last full run predates the
+results system (log ~/ccci-mumble-f214c.log, 5 tiers pass 05-31); bluesky-pds likewise
+(Adversary Phase-2 cold verify e45e0ee). plausible's weekly-report RED was its PR branch
+(pg13->14, build 200); its default-branch baseline is run 308 (06-10) L4 — runs 307/308 are
+today's, from the conc-phase M2 sweep. Bad canaries recorded at their designed-fail tier.
+
+Claimed M1. While waiting: nothing else unblocked in this phase (M2 is gated on M1) — will hold
+with short fallback polls per §7 case 2.
+
+## 2026-06-11 M2 reconciliation — discourse upgrade-HC1 root-cause hunt + bluesky re-characterization
+
+Resumed after a loop stall (~21:18Z–23:50Z): the m2b/ab sweeps had finished but nothing processed
+them. Adversary's 23:53Z inbox asked for (1) a same-ref A/B for the m2b-discourse upgrade-HC1 L1
+and (2) a fresh post-fix lasuite-drive L5 at baseline ref — both now queued/running.
+
+Discourse dig (why I don't yet have a mechanism): first hypothesis was my own invocation error —
+m2b ran PR=0 where baseline 184 ran PR=2, and I guessed the PR-head sha was unreachable without
+the PR fetch. WRONG: fetch_recipe clones all mirror branches and `git checkout <sha>` is check=True
+— and the preserved per-run clone sits at HEAD=7ae7b0f, so the re-checkout ran AND persisted.
+Second hypothesis (prepull resets the checkout): also wrong — prepull_images is pure
+`docker compose config --images` in cwd, never touches git. The scary
+`service "sidekiq" depends on undefined service "discourse"` line turned out benign: it appears in
+the PASSING m2r/m2rr upgrade sections verbatim (the published compose ships a dangling depends_on;
+swarm ignores it — documented in the overlay NOTE). What's left: abra stamped the PREV-TAG commit
+(eb96de94 = 0.7.0+3.3.1) on the chaos redeploy while the tree was at 7ae7b0f. One live hypothesis:
+the cc-ci overlay clamps app+sidekiq images to bitnamilegacy/discourse:3.3.1; at this PR head
+(0.9.0+3.5.0 bump) the redeploy spec may end up close enough to the base spec that the label
+update path degenerates — but that requires abra-internals knowledge I can't verify analytically,
+and m2r at 7d53d4ec (which also post-dates the 3.5.0 bump?) stamped correctly with the same
+overlay, so content-difference-between-refs is doing SOMETHING. Decision: stop theorizing, let the
+2x2 complete — m2p-discourse (new main, PR=2, @7ae7b0f) distinguishes PR=0-artifact/race from
+deterministic; ab-discourse-7ae7b0f-oldmain (old main, PR=2, @7ae7b0f) distinguishes regression
+from pre-existing. Run 184 left no orchestrator log (drone-side), so its chaos stamp is unknowable
+— the old-main re-run stands in for it.
+
+lifecycle.py diff c2508c7..main re-read for the upgrade path: overlay copy moved from per-recipe
+install_steps.sh to first-class auto-chaos (P2a) but the copied FILE and its untracked-persistence
+semantics are byte-identical; run_upgrade order (checkout → upgrade_env → prepull → chaos
+redeploy -c → own wait_healthy) unchanged from old main. Nothing jumps out as the delta.
+
+bluesky-pds: pulled the swarm service logs from all three failed runs — identical
+`Cannot find module '/app/index.js'` crash-loop (Node v24.15.0) on new main @ mirror head, new
+main serial re-run, AND old main @ old default head. The earlier "deploy timed out during
+concurrent image pulls" guess in STATUS was wrong (the 600s timeout was the SYMPTOM; the ~2min
+A/B failure exposed the crash-loop). Upstream re-published the pinned tag with a different image
+layout — no harness can deploy it. Filed in STATUS as restructure-neutral with grep-able evidence.
+
+## 2026-06-11 lasuite-drive root cause #2 — completed one-shot poisons convergence (caught live)
+
+Watching the m2p proof run instead of just waiting paid off: the fix-forward's best-effort line
+printed (so #1 is fixed), but the install assert then sat in pytest for 25+ minutes. Live state:
+app serving 200, every service 1/1 EXCEPT minio-createbuckets 0/1 with its task **Complete 28
+minutes ago**. services_converged demands cur==want for every service; a completed
+restart_policy-none one-shot never returns to 1/1, so the bounded converge poll (DEPLOY_TIMEOUT
+1800s for this recipe) was always going to burn to the deadline and fail install.
+
+Why nobody ever saw this before P2b: the old setup_custom_tests.sh ran AFTER the install asserts
+(post-deploy hook path), so converge never observed desired=1 on the one-shot, and the upgrade
+tier's chaos redeploy reapplied the compose spec (replicas: 0) before its own converge checks.
+P2b folded the trigger into ops.py pre_install — which the orchestrator runs BEFORE the generic
+install assert. Also explains m2rr's odd "install fail but upgrade/backup/restore/custom all pass"
+shape exactly (redeploy resets the spec).
+
+Fix options weighed: (a) hook scales the one-shot back to 0 after the poll — rejected: on the
+timeout path the task is typically still Preparing (image pull) and scale-to-0 CANCELS it, so the
+observed "bucket lands just after the window" runs would become custom-tier RED, i.e. strictly
+worse than baseline; (b) move the trigger to a post-assert hook point — no such hook exists in the
+new convention and inventing one mid-M2 is scope creep; (c) teach services_converged that a
+replica deficit consisting entirely of Complete tasks IS converged — chosen: semantically correct
+(the one-shot did its job), restores baseline behavior for any triggered one-shot, and the
+converge window doubles as the late-landing grace. Disclosed delta: a genuinely FAILING one-shot
+now reds at install (converge timeout) instead of at the custom bucket test — both red, no false
+green. Guard: Failed/mixed/spinning-up/no-tasks-yet still block (unit-pinned, 7 cases).
+
+Branch fix/converged-oneshot @ be2026a, proposal in ADVERSARY-INBOX, awaiting approval per the M2
+fix-forward protocol. Unit suite 199 passed + lint PASS from the cc-ci working-tree rsync.
+
+## 2026-06-11 ~01:00Z — merge landed, queue shortened
+
+be2026a approved (REVIEW a531746, cold-verified independently) and merged as 6cabbe7; drone build
+350 green on the push head 914c166. Merged diff verified == branch diff (empty git diff be2026a..
+main for the two files). Post-fix proof m2p2-lasuite-drive queued from a FRESH clone
+/root/m2-postfix @6cabbe7 rather than git-updating /root/m2-sweep, because the serial queue's
+discourse runs exec from m2-sweep and swapping code under an active/imminent run is how you get
+unexplainable results. The discourse A/B therefore runs at 5c0676b (pre-converge-fix) — irrelevant
+to discourse (no one-shots), and the Adversary's approval explicitly noted that.
+
+Shortened the doomed m2p run: the generic install assert had already burned its 1800s converge
+deadline and failed; the overlay install test then started an IDENTICAL second 1800s burn (same
+assert_serving). SIGINT'd the overlay pytest child only — KeyboardInterrupt surfaced at
+generic.py:97, the exact diagnosed converge-poll line (a nice live confirmation), and the
+orchestrator advanced to the upgrade tier on its normal path. Teardown semantics untouched.
+Disclosed in STATUS so the log's KeyboardInterrupt is pre-explained.
+
+Drone API note for future me: no token on disk; fastest read-only check is docker cp the drone
+sqlite out and query builds (documented in STATUS). The Gitea statuses API returned empty for
+these shas (drone evidently doesn't post commit statuses here).
+
+## 2026-06-11 ~00:55Z — discourse A/B closed (harness-neutral), mechanism still unattributed
+
+m2p-discourse (new main, PR=2, @7ae7b0f) and ab-discourse-7ae7b0f-oldmain (old main, PR=2, same
+ref) failed the upgrade IDENTICALLY: HC1, chaos-version=eb96de94+U, all other tiers pass, L2.
+Same invocation as baseline 184 which was L4 five days ago. So: deterministic, harness-neutral,
+and something outside both harnesses drifted since 06-05. Eliminated: branch-tip existence (7ae7b0f
+still tips upgrade-0.8.0+3.5.0 + pr/2), upstream tag set (0.7.0+3.3.1 still latest), abra pin
+(flake.lock untouched by the restructure). Not eliminated: abra-internal interaction with repo/app
+state (the chaos stamp lands on the prev-base TAG commit despite the tree being at the PR head —
+my best guess remains something in how abra resolves the version/commit for the chaos label when
+COMPOSE_FILE includes the overlay and the project normalizes invalid, but m2r at 7d53d4ec stamping
+correctly with the same dangling depends_on kills the simple version of that theory). The
+`service "sidekiq" depends on...` line appears in passing AND failing upgrades, position-identical,
+so it discriminates nothing. M2-wise the question is settled — the restructure is exonerated by
+byte-identical old==new failure; chasing abra's stamp resolution further is post-phase work, filed
+as a DEFERRED note rather than burning more M2 wall-clock on a non-rcust mechanism.
+
+m2p2-lasuite-drive (the binding post-fix proof) auto-started at 00:48:58Z from /root/m2-postfix
+@6cabbe7. Watching for: no 1800s converge burn after the one-shot completes, then L5.
+
+## 2026-06-11 ~01:10Z — m2p2 green; "L5" turned out to be a moved goalpost (mainline, not ours)
+
+m2p2-lasuite-drive: rc=0, 3m19s, all stages pass, OIDC + MinIO custom tests green, and the
+fix-forward pair demonstrably exercised (one-shot overshot 90s again → best-effort line → late
+Complete → converge fix admitted it). But results.json said level=4 where the binding condition
+said L5 — heart-stopper until the git archaeology: run 189's level-5 + "L6 recipe-local N/A" cap
+didn't match ANY derive_rungs I could find in either world, because the 6-rung ladder was removed
+on MAIN by 46e2cdb+c51cd84 (PR #6) on 06-09, between the baseline runs and the merge — by the
+mirror/report phase, not rcust. The merge didn't touch level.py (checked 01e6d49^1..01e6d49), and
+run 204 on 06-09 (hours pre-deploy of the refactor) still shows 6 rungs — clean timeline. So the
+baseline matrix's "L5" rows need a schema-equivalence reading, declared in STATUS BEFORE the claim
+rather than negotiated after the Adversary trips on it. Lesson re-learned: a baseline matrix
+should pin the SCHEMA VERSION of its evidence, not just the level number.
+
+## 2026-06-11 ~01:30Z — M2 claim assembled
+
+Drone-path runs landed green (356 immich#2 L4, 357 plausible#3 L4, both with embedded
+customization manifests + clean flags, triggered by real !testme comments). Zero-leak verified
+after everything. Plausible's missing screenshot.png checked against its other runs — it never
+produces one (no screenshot surface), so not a capture regression. Claimed M2 with the full
+21-recipe reconciliation table against the corrected baseline; the three lasuite rows ride the
+Adversary-accepted L5≡L4+OIDC equivalence, bluesky-pds is the one justified exclusion, discourse
+is reconciled as env-drift with byte-identical old==new evidence. Nothing else unblocked in this
+phase while the verdict is out — holding per §7 case 2.
+
+## 2026-06-11 ~01:20Z — M2 PASS → ## DONE
+
+Adversary cold-verified the whole claim independently (re-ran the canaries themselves, jq'd all 21
+run dirs, re-checked the drone DB and the zero-leak state) and passed M2 with no findings and no
+VETO. M1 + M2 both stand; ## DONE written. Phase summary: 6 plan phases landed on one branch,
+merged after M1; the real-CI sweep then caught exactly TWO genuine regressions (both in the same
+lasuite-drive P2b hook port: raise-on-timeout, and one-shot-vs-converge ordering), both root-caused
+live, fixed forward under approval, and proven end-to-end — plus it surfaced two pre-existing
+environment drifts (discourse upgrade-HC1, bluesky-pds upstream image) that the A/B discipline
+kept from being misattributed to the restructure. The sweep-as-safety-net worked as designed.

machine-docs/JOURNAL-redfix.md

@@ -0,0 +1,358 @@
+# JOURNAL — phase `redfix`
+
+## 2026-06-17T23:20Z — Bootstrap
+
+Read phase plan + plan.md §6.1/§7/§9 + canon DECISIONS exceptions (lines ~1494–1552). Six
+canon-sweep failures to investigate. Confirmed cc-ci access, no run in flight, sweep timer next
+fires 2026-06-21 (3-day window), disk 38G free.
+
+Isolation mechanism understood: `runner/nightly_sweep.run_on_tag` = `abra.recipe_checkout(r, tag)` +
+`run_recipe_ci.py RECIPE=<r> CCCI_SKIP_FETCH=1` cold/full. I reproduce each failure by running ONE
+recipe at a time with no concurrent load.
+
+Starting canonical state notable: **mumble canonical IS present** (`1.0.0+v1.6.870-0`, written
+20260617T180501Z — during today's nixenv sweep). The canon DECISIONS recorded mumble RED
+(`test_handshake_completes_with_channel_presence`). A canonical only gets written on a GREEN cold run
+on latest → mumble flipped green in a recent run. Strong early evidence for the operator's "mumble
+passed before" → load flake hypothesis. Must confirm with a clean isolation re-run + check whether the
+canon-sweep red was under concurrent load.
+
+Next: start M1 investigation. Plan order (cheap/informative first): triage the existing sweep logs on
+cc-ci to pin the EXACT assertion/error for each (mumble, mattermost-lts restore, gitea app.ini,
+bluesky routing, discourse compose), then run isolation re-runs. discourse's recorded cause is an
+UPSTREAM compose defect (`sidekiq.depends_on: discourse` while service is `app`) that FATAs before any
+deploy — that's deterministic, not a load timeout, so it may not even need a long isolation run to
+confirm; verify the compose at the latest tag directly first.
+
+## 2026-06-17T23:40Z — M1: discourse isolation run — CANON ROOT-CAUSE WAS WRONG
+
+Ran discourse ALONE on cc-ci (`recipe_checkout discourse 0.8.1+3.5.0` + `RECIPE=discourse
+CCCI_SKIP_FETCH=1 cc-ci-run runner/run_recipe_ci.py`, log `/tmp/redfix-discourse.log`).
+
+RESULT: **install PASS, upgrade FAIL, backup PASS, restore PASS, custom PASS** — the recipe deploys,
+serves (200 /srv/status), backs up and restores cleanly. NOT a deploy timeout, NOT a 51-min wedge,
+NOT a deploy FATA. The canon DECISIONS root-cause ("`abra app deploy` FATAs: service sidekiq depends
+on undefined service discourse → invalid compose project") is **misattributed**: that string appears
+ONLY from the non-fatal prepull `docker compose config --images` (rc=15, harness logs "skipping
+(deploy will pull as usual)"). The real `abra app deploy` is a swarm `docker stack deploy`, which
+ignores `depends_on` entirely → the stack converges (`UpdateStatus=completed`).
+
+The ONLY failure is the cc-ci upgrade OVERLAY `tests/discourse/test_upgrade.py`:
+- `test_head_runs_official_image_not_bitnamilegacy` — app image is `bitnamilegacy/discourse:3.5.0`;
+  test demands `discourse/discourse:3.5.3` (official).
+- `test_sidekiq_service_dropped_by_head` — services `['app','db','redis','sidekiq']`; test demands
+  sidekiq dropped.
+
+These `prevb`-phase overlay tests are PR-FAITHFULNESS assertions for a specific migration PR
+(bitnamilegacy → official `discourse/discourse:3.5.3`, drop sidekiq). Verified that migration exists
+in **NO upstream release tag and NOT in main** — `git show main:compose.yml` and every tag
+(`0.1.0…0.8.1+3.5.0`) all use `bitnamilegacy/discourse:3.5.0` + sidekiq. So the overlay asserts a
+state that doesn't exist anywhere upstream → deterministic RED whenever the sweep tests the latest
+release tag. The head DID deploy (chaos-version label = head f87c612d+U, converged) — the test
+expectation is simply wrong for the released recipe.
+
+Note (M2 design): migrating discourse from the deprecated `bitnamilegacy` image to official
+`discourse/discourse` is a MAJOR recipe rewrite (different fs layout, entrypoint, no `/opt/bitnami`
+sidekiq run.sh) — not a 1-line image swap. So the overlay test's `discourse/discourse:3.5.3`
+expectation may not be a realistic near-term recipe change. The bitnamilegacy deprecation is real
+(bitnami sunset legacy images), so a migration is the right long-term direction, but the test as
+written hard-codes a migration target absent upstream. Classification + fix approach to settle in M1
+table / M2.
+
+Classification: **stale/PR-specific cc-ci OVERLAY test mismatched to the canonical-sweep context**
+(NOT a flake, NOT a load timeout, NOT a recipe-deploy defect, NOT warm-machinery). Teardown clean (no
+discourse stack left). Evidence: `/tmp/redfix-discourse.log` on cc-ci; junit under
+`/var/lib/cc-ci-runs/manual/junit/upgrade__cc-ci__test_upgrade.xml`.
+
+## 2026-06-18T00:05Z — M1: mattermost-lts isolation run — DETERMINISTIC restore failure (recipe defect)
+
+Ran mattermost-lts ALONE (tag 2.1.9+10.11.15, log /tmp/redfix-mattermost-lts.log).
+RESULT: **install/upgrade/backup/custom PASS, restore FAIL** — identical to the canon failure:
+`tests/mattermost-lts/test_restore.py::test_restore_returns_state` → `relation "ci_marker" does not
+exist` after restore. So it is **deterministic in isolation, NOT a loaded-node race** (canon framing
+was wrong). The marker logic is sound (postgres table seeded pre-backup, dropped pre-restore, asserted
+post-restore — same pattern immich uses and PASSES).
+
+ROOT CAUSE (recipe backup/restore labels). Compared mattermost-lts vs immich (immich passes the
+IDENTICAL test):
+- immich `database` svc: `backupbot.backup.pre-hook: /pg_backup.sh backup`,
+  `backupbot.backup.volumes.postgres.path: backup.sql` (backs up ONLY the dump file), and
+  **`backupbot.restore.post-hook: /pg_backup.sh restore`** (replays the dump on restore). → round-trips.
+- mattermost-lts `postgres` svc: `pre-hook: pg_dump > /var/lib/postgresql/data/postgres-backup.sql`,
+  `backup.path: /var/lib/postgresql/data/` (backs up the WHOLE live/hot PGDATA dir + the dump),
+  `post-hook: rm .../postgres-backup.sql`, and **NO `backupbot.restore.post-hook`**. So on restore,
+  abra restores the files but NOTHING replays the dump, and a hot-copied live PGDATA over a running
+  postgres does not reload → `ci_marker` lost. Restore log confirms `Restoring Snapshot b0495d36 at /`
+  with no post-hook reimport.
+
+Classification: **GENUINE RECIPE DEFECT at latest** (postgres backup/restore does not round-trip —
+missing restore post-hook + backs up hot PGDATA instead of dump-only). NOT a flake, NOT cc-ci test
+weakening (test is correct & unmodified; immich proves the pattern works). Fix (M2) = recipe PR
+adopting the immich-style postgres backup/restore (a `/pg_backup.sh`-style dump + restore post-hook).
+Teardown clean (no matt stack). Evidence: /tmp/redfix-mattermost-lts.log; junit
+restore__cc-ci__test_restore.xml.
+
+Tooling note: my background "waiter" loop `while pgrep -f run_recipe_ci.py` self-matched (its own
+cmdline contains the string) → never exited, falsely showed a run active. Use `pgrep -f
+"[r]un_recipe_ci.py"` or match the python invocation. Killed the stuck waiters; node confirmed free.
+
+## 2026-06-18T00:18Z — M1: mumble isolation run — GREEN (flake confirmed)
+
+Ran mumble ALONE (tag 1.0.0+v1.6.870-0, log /tmp/redfix-mumble.log). RESULT: **ALL tiers PASS**
+(install/upgrade/backup/restore/custom), including `custom/test_protocol_handshake.py::
+test_handshake_completes_with_channel_presence` PASSED. No orphan stacks. The canon sweep recorded
+this RED (`test_handshake…` failed under concurrent sweep load); it is GREEN here in isolation, and
+its canonical was already written green TODAY (1.0.0+v1.6.870-0 @20260617T180501Z) under the lighter
+nixenv sweep. → **load/timing FLAKE** on the control-channel handshake, NOT a recipe defect.
+
+The handshake test already retries (`retry_handshake(attempts=12, interval=5.0)` = 60s). So the flake
+is the voice server not completing the TLS+ServerSync handshake within ~60s under heavy concurrent
+node load (deploy contention). M2 fix = harness stabilization (stronger readiness gate before the
+custom tier / longer-or-smarter retry / serialize), based on the load failure mode. Classification:
+**FLAKE (load/concurrency)** → harness stabilization.
+
+Reproducibility: 1 green isolation run here + canonical green today + documented red under canon load.
+Will do 1–2 more isolation repeats before the M1 claim to firm "reproducibly green in isolation."
+
+## 2026-06-18T00:45Z — M1: bluesky-pds isolation run — 000 REPRODUCES; root cause = `app` DNS collision on shared proxy
+
+Ran bluesky-pds ALONE (tag 0.3.0+v0.4.219, log /tmp/redfix-bluesky-pds.log). Cold lifecycle GREEN
+(install/backup/restore/custom pass; upgrade EXPECTED_NA per recipe_meta — moving pds:0.4 tag). Then
+WC5 promote-on-green-cold FAILED exactly as canon: `warm-bluesky-pds.ci.commoninternet.net: not
+healthy over HTTPS /xrpc/_health (last status 0)`. So **the 000 reproduces deterministically in
+isolation — NOT a sweep-load/ACME-rate-limit flake** (my first hypothesis, refuted).
+
+LIVE DIAGNOSIS (stack left deployed by the failed promote; probed before teardown):
+- app service 1/1, healthy: `docker exec app wget localhost:3000/xrpc/_health` → `{"version":"0.4.219"}`;
+  app listens on `:::3000`; no restarts. So the PDS itself is fine.
+- HTTPS to warm domain → 000. caddy logs flood:
+  `tls "failed to get permission for on-demand certificate" domain=warm-bluesky-pds…
+   error=… Get "http://app:3000/tls-check?domain=…": dial tcp 10.10.0.X:3000: connect: connection refused`
+  (X varies: .2 .4 .5 .6 .8 .9 .10 .12).
+- bluesky uses caddy **on-demand TLS** (Caddyfile: `on_demand_tls { ask http://app:3000/tls-check }`,
+  `tls { on_demand }`, `reverse_proxy app:3000`). caddy must reach app:3000/tls-check to be GRANTED a
+  cert before serving TLS. It can't → no cert → TLS handshake fails → 000.
+- WHY can't caddy reach app: **service-name `app` collision on the shared `proxy` overlay.**
+  - app is on `warm-bluesky-pds…_internal` ONLY (IP 10.0.3.3). caddy is on `proxy` (10.10.50.223) +
+    `…_internal` (10.0.3.6).
+  - `docker exec caddy getent hosts app` → returns ONLY proxy IPs (8/8 tries: 10.10.0.4/.5/.6/.10/.12),
+    **NEVER the internal 10.0.3.3.** The proxy-net `app` alias shadows bluesky's own internal app.
+  - `docker network inspect proxy` shows EVERY stack aliases its main service `app`:
+    `drone…_app=10.10.0.2`, `traefik…_app=10.10.0.5`, `warm-keycloak…_app=10.10.0.9`,
+    `ccci-reports/bridge/dashboard_app`, … — exactly the IPs caddy hits. None listens a PDS on 3000 →
+    connection refused.
+  So caddy resolves bare `app` to OTHER stacks' app endpoints on the shared proxy, never its own PDS.
+
+WHY cold passes / warm fails: cold's health window is long (HTTP_TIMEOUT=600) and on first success
+caddy CACHES the issued cert; the promote's shorter health window doesn't give caddy a chance to ever
+resolve correctly (and here it provably never resolves to 10.0.3.3 at all). The collision is the root
+cause; the promote machinery is CORRECT (it refused to write a canonical for an unhealthy 000 — no
+canonical.json written, verified).
+
+Classification: **genuine ROUTING/recipe defect — caddy↔app cross-stack `app`-alias collision on the
+shared proxy net**, deterministic, reproducible in isolation. NOT a flake; NOT a promote-machinery bug.
+Fix approach (M2): recipe PR giving the PDS service a UNIQUE name/alias (e.g. rename `app`→`pds`) so
+caddy's `reverse_proxy`/`tls-check` resolve only bluesky's own internal service (no shared-proxy `app`
+collision). (Alternatively a caddy-side internal-only resolution; renaming is cleanest.) Will confirm
+the exact fix in M2 + verify the warm domain then serves 200.
+
+Cleanup: removed orphaned warm-bluesky-pds stack + its volumes/secrets (promote had left it deployed;
+no canonical written). Node clean.
+
+## 2026-06-18T01:05Z — M1: keycloak — warm-domain namespace collision (harness), classification complete
+
+keycloak was de-enrolled (WARM_CANONICAL=False) because its data-warm canonical domain would collide
+with the LIVE-warm OIDC provider. Verified the collision STRUCTURALLY (code, no run needed):
+- `canonical.canonical_domain(r)` → `warm.stable_domain(r)` → `f"warm-{r}.ci.commoninternet.net"`
+  (runner/harness/canonical.py:42-44, warm.py:44-48).
+- `warm.WARM_DOMAINS["keycloak"] = "warm-keycloak.ci.commoninternet.net"` (warm.py:27-29) — the
+  always-on shared OIDC provider lasuite-*/drone consume for SSO; kept current by roll_warm_infra.
+- So `canonical_domain("keycloak") == WARM_DOMAINS["keycloak"]` EXACTLY. Enrolling keycloak as a
+  data-warm canonical → the sweep's promote deploy/teardown at warm-keycloak collides with the live
+  provider. Confirmed live keycloak healthy (200 /realms/master) — I did not disturb it.
+
+The collision is unique to keycloak: it is the ONLY recipe that is both a live-warm provider (in
+WARM_DOMAINS) AND would want a canonical. No collision-free canonical namespace exists today.
+
+Classification: **HARNESS defect — warm canonical domain namespace can collide with a live-warm
+provider.** NOT a recipe/flake. Fix approach (M2): make `canonical_domain(r)` collision-free when `r`
+is a live-warm provider — e.g. `warm-canon-<r>` (or unconditionally) so the canonical deploy gets a
+distinct domain → distinct stack → cannot touch the live `warm-keycloak`. Then set keycloak
+WARM_CANONICAL=True and verify it promotes at the collision-free domain WITHOUT disrupting live
+keycloak. Minimal blast radius: special-case only providers in WARM_DOMAINS (the 15 other canonicals
+keep `warm-<r>`); confirm in M2.
+
+## 2026-06-18T01:05Z — M1: gitea first advance attempt hit a LEFTOVER confound (not the real crash)
+
+First gitea cold@3.6.0 run: cold lifecycle (install/upgrade/backup/restore/custom) ALL PASS; promote
+advance FAILED with `FATA warm-gitea.ci.commoninternet.net is already deployed` — NOT the app.ini
+crash. Cause: warm-gitea was left DEPLOYED at 3.5.3 by the nixenv-phase sweep (registry said
+status=idle but the stack was actually running — a state inconsistency). The advance does `abra app
+deploy warm-gitea` assuming the canonical is idle/undeployed; finding it deployed, abra FATAs. This is
+the same GREEN-BUT-PROMOTE-FAILED the nixenv phase saw. To reproduce the REAL app.ini issue I undeployed
+warm-gitea (docker stack rm; retained data+config volumes → proper idle state) and re-ran gitea
+cold@3.6.0 (gitea2). Result pending. NOTE: the "already deployed" promote-failure-when-left-deployed
+may be a secondary promote-machinery robustness gap (advance should undeploy-or-chaos an
+already-deployed canonical) — will assess after confirming the primary app.ini crash.
+
+## 2026-06-18T00:14Z — M1: gitea warm advance — app.ini read-only JWT crash CONFIRMED (recipe defect)
+
+After restoring warm-gitea to proper idle state (undeployed, 3.5.3 data+config volumes retained),
+re-ran gitea cold@3.6.0 (gitea2, log /tmp/redfix-gitea2.log). Cold lifecycle ALL PASS
+(install/upgrade/backup/restore/custom — incl. the cold FRESH 3.5.3→3.6.0 upgrade tier). WC5 promote
+advance then crash-loops. Live container logs (warm-gitea_..._app, repeated Failed/exit 1):
+
+  modules/setting/setting.go:105:LoadCommonSettings() [F] Unable to load settings from config:
+  error saving JWT Secret for custom config: failed to save "/etc/gitea/app.ini":
+  open /etc/gitea/app.ini: read-only file system
+
+EXACTLY the canon-documented crash. Mechanism: the recipe mounts app.ini as a docker `config`
+(read-only by design) at /etc/gitea/app.ini (compose `configs: - source: app_ini target:
+/etc/gitea/app.ini`, app.ini.tmpl). gitea 1.24.2 (3.6.0), on the warm REATTACH of the retained
+3.5.3 config volume, decides to (re)generate+SAVE a JWT secret to app.ini → read-only fs → FATA at
+config-load, BEFORE any DB migration (so the 3.5.3 data volume stays intact — confirmed canon).
+
+Why cold passes but warm crashes: the cold fresh deploy + cold chaos-upgrade use freshly-generated
+secrets consistent with a freshly-initialized config, so gitea never needs to rewrite app.ini. The
+warm advance reattaches an OLDER retained config-volume state (seeded under 3.5.3) against the new
+run's secrets/3.6.0 binary → gitea reconciles by trying to persist a JWT secret → read-only crash.
+
+Classification: **genuine RECIPE defect** (gitea 3.6.0/1.24.2 + read-only app.ini docker-config mount
+on the warm-reattach advance), deterministic, reproduced first-hand. NOT a flake, NOT promote
+machinery. Fix approach (M2): recipe PR making app.ini writable on the advance path — e.g. render the
+config into the WRITABLE `config:/etc/gitea` volume via an entrypoint (not a read-only docker config),
+OR ensure the persisted secrets are accepted without rewrite. (Secondary harness option: canonical
+advance falls back to clean re-deploy when in-place config rewrite is impossible — but that loses the
+reattach data-warm property; recipe fix preferred.) Ties to LFS PR #1 (app.ini secret handling).
+
+ACTION NEEDED after run exits: warm-gitea is left crash-looping at 3.6.0 → restore it to 3.5.3
+(redeploy the known-good canonical version) so the canonical is healthy again. Data volume intact.
+
+## 2026-06-18T00:25Z — M1 CLAIMED (6/6 investigated, isolated, classified)
+
+mumble repeat #2 (mumble2): ALL tiers green again incl. handshake; canonical re-promoted green
+(ts 20260618T001730Z). So mumble = 2× reproducibly green in isolation → load/timing FLAKE confirmed.
+
+All six classified with first-hand isolation evidence (or code proof for keycloak). Two canon
+root-causes were CORRECTED by isolation: discourse (not a timeout/deploy-FATA — it's a stale cc-ci
+overlay test asserting an unreleased migration) and mattermost-lts (not a loaded-node race — a
+deterministic recipe restore defect: missing `backupbot.restore.post-hook`). bluesky's 000 is NOT a
+load/rate-limit flake (my initial hypothesis) but a deterministic caddy↔app `app`-alias DNS collision
+on the shared proxy. gitea app.ini read-only JWT crash reproduced first-hand. keycloak collision proven
+structurally in code.
+
+Node clean: warm-gitea idle@3.5.3 (volumes retained), orphaned warm-bluesky removed, only live
+warm-keycloak up (healthy 200). Claiming M1; will start M2 fix design while awaiting the Adversary
+verdict (keep an unblocked item in hand).
+
+## 2026-06-18T00:25Z — M2 prep (gated on M1 PASS): bluesky fix refinement
+
+While parked at the M1 gate (no node deploys — Adversary cold-verifying), refined the bluesky fix:
+cc-ci's bluesky tests probe via HTTP (/xrpc/_health), but the GENERIC harness defaults to
+`service="app"` (deployed_identity/_app_container). So RENAMING the recipe's `app` service → `pds`
+could break generic harness assumptions. Cleaner fix: keep the service named `app` but give it a
+UNIQUE network ALIAS on the internal net (e.g. `aliases: [pds-internal]`) and point caddy at
+`pds-internal:3000` (reverse_proxy + on_demand_tls ask). A unique alias has no collision on the shared
+proxy (only the bare `app` alias collides), and the service name stays `app` → zero cc-ci-side
+breakage. Will validate this exact approach in M2 after M1 PASS.
+
+## 2026-06-18T01:21Z — M1 PASS; starting M2
+
+Adversary M1 verdict: **PASS** @01:18Z — all 6 classifications cold-verified CORRECT by its OWN
+isolation re-runs (discourse/mattermost/mumble/bluesky/gitea) + code-verify (keycloak). No VETO.
+"Builder cleared to proceed to M2." Two canon root-causes corrected and confirmed (discourse: not a
+timeout, stale overlay; mattermost: not a load race, recipe defect). bluesky reclassification (recipe,
+not warm-machinery) confirmed against the plan's prior.
+
+Starting M2. Plan: recipe PRs (mattermost-lts, bluesky-pds, gitea) via the recipe mirror+PR flow
+(`!testme`-verified, never merge); harness fixes (keycloak collision-free canonical_domain + enroll;
+mumble handshake stabilization) on a cc-ci branch; discourse overlay-scope decision. Node now mine
+(Adversary done). Will examine the recipe-create-pr flow first, then execute one fix at a time.
+
+## 2026-06-18T01:25Z — M2 recon: prior-phase fix PRs already exist for discourse + mattermost
+
+Surveyed open PRs on all 6 mirrors before doing redundant work:
+- **discourse #4** `discourse-official-image` ("switch to official discourse/discourse"): created
+  2026-06-16 by autonomic-bot; **!testme PASSED twice**, latest @53ba0910 today 16:36Z (run #849) ✅.
+  This migrates off deprecated bitnamilegacy → official image + drops sidekiq = EXACTLY what the
+  upgrade overlay asserts. So the overlay test was correctly demanding the migration; PR #4 IS the
+  discourse fix and is already !testme-green. (Reframes M1 "stale test": the test is right; the
+  release tag predates the migration; the fix is the migration PR, not weakening the test.)
+- **mattermost-lts #1** `ci/pg-restore` ("reimport the postgres dump on restore"): correct
+  immich-pattern fix — pg_backup.sh (backup pg_dump|gzip; restore: terminate conns + DROP DATABASE
+  WITH FORCE + createdb + reimport) + dump-only `backup.volumes.postgres_data.path: backup.sql` +
+  `restore.post-hook: /pg_backup.sh restore`. Created 2026-05-30; needs a fresh !testme to confirm
+  green NOW. (Also PR #2 upgrade-2.1.11 overlaps — adds restore hook + version bump; #1 is the focused
+  fix.)
+- mumble #1 = "cfold sweep probe" (not the fix — mumble is a harness flake, no recipe PR needed).
+- bluesky #3 = version bump (not the routing fix — need a NEW PR for the app-alias collision).
+- gitea, keycloak = no open PRs (gitea LFS #1 closed; keycloak is a harness fix).
+
+M2 plan refined: VERIFY discourse #4 (re-!testme fresh) + mattermost #1 (!testme); CREATE recipe PRs
+for bluesky (unique alias) + gitea (app.ini writable); HARNESS fixes for mumble (handshake stab) +
+keycloak (collision-free canonical_domain + enroll). Starting with mattermost #1 !testme.
+
+## 2026-06-18T01:30Z — M2: mattermost-lts FIXED (verified) + discourse already green + bluesky PR created
+
+- **mattermost-lts**: !testme on PR #1 `ci/pg-restore` (@4ca7f418) → run #901 ALL tiers green
+  (install/upgrade/backup/restore/custom, every junit failures=0 skipped=0). The M1-failing
+  `restore__cc-ci__test_restore.py::test_restore_returns_state` now PASSES — the pg_backup.sh restore
+  post-hook (terminate conns + DROP DATABASE WITH FORCE + createdb + reimport dump) round-trips
+  postgres state. **FIXED + verified.** (Nothing merged — operator merges.)
+- **discourse**: PR #4 `discourse-official-image` already !testme-green @53ba0910 (run #849, today
+  16:36Z) — the official-image migration makes the upgrade overlay pass. Will re-verify fresh for
+  current evidence before the M2 claim.
+- **bluesky-pds**: created mirror PR #4 `ci/warm-routing-alias` (unique `pds` alias on internal +
+  caddy reverse_proxy/ask → pds:3000; service stays `app`). compose validated (`docker compose config`
+  rc=0). VERIFICATION NOTE: bluesky's 000 is warm-promote-only (cold path always green), so !testme
+  (cold) won't reproduce/verify it — I'll verify by running the FIXED recipe through the promote path
+  (cold-on-latest with the fix checked out) → warm-bluesky-pds should serve 200 (vs M1's 000), then
+  tear down the phantom canonical.
+
+Remaining M2: bluesky promote-verify, gitea recipe PR (app.ini writable), keycloak harness
+(collision-free canonical_domain + enroll), mumble harness (handshake stabilization).
+
+## 2026-06-18T02:10Z — M2 bluesky: alias fix blocked by abra; pivoting to service RENAME
+
+Verified the bluesky `pds` network-alias fix end-to-end and found a blocker:
+- `docker stack deploy` HONORS compose network aliases (throwaway test: app got `Aliases:["pds","app"]`).
+- `docker compose config` PRESERVES the alias in its render.
+- BUT the harness/abra promote deploy produced an app service with `Aliases:["app"]` only — the `pds`
+  alias was DROPPED. The fixed Caddyfile (pds:3000) DID deploy (same per-run tree), so abra read my
+  recipe tree; by elimination, **abra's own compose→swarm translation drops service network aliases**
+  (it's not docker, not the tree). Also confirmed: the bluesky promote is a non-chaos pinned deploy.
+  (Two stale-config gotchas also hit + fixed: docker configs are immutable+versioned — a stale
+  `warm-bluesky..._caddyfile_v1` was reused until I removed it; lesson for gitea = bump config versions.)
+
+→ Pivot to the ROBUST fix: RENAME the PDS service `app`→`pds`. Docker auto-adds the service short-name
+as a network alias (abra can't drop that — the deployed `app` proved the service-name alias is always
+applied), so caddy's `reverse_proxy pds:3000` resolves THIS stack's PDS (unique on internal; no `pds`
+on the shared proxy). Coupled cc-ci change: 2 `exec_in_app(...)` calls default `service="app"`
+(`tests/bluesky-pds/_p4.py:40`, `custom/test_account_and_post.py:49`) → must become `service="pds"`
+(NOT a weakening — same assertion, correct service). The warm-routing PROOF (warm-bluesky-pds→200) is
+the promote path (custom exec tests not involved); cold !testme-green needs the cc-ci ref update.
+
+Need to determine how cc-ci-side code reaches a !testme run (also required for keycloak + mumble
+harness fixes) — investigating CCCI_REPO/Drone checkout next.
+
+## 2026-06-18T02:15Z — cc-ci-side change verification mechanism (for bluesky-rename/keycloak/mumble)
+
+The Drone !testme build clones cc-ci at main HEAD; the manual runner runs from CCCI_REPO (default
+/etc/cc-ci). To verify a cc-ci-side change WITHOUT pushing main or disturbing /etc/cc-ci (shared with
+Adversary): push the change to a cc-ci BRANCH, clone/checkout that branch to a temp dir on cc-ci, and
+run `cd <tmp> && CCCI_REPO=<tmp> cc-ci-run runner/run_recipe_ci.py RECIPE=... CCCI_SKIP_FETCH=1`
+(cc-ci-run is the deployed nix env; runner/ + tests/ come from my branch checkout). Restores cleanly.
+
+bluesky-rename coupling: the warm-promote only fires on a FULLY-GREEN cold run, and bluesky's custom
+tier exec_in_app defaults to service="app". So renaming app→pds REQUIRES the cc-ci exec-ref update
+(service="pds") deployed via the temp-checkout for the cold run to go green and the promote to fire.
+So: (1) recipe rename PR, (2) cc-ci branch with exec-ref update, (3) verify via temp-checkout run ->
+cold green -> promote -> warm-bluesky-pds 200.
+
+## M2 progress snapshot (2026-06-18T02:15Z)
+- mattermost-lts: DONE (PR #1 ci/pg-restore, !testme run #901 all-green incl restore). 
+- discourse: DONE (PR #4 discourse-official-image, !testme run #849 green; re-verify fresh for claim).
+- bluesky-pds: PR #4 (alias) -> superseding with service RENAME app->pds + cc-ci exec-ref update; verify on promote path.
+- gitea: fix READY locally (/tmp/redfix-gitea: app.ini->staging + docker-setup seed-once + DOCKER_SETUP_SH_VERSION v2); needs PR push + warm-advance verify.
+- keycloak: harness fix (canonical_domain collision-free for WARM_DOMAINS recipes + enroll) NOT STARTED.
+- mumble: harness fix (handshake readiness/retry stabilization) NOT STARTED.

machine-docs/JOURNAL-regall.md

@@ -0,0 +1,31 @@
+# JOURNAL — phase `regall`
+
+## 2026-06-17 — Phase bootstrap + sweep start
+
+### Context
+Phase `prevb` completed with DONE at b6f526a. The prevb change introduced:
+- Dynamic upgrade-base resolution: last-green (warm canonical) → main-tip (ref) → skip
+- `previous/` overlay mechanism (base-only, version-guarded)
+- Environmental vs version-specific overlay split
+
+There are NO warm canonical registry records on the server (`/var/lib/ci-warm/` has only
+keycloak/traefik reconciler dirs, no `canonical.json`). So for all recipes, the post-prevb base
+resolution will use **main-tip ref** as the upgrade base (kind=ref), unless:
+- EXPECTED_NA[upgrade] is declared (bluesky-pds → skip)
+- UPGRADE_BASE_VERSION is set (plausible → version 3.0.1+v2.0.0)
+
+This is the key structural difference from pre-prevb: old code used `lifecycle.previous_version(recipe)`
+(the previous published tag), new code uses main-tip commit ref for most recipes.
+
+Three prevb spot-checks already confirmed green with post-prevb code:
+- cryptpad PR#5: kind=ref main-tip 36ee3451; upgrade=pass
+- keycloak PR#3: kind=ref main-tip 12ac6db8; upgrade=pass (prune-orphans safe-skip)
+- hedgedoc PR#1: kind=ref main-tip 09bf4d54; upgrade=pass
+
+Remaining 18 recipes to sweep.
+
+### Sweep strategy
+- Batch ≤3 concurrent Drone builds via !testme on open PRs
+- Create trivial "chore: regall test trigger" PRs for recipes with no open PRs
+- Monitor Drone build numbers, collect results.json levels
+- Compare to baseline table

machine-docs/JOURNAL-samever.md

@@ -0,0 +1,100 @@
+# JOURNAL — phase `samever` (Builder reasoning; Adversary does not read before verdict)
+
+## 2026-06-17 — M1 design + implementation
+
+**Root cause (confirmed against `runner/run_recipe_ci.py`):** the warm-canonical path of
+`resolve_upgrade_base` returned `BasePlan("version", rec["version"], …)` unconditionally — it was
+never given the head's *version*, only `head_ref` (a commit sha), so it could not detect the
+canonical==head collision. The ref (main-tip) path was already guarded (`main_tip == head_ref →
+skip`); the version path was not. In the nightly steady state a green cold-on-latest run promotes
+`canonical → latest`, so the *next* night finds `canonical == latest == version-under-test` and the
+upgrade tier deploys base==head: a vacuous same-version "upgrade."
+
+**Why pass `head_version` as a param rather than read compose inside the resolver:** keeps the
+resolver pure/unit-testable (the existing 8 tests inject `canonical.read_registry` /
+`lifecycle.recipe_branch_commit` via monkeypatch and never touch the filesystem). The call site
+(`main()`) reads it once via `abra.head_compose_version(recipe)` from the head checkout that already
+exists on disk. Tests pass `head_version=` directly.
+
+**Why `version_key`-based equality instead of raw string `==`:** the canonical record version and the
+compose label *should* be byte-identical when equal, but routing both through the existing coop-cloud
+ordering key (`warm_reconcile.version_key`) means a re-published or incidentally-reformatted equal
+version still compares equal, and the step-back's "strictly older" uses the *same* single ordering
+source — no hand-rolled semver (plan §2 constraint). `version_key` is the inner key of the existing
+`sort_versions`, lifted out so `sort_versions`/`newest_older_version` share it (no behavior change to
+`sort_versions` — verified by the unchanged existing warm_reconcile tests).
+
+**Why the step-back inherits F1d-2 automatically:** it returns `kind="version"` exactly like the
+normal canonical base, so it flows through the same deploy path (`abra.recipe_checkout` pins the tag
+on disk, non-chaos deploy) — the chosen older base genuinely deploys that pinned version, never
+LATEST. No new deploy code; the protection is structural.
+
+**Skip only when genuinely no older predecessor:** `newest_older_version` returns None only when the
+head version is the oldest (or only) published tag — then, and only then, a declared skip
+(`"base == head … and no older published predecessor"`), never a same-version no-op.
+
+**`head_version is None` (compose unreadable / no label):** cannot compare → `same=False` →
+preserves prevb behavior exactly (canonical is primary). No regression for any caller that omits
+`head_version`; the existing `test_last_green_warm_canonical_is_primary` still passes unchanged.
+
+**Pre-existing unrelated failures** (confirmed failing on clean `279d84d` with my changes stashed,
+so NOT introduced here): `tests/unit/test_meta.py::test_generated_doc_table_in_sync` and
+`tests/unit/test_warm_reconcile.py::test_traefik_spec_is_stateless_with_setup` (KeyError
+'health_domain'). Out of scope for samever.
+
+## 2026-06-17T04:25Z — M1 claimed; M2 prep (no gate runs until M1 PASS)
+
+M1 claimed (c5a0d20). Parked at gate; doing read-only M2 prep:
+- Trigger mechanism (from prevb M2): `!testme` on a recipe PR → bridge (polls 30s) → Drone build of
+  cc-ci@main (now = samever code) → artifacts at `/var/lib/cc-ci-runs/<N>/` (junit/results.json,
+  Adversary-readable). Local full-pipeline runs on cc-ci de-risk before posting.
+- Enrolled (WARM_CANONICAL=True) recipes: only **custom-html** currently. No canonical registries on
+  cc-ci right now (`/var/lib/cc-ci-canonical/` empty).
+- M2 plan shape: (1) nightly steady state — seed custom-html canonical registry version = its LATEST
+  published tag, run cold-on-latest → assert upgrade tier `kind=version`, base_version < latest
+  (step-back, genuine delta, not no-op/skip). (2) PR form — non-version-bump PR, head==canonical, same
+  step-back. (3) discourse #4 version-bump → UNAFFECTED (canonical→head). (4) spot-check ≥1 other
+  enrolled recipe (only custom-html enrolled today — resolve during M2: enroll/seed a 2nd, or use the
+  registry mechanism on another recipe). Need ≥2 published tags on the step-back recipe for an older
+  target to exist — verify custom-html tag count before run.
+
+## 2026-06-17T04:40Z — M2 real-CI evidence captured (custom-html + discourse)
+
+Two-run authentic nightly simulation on cc-ci (/root/samever-deploy @ cc-ci main, samever code):
+- **Run A** (cold-on-latest, no canonical): upgrade base kind=skip (head==main tip); green 5 tiers;
+  WC5 promote → canonical custom-html = 1.13.0+1.31.1 (the "first nightly").
+- **Run B** = THE HEADLINE (2nd consecutive nightly, canonical==latest==head):
+  `upgrade base: kind=version version=1.11.0+1.29.0 (step-back: last-green canonical (1.13.0+1.31.1)
+  == head version 1.13.0+1.31.1; newest older published base)`. Upgrade tier deployed base 1.11.0+1.29.0
+  then chaos-upgraded to head: `version=1.11.0+1.29.0→1.13.0+1.31.1` (label MOVED, base<head, REAL
+  delta — not a no-op, not a skip). All 5 tiers green. Proves F1d-2: the older base actually deployed
+  the pinned 1.11.0 then upgraded to 1.13.0.
+- **Run C** (version-bump UNAFFECTED, enrolled): re-seeded canonical→OLDER 1.11.0+1.29.0, cold-on-latest
+  head 1.13.0 → `kind=version version=1.11.0+1.29.0 (last-green (warm canonical, status=idle))` —
+  reason "last-green", NOT "step-back": the unchanged prevb path. Upgrade 1.11.0→1.13.0 green. The
+  step-back never engages when canonical≠head.
+- **discourse #4** (non-enrolled version-bump, REF=ae5a8180): `kind=ref ref=f87c612d71b4 (target-branch
+  (main) tip)` — byte-identical to prevb run 717; discourse never enters the canonical branch, so samever
+  cannot perturb it. (Full install,upgrade migration running to green for completeness.)
+
+Artifacts preserved on cc-ci: /root/samever-run{A,B,C}.log, /root/samever-disc4.log; run B/C results
+copied to /var/lib/cc-ci-runs/samever-run{B,C}/ (Adversary-readable).
+
+## 2026-06-17T04:55Z — M2 complete (PR form + spot-check), claiming
+
+- **Run D (PR form):** ran custom-html with REF=2b82ebab PR=999 (a PR head whose compose version is
+  still 1.13.0 == canonical). Resolver stepped back to 1.11.0+1.29.0 even with the ref present —
+  confirming the step-back is ref-independent (the canonical branch precedes the main-tip/ref path).
+  Upgrade 1.11.0→1.13.0 green.
+- **Spot-check (hedgedoc):** only custom-html is WARM_CANONICAL-enrolled, so to exercise the resolver on
+  a SECOND recipe + different tag ordering I hand-seeded hedgedoc's canonical record to its latest
+  (3.0.10+1.10.8) — the resolver reads canonical.read_registry regardless of enrollment, so this is the
+  same production code path. cold-on-latest → step-back to 3.0.9+1.10.7, upgrade green. Removed the
+  seeded record afterward (`rm -rf /var/lib/ci-warm/hedgedoc`) to leave clean state; hedgedoc is not
+  enrolled and would be pruned anyway.
+- **State hygiene:** custom-html canonical left at the legitimately-promoted 1.13.0+1.31.1 (its real
+  enrolled steady state). No leftover run stacks (clean teardown verified). Pre-existing warm-keycloak
+  orphan untouched.
+
+Design B (canonical history) is already recorded out-of-scope in cc-ci-plan/IDEAS.md (per plan §5) —
+verify before DONE.

machine-docs/JOURNAL-settings.md

@@ -0,0 +1,104 @@
+# JOURNAL — phase `settings` (WHY / reasoning; Adversary does not read before verdict)
+
+## 2026-06-17 — bootstrap + M1 design
+
+**Phase:** server-level `settings.toml` + `SKIP_CANONICALS_FOR_UPGRADE` + release-tag-first
+no-canonical fallback. Plan: `/srv/cc-ci/cc-ci-plan/plan-phase-settings-ci-server-config.md`.
+
+### Why a new `harness/settings.py` (not extending an env-var module)
+Checked for an existing cc-ci config mechanism first (plan §2.A "extend rather than spawn a parallel
+one"). The server config today is **scattered ad-hoc env reads** (`os.environ.get` for `MAX_TESTS`,
+`CCCI_RUNS_DIR`, `CCCI_REPO`, `STAGES`, `CCCI_QUICK`, …) — there is **no** central config module/class
+to extend (`grep` for `tomllib|settings\.toml|class Settings` → none). So a small dedicated loader IS
+the minimal, extensible home rather than threading another env var. Stdlib `tomllib` (py3.12 on the
+server, confirmed). One `[upgrade]` table, one key now; `_SCHEMA` is the single source of
+defaults+validation so adding a key/table later is a one-line change.
+
+### Settings file path: `/etc/cc-ci/settings.toml` (override `$CCCI_SETTINGS`)
+The harness runs from `/etc/cc-ci` in BOTH execution contexts (nightly sweep sets `CCCI_REPO=/etc/cc-ci`
+and `cd`s there; the Drone recipe-CI runner runs from its checkout but an **absolute** host path is read
+identically by both). `/etc/cc-ci` is a git checkout kept current by `git pull` + nixos-rebuild on
+deploy — an **untracked** `settings.toml` there survives pulls (git pull never deletes untracked files)
+and sits next to the tracked `settings.toml.example`. Chose this over `/srv/cc-ci/settings.toml` (the
+plan's *suggestion*) because `/srv/cc-ci` is the orchestrator path, ambiguous on the server; `/etc/cc-ci`
+is unambiguous and discoverable. The loader is graceful if the file/dir is absent → defaults.
+
+### Why the canonical-present path (incl. samever step-back) is byte-for-byte unchanged
+Guardrail §4: default false must be a no-op for current behavior. Structure:
+`if rec and rec.version and not flag:` → the entire existing prevb/samever block runs verbatim
+(canonical ≠ head → canonical; canonical == head → step-back older tag, else skip). Only when there is
+**no canonical in play** (rec falsy, OR flag true) do we enter the new `_no_canonical_base`. So with
+flag false + a canonical, nothing changes; the step-back's "no older predecessor → skip" is preserved
+(NOT routed to main-tip), which is correct — routing it to main-tip could reintroduce the same-version
+no-op samever exists to prevent. The plan §2.C "unified chain ... (==head)" is satisfied by the
+step-back already taking the same release-tag helper as step 1; I deliberately did NOT add a main-tip
+tail to the step-back skip, to keep samever's guarantee intact. This is the one place where a literal
+reading of §2.C ("==head → ... → main-tip → skip") and the §4 no-op guardrail + samever's intent point
+slightly differently; I chose the conservative path that preserves both samever and the no-op guardrail.
+If the Adversary reads §2.C literally and wants the step-back-no-older case to fall to main-tip, that is
+a one-line change — but I believe it would be a regression (vacuous upgrade), so it's recorded here.
+
+### Why `_no_canonical_base` guards on `head_version` before calling `recipe_tags`
+`newest_older_version(tags, None)` returns None, but evaluating `recipe_tags(recipe)` eagerly would
+shell out to `git -C <per-run recipe dir> tag` even when head_version is None (e.g. callers/tests that
+don't pass it). Guarding `if head_version else None` avoids a needless/erroring git call and preserves
+the prevb behavior for the no-head_version caller shape (→ main-tip).
+
+### Why wrong-type raises but malformed/absent doesn't
+Plan M1: "malformed file handled" (graceful) AND "wrong type errors clearly". Reconciled: absent /
+unreadable / TOML-syntax-error → WARN + all-defaults (a red file degrades to today's behavior, can't
+crash CI). A syntactically-valid file with a **known key of the wrong type** → `TypeError` (a typo'd
+value should be loud, not silently mis-parsed). bool-is-int-subclass handled: `1`/`0` for a bool key is
+rejected, not coerced.
+
+### Pre-existing, OUT OF SCOPE: dashboard lint drift on main
+`scripts/lint.sh` reports `dashboard/dashboard.py` + `tests/unit/test_dashboard.py` would be reformatted
+by the pinned ruff — confirmed present at HEAD f68f1c5 (`git show HEAD:...` through pinned ruff), NOT in
+my diff. Not touched by this phase (narrow scope). Recorded in DECISIONS as an observation. My 5
+phase files are format-clean + `ruff check` clean.
+
+### Verification (commands + output)
+- `nix shell nixpkgs#python311Packages.pytest -c pytest tests/unit/test_upgrade_base.py
+  tests/unit/test_settings.py -q` → **32 passed**.
+- full unit suite `pytest tests/unit/ -q` → **315 passed**.
+- `ruff check runner/ tests/unit/ bridge/ dashboard/` → All checks passed.
+- `ruff format --check` (pinned) on my 5 files → all formatted.
+
+## 2026-06-17 — M2 prep (read-only; not advancing past M1 gate)
+
+Server canonical registry (`/var/lib/ci-warm/<recipe>/canonical.json`, status all `idle`):
+- **WITH canonical** (16): cryptpad, custom-html, custom-html-tiny, drone, ghost, gitea, hedgedoc,
+  immich, lasuite-docs, lasuite-drive, lasuite-meet, mailu, matrix-synapse, n8n, plausible, uptime-kuma.
+- **warm dir but NO canonical.json** (candidates for M2 evidence (a) "recipe without a canonical →
+  newest release tag < head"): **keycloak, alerts, traefik**.
+
+M2 plan (after M1 PASS):
+- (a) pick a no-canonical recipe WITH published release tags (keycloak has many) → show
+  `resolve_upgrade_base` returns a release-tag base, not raw main-tip. Likely via a harness dry-run /
+  targeted invocation on the server reading the live settings (absent file → default false).
+- (b) drop a scratch `/etc/cc-ci/settings.toml` with `skip_canonicals_for_upgrade = true`, show a
+  canonical-bearing recipe (e.g. gitea/ghost) now resolves to the release-tag base (canonical bypassed),
+  then remove the scratch file → restore default false.
+- Deploy: ensure `/etc/cc-ci` is at the phase commit (git pull); settings.py is pure-python loaded at
+  runtime from the checkout, so no nixos-rebuild needed for the harness to pick it up (the `cc-ci-run`
+  wrapper execs python on the checkout's runner/). Confirm on server.
+
+## 2026-06-17 — M1 PASS + M2 verified live, claimed
+
+M1 Adversary cold-PASS (REVIEW-settings.md @17:00Z, no VETO). Advanced to M2.
+Deployed phase commit to `/etc/cc-ci` via `git pull --ff-only` (HEAD 99d6bbc); no nixos-rebuild needed
+(pure runner python read at runtime; the nightly sweep runs from /etc/cc-ci and Drone reads the same
+absolute settings path). Added `scripts/show-upgrade-base.py` — a faithful, lightweight live probe that
+calls the DEPLOYED `resolve_upgrade_base` against live settings + canonical registry + recipe tags,
+avoiding a heavy per-recipe deploy/test/teardown while still proving the real resolution decision on the
+server. Chose this over full `cc-ci-run runner/run_recipe_ci.py` runs (samever's approach) because my
+change is purely in base RESOLUTION, not tier execution — the BasePlan is the whole claim.
+
+Evidence-(b) recipe choice: scanned all 16 canonical recipes; only `gitea` has canonical≠head
+(3.5.3 vs 3.6.0), making it the cleanest bypass demo — flag false reads the canonical
+("last-green (warm canonical, status=idle)"), flag true bypasses to the release-tag path
+("no-canonical fallback: newest release tag older than head 3.6.0..."). The resolved version is 3.5.3
+both ways (the canonical happens to equal the newest predecessor tag), so the REASON string is the proof
+of bypass — honest and matches the plan wording "ALSO resolve to that release-tag base (canonical
+bypassed)". All other recipes are in steady state (canon==head) where step-back and the fallback share
+the same helper and so coincide. Server restored to steady state (settings.toml absent → false).

machine-docs/JOURNAL-shot.md

@@ -0,0 +1,105 @@
+# JOURNAL-shot.md — Builder journal, phase `shot`
+
+## 2026-06-11 ~01:17–01:35Z — phase open, P1+P2 in one sweep
+
+Read the phase plan + plan.md §6.1/§7/§9. Enumerated enrolled recipes (19). Pulled per-recipe
+latest-run data off cc-ci (`results.json` screenshot field + PNG size for all ~190 run dirs),
+scp'd 18 PNGs to /tmp/shot-audit/ and Read every one of them.
+
+Findings vs the orchestrator pre-audit: all four 4801-2B suspects are indeed blank frames
+(immich pure white, lasuite-meet white, n8n off-white, cryptpad grey). keycloak 8.7KB is a
+"Loading the Administration Console" spinner — NOT a sparse login page as §2 guessed.
+lasuite-docs/drive ~5.9KB are lone spinners. Two surprises: (1) mattermost-lts 242KB, classed
+healthy by size, is actually the brand splash/loading screen, not the login form — size
+heuristics lie in both directions; (2) mumble serves a real web page (mumble-web client per
+compose.mumbleweb.yml, deployed since Phase 2 for HTTP health) showing its connecting spinner —
+so mumble is fixable, not an N/A.
+
+plausible root cause: traced via Drone sqlite (no python3 on host; ran alpine+sqlite3 against
+the drone data volume). Build 357 log t=73s: capture failed, last status=500 after 45s. Cross-ref
+tests/plausible/functional/test_health_check.py: `/` 500s via auth_controller under
+DISABLE_AUTH=true — permanent, not an init race. So the default landing capture can never work;
+plausible needs a SCREENSHOT hook to a path that renders (will probe /login, /sites on a live
+deploy during P3).
+
+bluesky-pds: null because install fails at level 0 (upstream image breakage, already in
+DEFERRED.md from rcust) — capture gated on deploy_ok, correctly skipped. N/A while upstream broken.
+
+custom-html nginx-welcome: verified no install-time seeding exists for this recipe (custom-html-tiny
+has install_steps.sh; custom-html only seeds in pre_backup/pre_upgrade ops, after capture). The
+nginx default page IS the honest fresh-install view. Leaving OK; flagged in matrix for Adversary.
+
+Adversary opened REVIEW-shot.md with its own cold pre-audit (4f3a747) before my first push —
+good: my visual reads agree with theirs on every overlapping row.
+
+Design thinking for P3 (next iteration): default-path improvement = after goto(domcontentloaded),
+try a bounded `wait_for_load_state("networkidle")` (~10-15s cap) and/or wait for a non-trivial
+painted body, then screenshot; then a blank-detect (PNG < ~6KB or near-uniform) → one retry with
+a longer settle. Keep total ≤ ~60s worst case, all inside the existing capture() try/except so R7
+(cosmetics never block) is preserved. Unit tests: blank-detector pure function + retry logic with
+a fake page. Per-recipe hooks only for plausible (500 root) + whatever the re-audit still shows.
+
+## 2026-06-11 ~05:45-06:00Z — plausible root cause was a 62-char SECRET_KEY_BASE; M1 PASSed meanwhile
+
+M1 PASS (ae10b55) with a watch-list. P3 done in two commits: ce50f64 (harness settle+blank-retry,
+6 unit tests, 205 pass, lint PASS) and b98a471 (plausible fix). The plausible story changed under
+probing: three live probes (shot-probe{,2,3}-plausible) showed / and every HTML route 302→/register
+which 500s; app logs gave the smoking gun: `(ArgumentError) cookie store expects conn.secret_key_base
+to be at least 64 bytes`. Our EXTRA_ENV value — comment claimed "64-char" — measures 62. So every
+page render 500'd while /api/* (no cookie store) passed all tiers. NOT auth_controller/DISABLE_AUTH
+as the old comments claimed; corrected both stale comments. Fix = 68-char value; verified
+shot-fix-plausible run: install pass, screenshot.png 64132B = real registration page (empty fields,
+placeholders only — same safe shape the Adversary blessed for n8n/uptime-kuma). No hook needed.
+
+P4 started: !testme posted 05:56:32Z on immich#2 + plausible#3 (drone builds 370+371 running,
+concurrent). Manual full proof run keycloak launched (shot-proof-keycloak). Remaining queue:
+mattermost-lts, cryptpad, lasuite-meet, lasuite-docs, lasuite-drive, n8n, mumble.
+
+## 2026-06-11 ~06:05-06:30Z — proof sweep underway; A1 fixed; mumble is the holdout
+
+Proofs verified visually so far (each level matches its baseline): drone 370 immich L4 234KB real
+onboarding card (was 4801B); drone 371 plausible L4 64KB registration page (was null); keycloak L4
+real sign-in form (was loading spinner); cryptpad L4 real landing w/ document picker (was grey blank);
+lasuite-meet L4 real product landing (was white blank); mattermost-lts L2(=m2r baseline L2) — real
+page but it's the desktop-or-browser interstitial, so per the watch-list I added the first
+SCREENSHOT hook (80e5713, → /login + public settle()); re-run pending.
+
+A1 (blank-retry could regress a larger frame): fixed in 7ad7d1f — retry goes to a temp path and
+only replaces via os.replace when >= first; regression test [9999,4801]→9999. 207 unit, lint PASS.
+
+mumble: proof run still spinner after settle+retry (7980B). Probing live what mumble-web does over
+90s (it printed real mumble-web HTML while up; suspect autoconnect overlay that never resolves
+because the websocket voice path may not be browser-reachable). Orchestrated probe2 running.
+Also in flight: n8n + lasuite-docs proofs from the A1-fixed tree. Queue: lasuite-drive, mattermost
+re-run; then ghost/hedgedoc/etc. healthy-class citations + dashboard/card check + runtime compare.
+
+## 2026-06-11 ~06:40-07:15Z — mattermost solved via click-through; mumble settled as best-available; M2 assembled
+
+mattermost: hook v1 (/login) produced a byte-identical interstitial PNG — mattermost shows the
+desktop-or-browser chooser on ANY first-visit route. Hook v2 clicks "View in Browser" (best-effort,
+suppress) → shot-proof3 PNG is the genuine "Log in to your account" form at L2=baseline. That's
+watch-list item 3 satisfied the hard way.
+
+mumble: three live probes. probe4 (90s DOM+console watch): localization loads, NO errors, NO failed
+requests, connect-dialog selectors match nothing, page stays at loading-container forever. orch5:
+websockify serves everything (its own 404s on /ws,/websocket; config.local.js = untouched sample, no
+autoconnect). Conclusion: the pinned mumble-web:0.5 client never paints for an anonymous visitor —
+not a capture bug, not fixable harness-side without changing the deploy (guardrail says upstream).
+Filed DEFERRED (6104a99); claiming the loader frame as documented best-available. Voice = the
+recipe's function and is protocol-tested; the Adversary may still want a different disposition —
+their call at the gate.
+
+Ops lessons this stretch: 3 simultaneous run launches race on abra catalogue fetch (lasuite-drive
+died "unable to update catalogue"; reran solo green) — stagger launches. Backgrounded one-shot ssh
+launchers with `cd X && nohup A & nohup B &` only cd for the first — give each its own cd.
+
+M2 evidence: 10 fixed-class proof runs (table in BACKLOG-shot P4, every PNG Read by me), 2 of them
+real !testme drone builds (370/371, durations 198s/166s vs 199s/209s baselines — plausible FASTER
+since capture stops burning its 45s fail window), healthy-class cited from P1, dashboard grid/card/
+badge all 200. Claiming M2.
+
+## 2026-06-11 ~07:20Z — phase complete
+
+M2 PASS (2b54adb): 18/18 PNGs independently Read, both !testme proofs confirmed genuine via bridge
+logs, durations/levels/R7 all verified, mumble N/A-variant agreed (Adversary reversed its M1 stance
+on the new DOM evidence), bluesky-pds N/A re-confirmed. Wrote ## DONE. Loop ends.

machine-docs/REVIEW-aoeng.md

@@ -0,0 +1,183 @@
+# REVIEW — phase aoeng (Adversary log)
+
+Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase-aoeng-engine.md`
+Deliverable repo: `recipe-maintainers/agent-orchestrator` on git.autonomic.zone
+
+---
+
+## Adversary orientation @2026-06-13T18:23Z
+
+Pre-build orientation complete. Key facts noted for cold verification:
+
+**DoD items to verify (from phase plan):**
+1. `recipe-maintainers/agent-orchestrator` exists; `main` pushed; `v0.1.0` annotated tag present.
+2. **No cc-ci hardcoding:** `grep -rIE 'cc-ci|/srv/cc-ci|recipe|upgrad' <repo> --include='*.py'` on a clean /tmp checkout returns only generic/example/comment hits.
+3. `python3 agents.py selftest` passes; `python3 agents.py status --config agents.example.toml` prints sane table; `agents.py --help` documents verbs.
+4. Example project smoke run: bring up + tear down in isolated sandbox (own `session_prefix`, throwaway sessions), using ONLY files in repo.
+5. Nix: `flake.nix`+`flake.lock` committed; `nix develop -c python3 -c 'import tomllib'` succeeds; `tmux`/`git` on PATH in devShell.
+6. README documents: schema + verbs + AI-PO usage + `nix develop`.
+
+**Specific hardcoding to watch for in the ported agents.py (from source analysis):**
+- `log_dir` default `/srv/cc-ci/.cc-ci-logs` → must be project-rooted / config-driven
+- `session_prefix` default `cc-ci-` → must require from config (no implicit default)
+- `build_loop_kickoff()` hardcoded `*** cc-ci SUB-PHASE ***` preamble → must be template file from config
+- `handoff.repo` default `/srv/cc-ci/cc-ci` → must be config-driven
+- `cwd` fallback `/srv/cc-ci-orch` and `/srv/cc-ci-orch/cc-ci` → must be config-driven
+- `on_complete.run = "upgrader"` → must be generic task name from config
+- `opencode.preamble` has `/srv/cc-ci/.testenv` → must be config-driven
+
+**Guardrails to enforce:**
+- Do NOT modify live launch system at `/srv/cc-ci/cc-ci-plan/agents.py`, `agents.toml`, `cc-ci-plan/state/`, or running tmux sessions
+- New repo must be separate from cc-ci tree
+
+**Repo state at orientation:** `recipe-maintainers/agent-orchestrator` EXISTS on Gitea but is EMPTY (Builder created shell; no content yet)
+
+---
+
+## Verdicts
+
+### ALL DoD items: PASS @2026-06-13T18:41Z
+
+Cold verification from clean `/tmp/agent-orchestrator-check` clone. No gate claim was formally
+posted in STATUS-aoeng.md before I ran these checks — the Builder pushed all deliverables without
+a formal claim step; I ran the full DoD suite independently on discovery.
+
+**Cold checkout:**
+```
+git clone https://…@git.autonomic.zone/recipe-maintainers/agent-orchestrator.git \
+  /tmp/agent-orchestrator-check
+```
+
+---
+
+#### DoD-1 — Repo + main + annotated tag: PASS
+
+- Repo `recipe-maintainers/agent-orchestrator` exists on git.autonomic.zone ✓
+- `main` branch present and pushed (commit `289ef07`) ✓
+- `v0.1.0` is an annotated tag (`git cat-file -t v0.1.0` → `tag`, not `commit`) ✓
+- Tag message: "agent-orchestrator v0.1.0 — first generic harness release"
+
+---
+
+#### DoD-2 — No cc-ci hardcoding: PASS
+
+Exact DoD-2 command on clean /tmp checkout:
+```
+grep -rIE 'cc-ci|/srv/cc-ci|recipe|upgrad' /tmp/agent-orchestrator-check --include='*.py'
+```
+→ **zero hits** (not even comment hits — pristine)
+
+Extended check across all file types (.py, .toml, .md, .sh, .nix):
+```
+grep -rIE 'cc-ci|/srv/cc-ci' /tmp/agent-orchestrator-check/ \
+  --exclude-dir=.git --include='*.py' --include='*.toml' --include='*.md' --include='*.sh' --include='*.nix'
+```
+→ **zero hits**
+
+All specific hardcoding points flagged at orientation are confirmed gone:
+- `session_prefix` — required from config, errors hard if absent
+- `log_dir` — required from config, no path default
+- kickoff preamble — template file from `[loop].kickoff_template`, no built-in text
+- `handoff.repo` — config-driven under `[loop].handoff`
+- cwd fallbacks — none; `project_dir` in config
+- `on_complete.run` — generic task name from `[loop].on_complete`
+- opencode preamble — config field `preamble` (no path default)
+
+Break-it — missing session_prefix:
+```toml
+[defaults]
+log_dir = "/tmp/test"; backend = "demo"
+[backend.demo]
+bin = "echo test"; prompt_delivery = "exec"
+```
+`python3 agents.py status` → `ERROR: config error: [defaults].session_prefix is required` ✓
+
+---
+
+#### DoD-3 — selftest + status + help: PASS
+
+```
+python3 agents.py selftest
+```
+Output:
+```
+  PASS: footer_ui idle footer is idle
+  PASS: footer_ui active footer is active
+  PASS: limit banner + idle footer is not active
+```
+
+```
+python3 agents.py status --config agents.example.toml
+```
+Output (sane table):
+```
+  phase: demo1 [1/2]  plan=examples/PLAN-demo1.md  (in progress)
+  AGENT     KIND     BACKEND  MODEL    WATCH  STATE
+  builder   loop     demo     default  none   stopped
+  adversary loop     demo     default  none   stopped
+  watchdog  service  -        -        -      stopped
+```
+
+```
+python3 agents.py --help
+```
+→ Documents all verbs: up/down/status/watchdog/logs/phase/selftest/init + --config option ✓
+
+---
+
+#### DoD-4 — Smoke run: PASS
+
+```
+cd /tmp/agent-orchestrator-check && bash smoke.sh
+```
+Output:
+```
+== sanity: 'status' on the shipped example config ==
+== bring up isolated sandbox (ao-smoke-678978-) ==
+[agents 18:40:02] starting ao-smoke-678978-builder (demo, kind=loop, phase=smoke)
+[agents 18:40:02] starting ao-smoke-678978-adversary (demo, kind=loop, phase=smoke)
+  up: ao-smoke-678978-builder
+  up: ao-smoke-678978-adversary
+  kickoff assembled OK (template + role prompt)
+== tear down ==
+[agents 18:40:02] killing ao-smoke-678978-builder
+[agents 18:40:02] killing ao-smoke-678978-adversary
+  down: ao-smoke-678978-builder
+  down: ao-smoke-678978-adversary
+SMOKE PASS
+```
+
+Verified: isolated `session_prefix` (`ao-smoke-<PID>-`), throwaway tmpdir, no leftover sessions,
+kickoff template + role prompt assembled correctly.
+
+---
+
+#### DoD-5 — Nix present + works: PASS
+
+- `flake.nix` and `flake.lock` both committed ✓
+- `nix develop -c python3 -c 'import tomllib; print("tomllib OK")'` → `tomllib OK` ✓
+  (devShell banner: "Python 3.11.11, tmux 3.5a, git version 2.47.2")
+- `nix develop -c sh -c 'which tmux && tmux -V && which git && git --version'`:
+  - `/nix/store/…/tmux-3.5a/bin/tmux` — `tmux 3.5a` ✓
+  - `/nix/store/…/git-2.47.2/bin/git` — `git version 2.47.2` ✓
+
+---
+
+#### DoD-6 — README: PASS
+
+README covers all four required areas:
+- **Schema** — complete config reference: `[watchdog]`, `[defaults]`, `[backend.<name>]`,
+  `[[agent]]`, `[[service]]`, `[loop]` with all fields, types, and examples ✓
+- **Verbs** — "The driver: verbs" section lists all 8 verbs with args/description ✓
+- **AI-PO usage** — "Driving the harness from an AI project-orchestrator" dedicated section:
+  5-point contract (one config, isolation by prefix, state on disk, one-directional knowledge,
+  submodule pin), plus minimal project layout scaffold ✓
+- **`nix develop`** — "Nix" section with devShell usage and `nix develop`/`nix flake check`
+  commands documented ✓
+
+---
+
+### Summary
+
+All 6 DoD items PASS at 2026-06-13T18:41Z on commit `289ef07` (v0.1.0 tag).
+No findings. No veto. Phase aoeng is DONE.

machine-docs/REVIEW-aotest.md

@@ -0,0 +1,217 @@
+# REVIEW — phase aotest (Adversary log)
+
+**Phase plan:** `/srv/cc-ci/cc-ci-plan/plan-phase-aotest-verify.md`
+**Deliverable repo:** `recipe-maintainers/agent-orchestrator` on git.autonomic.zone
+
+---
+
+## Adversary orientation @2026-06-13T18:44Z
+
+**Mission:** Verify the agent-orchestrator harness runs a real project generically on BOTH
+claude and opencode backends, fully isolated, with a committed test suite.
+
+**DoD items to verify (from phase plan):**
+1. Unit tests PASS — run from clean /tmp checkout inside `nix develop`
+2. claude smoke test PASSES via the harness (isolated, cleaned up)
+3. opencode smoke test PASSES or SKIPs with clear, justified reason recorded here
+4. No leftover `aotest-*` tmux sessions or held ports after the run; live cc-ci sessions
+   (cc-ci-orchestrator/watchdog/assistant3) untouched
+5. Test suite + runner committed and documented in README
+
+**Key guardrails for my verification:**
+- Must use a non-`cc-ci-` session prefix (aotest-* is correct)
+- opencode port must ≠ 4096 (the live cc-ci port)
+- Do NOT touch live launch system: `/srv/cc-ci/cc-ci-plan/agents.py`, `agents.toml`,
+  `cc-ci-plan/state/`, or running tmux sessions
+- Verify from COLD START: fresh shell, /tmp checkout, no cached state
+
+**Repo state at orientation:** v0.1.0 (commit `289ef07`) — no tests/ dir present yet.
+Awaiting Builder to push the aotest deliverable.
+
+**Code orientation @2026-06-13T18:44Z (from clean /tmp/ao-adv-check clone):**
+
+Key functions the unit tests MUST exercise (from reading agents.py 929 lines):
+- `load_config`: session_prefix required → hard die; log_dir required → hard die; defaults merge;
+  project_dir resolution; agents inherit defaults; services inherit defaults
+- `build_loop_kickoff`: reads `[loop].kickoff_template`, fills `{phase_id}/{plan}/{status}/{role}`,
+  then appends `<roles_dir>/<role>.md`. No project text in code — must test slot substitution.
+- `phase_done`: reads `status_basename` from `handoff_repo(cfg)`, looks for `done_marker` line;
+  skips DONE_PLACEHOLDER_RE lines. Must test: file absent → False, no marker → False, marker present
+  → True, placeholder line → False.
+- `phase_advance_check`: auto-advance on DONE marker; idempotent when SEQUENCE-COMPLETE exists;
+  appending a phase clears SEQUENCE-COMPLETE marker and resumes.
+- `_parse_reset_epoch`: AM/PM handling (12pm=12:00, 12am=00:00), 24h format, invalid hour/minute
+  returns None, no match returns None. Takes the LAST match.
+- `_parse_waiting_until`: footer_ui branch uses last non-empty line only; non-footer scans whole
+  pane. ISO-8601 with Z suffix. Invalid format returns None.
+- `pane_active`: claude backend uses `active_re` match; opencode uses `footer_ui` branch (only
+  last line of 3 matters); limit banner + idle = not active (tested in selftest).
+
+**Live smoke isolation requirements (DoD verification):**
+- claude smoke: session prefix must be `aotest-` (NOT `cc-ci-`), isolated log dir under /tmp
+- opencode smoke: port must ≠ 4096 (live cc-ci port is 4096), own server, own prefix
+- Post-run: `tmux ls | grep aotest` → zero results; live sessions intact
+
+**Specific break-it checks I will run:**
+1. `tmux ls | grep aotest` before AND after — no leakage
+2. `ss -ltn | grep 4096` — opencode test must NOT use this port
+3. Check cc-ci sessions: cc-ci-orchestrator, cc-ci-watchdog, cc-ci-assistant3 still present
+4. Try to interrupt the live smoke mid-run (if isolatable) — cleanup still fires
+5. Unit test edge cases:
+   - load_config with missing session_prefix → expect die()
+   - load_config with missing log_dir → expect die()
+   - phase_done with ## DONE followed only by placeholder → expect False
+   - _parse_reset_epoch("resets Jun 16, 12pm") → 12:00 (NOT 24:00 which is invalid)
+   - _parse_reset_epoch("resets Jun 16, 12am") → 00:00 (not 12:00)
+   - _parse_waiting_until with footer_ui=True: only last non-empty line checked
+6. Confirm selftest (DoD-3 of aoeng) still passes after any test infrastructure changes
+
+---
+
+## Verdicts
+
+### ALL DoD items: PASS @2026-06-13T19:00Z
+
+Cold verification from clean `/tmp/ao-adv-check` clone (fresh git clone before pulling the
+Builder's STATUS — verdict formed independently). Commit verified: `cdcece9a9ac64b458103194025f2c22ba830ce15`.
+
+```
+rm -rf /tmp/ao-adv-check
+git clone https://...@git.autonomic.zone/recipe-maintainers/agent-orchestrator.git /tmp/ao-adv-check
+git -C /tmp/ao-adv-check rev-parse HEAD
+# → cdcece9a9ac64b458103194025f2c22ba830ce15  ✓ matches claimed commit
+```
+
+---
+
+#### DoD-1 — Unit tests PASS (clean /tmp, nix develop): PASS
+
+```
+cd /tmp/ao-adv-check && nix develop -c python3 -m unittest discover -s tests -p 'test_*.py' -v
+```
+
+```
+Ran 51 tests in 0.062s
+OK
+```
+
+51 tests, rc=0. Coverage confirmed:
+- `TestConfigLoad` (12 tests): session_prefix required die, log_dir required die, defaults merge,
+  explicit session override, per-agent override wins, relative/absolute dir resolution, log_dir
+  resolved, state_dir created, service session named, backend_of resolves, backend_of unknown dies,
+  env AGENT_MODEL override single-invocation
+- `TestExampleConfig` (1 test): shipped `agents.example.toml` loads with expected shape
+- `TestKickoff` (5 tests): slot fill ({phase_id}/{plan}/{status}/{role}), correct role prompt
+  appended, no unrendered slots, agent_prompt dispatches correctly, role_model phase override
+- `TestPhaseMachine` (8 tests): phase_done detects marker, rejects placeholder, false when no
+  marker, false when file missing; cur_idx reads state file; advance on DONE; sequence-complete
+  idempotent (no re-stop on 2nd call); append-phase clears SEQUENCE-COMPLETE and resumes;
+  custom done_marker respected
+- `TestLimitParsing` (8 tests): PM, AM+minutes, 12am=midnight, invalid hour=None, no match=None,
+  picks last match, unparsable fallback, within-6h window uses banner, >6h falls back
+- `TestWaitingUntil` (5 tests): non-footer finds marker anywhere, non-footer None without marker,
+  footer ignores marker not in last line, footer honors marker as last line, bad timestamp=None
+- `TestActivityDetection` (8 tests): claude active_re (esc to interrupt, Running tool, spinner),
+  claude idle not active; opencode active footer, idle footer, active-only-at-top ignored,
+  log_grace fallback via mtime
+
+---
+
+#### DoD-2 — claude smoke PASSES via harness: PASS
+
+```
+cd /tmp/ao-adv-check && nix develop -c bash tests/smoke_claude.sh
+```
+
+```
+=== claude backend smoke (isolated: prefix=aotest-c-681472-) ===
+[agents] starting aotest-c-681472-probe (claude, kind=persistent, model=claude-haiku-4-5)
+  PASS: session aotest-c-681472-probe created via agents.py (pane command: claude)
+  PASS: claude TUI attached + alive (driven entirely by agents.py)
+  PASS: agents.py status reports probe RUNNING
+  PASS: agents.py down cleanly removed the session
+=== CLAUDE BACKEND SMOKE: PASS ===
+```
+
+Confirmed: isolated prefix `aotest-c-<pid>-` (not cc-ci-), temp sandbox log_dir, pane command
+is `claude` (TUI alive), status RUNNING, down cleans up. Cleanup trap on EXIT/INT/TERM.
+
+---
+
+#### DoD-3 — opencode smoke PASSES via harness (dedicated port ≠ 4096): PASS
+
+```
+cd /tmp/ao-adv-check && nix develop -c bash tests/smoke_opencode.sh
+```
+
+```
+=== opencode backend smoke (isolated: prefix=aotest-o-681566- port=4097) ===
+  PASS: dedicated opencode server listening on :4097
+[agents] starting aotest-o-681566-probe (opencode, kind=persistent, model=default)
+  PASS: session aotest-o-681566-probe created via agents.py (pane command: opencode)
+  PASS: opencode TUI attached + alive (driven entirely by agents.py)
+  PASS: agents.py status reports probe RUNNING
+  PASS: agents.py down cleanly removed the session
+=== OPENCODE BACKEND SMOKE: PASS ===
+```
+
+Confirmed: dedicated server on `:4097` (script has hardcoded guard refusing `4096`); isolated
+prefix `aotest-o-<pid>-`; TUI attached; cleanup kills server AND does `pkill -f "opencode serve.*--port ${PORT}"` + waits for port to free.
+
+---
+
+#### DoD-4 — No leftover aotest-* sessions or ports; cc-ci sessions intact: PASS
+
+Post-run isolation check (after full suite via run.sh):
+
+```
+tmux ls | grep '^aotest-'
+# → (no output)  ✓
+
+ss -ltn | grep ':4097 '
+# → (no output)  ✓
+
+tmux ls | grep -E 'cc-ci-orchestrator|cc-ci-watchdog|cc-ci-assistant3'
+# → cc-ci-assistant3, cc-ci-orchestrator, cc-ci-watchdog  ✓
+```
+
+run.sh isolation sanity block output:
+```
+>>> ISOLATION SANITY
+  PASS: no leftover aotest-* tmux sessions
+  info: live cc-ci sessions present: cc-ci-orchestrator cc-ci-watchdog cc-ci-assistant3
+```
+
+---
+
+#### DoD-5 — Test suite + runner committed and documented: PASS
+
+Files at commit `cdcece9`:
+- `tests/test_unit.py` — 51-test stdlib unittest suite ✓
+- `tests/smoke_claude.sh` — isolated live claude smoke ✓
+- `tests/smoke_opencode.sh` — isolated live opencode smoke ✓
+- `tests/run.sh` — runner: unit always, live smokes when available, isolation sanity ✓
+
+README `## Testing` section (lines ~321–351):
+- Documents `nix develop -c ./tests/run.sh` as the canonical invocation ✓
+- Explains what each layer covers (unit vs live vs isolation) ✓
+- Documents skip conditions (backend bin/creds absent) ✓
+- Documents useful env vars (CLAUDE_BIN, AOTEST_MODEL, AOTEST_OC_PORT, AOTEST_OC_CREDS) ✓
+- Notes safety by construction (non-cc-ci prefix, non-4096 port, cleanup trap) ✓
+
+---
+
+### Full suite summary (run.sh output)
+
+```
+SUMMARY:  unit=PASS  claude=PASS  opencode=PASS  isolation=PASS
+ALL RUN TESTS PASSED (skips are OK)
+```
+
+rc=0. Verified at commit `cdcece9`, clean /tmp clone, nix develop (Python 3.11.11, tmux 3.5a).
+
+---
+
+### No findings. No veto. Phase aotest is DONE.
+
+All 5 DoD items PASS at 2026-06-13T19:00Z on commit `cdcece9`.

machine-docs/REVIEW-bsky.md

@@ -0,0 +1,238 @@
+# REVIEW-bsky.md — Adversary verdicts for the `bsky` sub-phase
+
+Phase SSOT: `/srv/cc-ci/cc-ci-plan/plan-phase-bsky-fix.md`.
+Gates: **M1** (root cause + green fix PR), **M2** (operator handoff complete → `## DONE`).
+This file is append-only; the Builder reads it, never writes it.
+
+---
+
+## Baseline recon @2026-06-11 (cold, pre-claim — NOT a verdict)
+
+Established independently from the live recipe checkout on cc-ci
+(`~/.abra/recipes/bluesky-pds`, HEAD `b2d86ef`, tag `0.2.0+v0.4-4-gb2d86ef`) so I am
+ready to verify the Builder's root-cause claim without anchoring:
+
+- `compose.yml`: app `image: ghcr.io/bluesky-social/pds:0.4` — a **moving minor tag**.
+  Version label `coop-cloud.${STACK_NAME}.version=0.2.0+v0.4`.
+- Recipe **overrides the image entrypoint** via `entrypoint.sh.tmpl` (mounted as a config
+  at `/entrypoint.sh`, `entrypoint: dumb-init --`, `command: /entrypoint.sh`). That script
+  ends with `exec node --enable-source-maps index.js` — a **relative** `index.js`, resolved
+  against the image's WORKDIR.
+- Known symptom (rcust/shot evidence, DEFERRED.md): app crash-loops
+  `Cannot find module '/app/index.js'` (MODULE_NOT_FOUND) under Node v24.15.0. Consistent
+  with: image WORKDIR `/app`, but `index.js` no longer present there → upstream
+  restructured/rebuilt whatever `:0.4` now resolves to.
+
+Verification angles I will hold the Builder's M1/M2 to (per phase plan §3 gates):
+1. Root-cause evidence reproduces — I independently inspect the live image
+   (`docker run --entrypoint sh ... -c 'ls; node --version'` / crane/skopeo) and confirm
+   `index.js` is absent from the assumed WORKDIR at the OLD pin, and present/working at the
+   NEW pin.
+2. The fix is in the **recipe mirror PR**, not the harness; diff minimal + each line
+   justified against upstream bluesky-social/pds changelog; version label bumped per recipe
+   convention; **no test/gate weakening** anywhere in cc-ci.
+3. The green run is genuinely the **PR head via the drone `!testme` path** (not a local
+   hand-run) — full lifecycle incl. lint, level recorded under de-capped semantics.
+4. Screenshot real + credential-free (I Read the PNG myself); never shows generated creds.
+5. DEFERRED entries closed with pointers; operator handoff in STATUS-bsky.md.
+
+No gate CLAIMED yet — awaiting Builder's first `claim(...)` on a bsky gate.
+
+## Pre-claim recon update @2026-06-11T11:45Z (cold image probe — NOT a verdict)
+
+Independently reproduced BOTH halves of the root cause via `docker run` on cc-ci:
+- `ghcr.io/bluesky-social/pds:0.4` (current moving tag, digest …2324702f): **Node v24.15.0**,
+  WORKDIR `/app`, ships **`index.ts`** only — no `index.js`. The recipe's entrypoint
+  `exec node --enable-source-maps index.js` therefore fails with exactly
+  `Cannot find module '/app/index.js'`. Symptom reproduced. ✔
+- `ghcr.io/bluesky-social/pds:0.4.219` (Builder's proposed pin): **Node v20.20.2**,
+  WORKDIR `/app`, ships **`index.js`** (`package.json` `main: index.js`). The recipe's
+  existing entrypoint resolves the file → addresses the crash at the image level. ✔
+
+Open scrutiny points I will hold the M1 claim to (NOT yet judged — no gate CLAIMED):
+- **§2.2 upgrade-preference:** `0.4.219` is the latest patch of the *previous* 0.4 line,
+  not an upgrade to current stable (`:0.4` now = 0.5.1). The plan prefers upgrading unless
+  research justifies otherwise. Need: a genuine DECISIONS.md justification (e.g. 0.5.x
+  moved to a TS entrypoint requiring an entrypoint rewrite / larger blast radius) — I'll
+  read it only AFTER my own verdict, and check it against upstream changelog.
+- Pin should be exact/immutable (0.4.219 looks like a full patch tag — verify it's not
+  itself moving; digest-pin would be strongest).
+- Fix must land on the recipe MIRROR PR and be proven green via the drone `!testme` path
+  at PR head — not a local hand-run; no cc-ci harness/gate weakening.
+
+Still no gate CLAIMED (STATUS-bsky: "none claimed yet — working M1"). Idling for the claim.
+
+## Pre-claim recon @2026-06-11T11:55Z — EXPECTED_NA['upgrade'] premise (cold, NOT a verdict)
+
+Builder added a harness change: `EXPECTED_NA['upgrade']` suppresses the upgrade-tier base
+deploy for bluesky-pds ("no deployable base"). I independently checked the premise on the
+live recipe checkout:
+- Published recipe tags: ONLY `0.1.1+v0.4` and `0.2.0+v0.4`. **Both** pin
+  `ghcr.io/bluesky-social/pds:0.4` (the moving tag that now resolves to the broken
+  0.5.1/index.ts image). So every published base would crash identically → there is no
+  deployable previous published version. Premise holds. ✔
+- Logic: the PR fix (pin 0.4.219) is the FIRST deployable published version; before it,
+  NO published version deploys, so a "previous published → PR" upgrade path cannot exist.
+  Genuinely N/A, not a dodge. (Post-merge, future PRs WILL have a deployable base → tier
+  re-activates; operator handoff should note this.)
+
+STILL must hard-verify when M1 is CLAIMED (do NOT pre-judge):
+- The NA is **scoped to bluesky-pds only** (per-recipe EXPECTED_NA declaration, not a
+  global loosening of the upgrade tier for all recipes) — read the diff.
+- install / backup-restore / functional / lint tiers are NOT suppressed.
+- N/A recorded honestly with reason and handled correctly under de-capped level semantics
+  (doesn't silently inflate the level nor falsely block); the 6 new upgrade_base() unit
+  tests actually have teeth.
+- §9 alternative ("deploy base minimally via overlay, then upgrade to latest") is correctly
+  rejected here: latest-deployable == PR head == 0.4.219, so there's no version delta to
+  test and an overlay base would be synthetic — N/A is the honest call, not the overlay.
+
+---
+
+## M1 — PASS @2026-06-11T12:30Z  (root cause + green fix PR + screenshot)
+
+Verdict formed COLD from my own clone + live cc-ci probes, BEFORE reading JOURNAL.md
+(anti-anchoring respected). Sources: phase plan §3 (SSOT), the code/git history, the
+verification info in STATUS-bsky.md, and my own re-runs below. Every M1 acceptance item
+independently reproduced.
+
+### 1. Root cause reproduces ✔
+Cold `docker run` on cc-ci of both images:
+- `ghcr.io/bluesky-social/pds:0.4` (current, digest …2324702f/871194d2): `@atproto/pds`
+  **0.5.1**, **Node v24.15.0**, `/app/index.ts` — **NO index.js**. The recipe's
+  entrypoint `exec node --enable-source-maps index.js` ⇒ `Cannot find module
+  '/app/index.js'`. Symptom reproduced exactly.
+- `:0.4.219` (the fix pin): `@atproto/pds` **0.4.219**, **Node v20.20.2**, `/app/index.js`
+  present (`package.json main:index.js`) ⇒ entrypoint resolves. Fix sound at image level.
+- Upstream registry `cc-ci-plan/upstream/bluesky-pds.md` matches my probes (moving `:0.4`
+  tracks main; 0.4.x keeps classic layout; env interface stable across 0.4.x → no
+  migration). `:0.4` is demonstrably a MOVING tag upstream republished.
+
+### 2. PR #2 minimal + justified, unmerged ✔
+Gitea API: PR #2 **open, merged=false, mergeable=true**; base main b2d86ef, head
+**f7b6c8df** (branch upgrade-0.3.0+v0.4.219). Diff = **1 file, +2 −2** on compose.yml only:
+image `:0.4`→`:0.4.219`, version label `0.2.0+v0.4`→`0.3.0+v0.4.219`. No
+test/harness/recipe-test weakening in the PR. `:0.4.219` is an **exact** (non-moving)
+version tag — newest 0.4.x exact tag preserving the recipe's `index.js` layout, so §2.2's
+"exact-version tag … unless research justifies otherwise" is met (0.5.x restructured to a TS
+entrypoint requiring a recipe entrypoint rewrite — the same-series re-pin is the minimal
+correct fix). NOTE (not a finding): pursuing the 0.5.x upgrade later is a reasonable
+operator follow-up; the re-pin is the right minimal fix now.
+
+### 3. Green run 427 via the GENUINE drone !testme path, at PR head ✔
+- PR #2 comment **14342** `!testme` → bridge swarm log (ccci-bridge_app):
+  `[poll] triggered build 427 for bluesky-pds@f7b6c8df (PR #2, comment 14342) by
+  autonomic-bot` → `reflected outcome build 427 (bluesky-pds PR #2): success` → PR comment
+  **14343** "✅ passed @ f7b6c8df". Real poll→drone→reflect, not a hand-run.
+- run-427 recipe checkout = PR head `f7b6c8d "chore: upgrade to 0.3.0+v0.4.219"`,
+  compose.yml line 6 image=`:0.4.219`, version label `0.3.0+v0.4.219`.
+- `results.json`: **level=5**, ref=f7b6c8dfb81c, pr=2; rungs
+  install/backup_restore/functional/lint=**pass**, upgrade=**skip**;
+  `skips.intentional.upgrade`=declared reason, `skips.unintentional`=[];
+  flags clean_teardown+no_secret_leak=true; schema=2.
+
+### 4. No gate weakening (the EXPECTED_NA['upgrade'] harness change) ✔
+- Premise true (cold): BOTH published recipe tags (0.1.1+v0.4, 0.2.0+v0.4) pin the broken
+  moving `:0.4` ⇒ no deployable upgrade base. Genuine structural N/A, not a dodge.
+- `upgrade_base()` (e9745c8) returns None only when `upgrade ∈ EXPECTED_NA`, declared
+  **per-recipe** in `tests/bluesky-pds/recipe_meta.py`. NOT a global loosening — unit test
+  `test_expected_na_other_rung_does_not_suppress` proves a DIFFERENT-rung EXPECTED_NA does
+  not suppress the upgrade base. The tier records `"skip"`, never `"pass"`.
+- **Negative control run 423** (same PR head, pre-EXPECTED_NA): base 0.1.1+v0.4 deploy →
+  **install=fail** → level **0**. Proves the harness has TEETH: it goes red when a base IS
+  attempted against the broken tag; 427's level 5 is solely the legitimate base-suppression,
+  not a masked failure. A synthetic overlay base (0.4.219→0.4.219, zero delta) would be a
+  meaningless green — N/A-skip is the honest call.
+- Level math (`compute_level`, pure): install=pass(1) · upgrade=skip(climbs) ·
+  backup_restore=pass(3) · functional=pass(4) · lint=pass(5) ⇒ **5**. Consistent with the
+  lvl5 de-cap semantics (skip climbs; only fail/unver block).
+- Unit tests COLD on cc-ci (fresh clone HEAD cba53b6): **253 passed** (6 new in
+  test_upgrade_base.py, with teeth). Repo lint COLD: `lint: PASS` (exit 0).
+
+### 5. Screenshot — real + credential-free ✔
+Published `…/runs/427/screenshot.png` (HTTP 200, 29274 B) is **sha256-identical** to the
+on-disk capture. I Read the PNG: the genuine PDS landing page — Bluesky ASCII butterfly,
+"This is an AT Protocol Personal Data Server (aka, an atproto PDS)", "/xrpc/" pointer,
+Code/Self-Host/Protocol links. **No credentials** (no admin password / invite / secret).
+Default capture suffices — no SCREENSHOT hook needed.
+
+### 6. No secret leak ✔
+Independent scan of published artifacts (results.json, summary.html, lint.txt, junit) for
+the PDS-generated secrets (admin password / jwt / plc rotation key) and high-entropy
+strings: the ONLY matches are recipe SOURCE secret-NAME references (`- pds_jwt_secret`
+etc.) and one abra lint WARN naming `pds_admin_password` (length policy) — no secret VALUE
+exposed. Only high-entropy token = the 40-char commit SHA. clean_teardown confirmed (no
+swarm secret/stack residue for the run).
+
+**M1 PASS. No VETO.** Builder cleared to proceed to M2 (operator handoff). M2 will get a
+fresh cold pass: independent re-trigger/confirm green at PR head, PNG re-Read, level/baseline
+reconciliation, DEFERRED entries closed with pointers, and the operator summary checked —
+plus I will then consult JOURNAL/DECISIONS to contextualise (noting it there).
+
+---
+
+## M2 — PASS @2026-06-11T15:48Z  (operator handoff complete)
+
+Fresh Adversary cold pass. Verdict formed from the plan (§3 M2 SSOT), the code/deliverables,
+the STATUS-bsky verification info, and my OWN independent re-trigger — BEFORE reading
+JOURNAL.md (anti-anchoring respected; I may consult it after, noting so).
+
+### 1. Green at PR head — independently RE-TRIGGERED ✔ (the decisive proof)
+I posted `!testme` on PR #2 myself (comment **14344**, 15:46:21Z). Bridge:
+`[poll] triggered build 435 for bluesky-pds@f7b6c8df (PR #2, comment 14344) by
+autonomic-bot`. Fresh **build 435** results.json: **level=5**, ref=f7b6c8dfb81c (PR head),
+pr=2; rungs install/backup_restore/functional/lint=**pass**, upgrade=**skip**
+(skips.intentional.upgrade=declared reason, skips.unintentional=[]); clean_teardown +
+no_secret_leak=true. Recipe checkout = PR head `f7b6c8d`, image `:0.4.219`. Identical rung
+profile to run 427 → reproducibly green, not a one-off.
+- **Real stages, not a no-op:** junit shows install/backup(generic+cc-ci)/restore
+  (generic+cc-ci) and FOUR live functional tests — `test_health_check`,
+  `test_describe_server`, `test_session_auth`, `test_account_and_post`. A no-op could not
+  pass account-creation/post/session-auth against a live PDS. (Wall-clock ~70s is plausible:
+  lightweight 2-service recipe, image cached on host.)
+
+### 2. PNG independently Read ✔
+Fresh build 435 screenshot.png sha256 == run 427's (bdb71d3e…) == the image I Read at M1:
+genuine PDS landing page (Bluesky ASCII butterfly, "AT Protocol Personal Data Server",
+/xrpc/ pointer, upstream links), **no credentials**. Deterministic, real.
+
+### 3. Level under new semantics + baseline reconciled ✔
+level=5 under the de-capped ladder (upgrade=skip climbs; only fail/unver block). Old Phase-2
+baseline ("full lifecycle green", e45e0ee, pre-results era) is genuinely unreproducible —
+the moving-tag republish broke ALL published recipe versions; the PR restores deployability.
+Reconciliation recorded in the DEFERRED closure + the M2 claim. Independently corroborated:
+**0.5.x has NO release tag** (upstream git: 0 `0.5.x` tags, highest v0.4.219 + anomalous
+v0.4.5001; ghcr `0.5.0/0.5.1/v0.5.1` all absent) — so an exact-version pin REQUIRES 0.4.x.
+This fully resolves the §2.2 "prefer upgrade" scrutiny: re-pinning to 0.4.219 (newest exact)
+is not "old over new" — there is no exact 0.5.x tag to upgrade to; 0.5.x lives only on the
+moving tag the recipe must never pin. Justified.
+
+### 4. DEFERRED entries closed with pointers ✔
+machine-docs/DEFERRED.md: ✅ RESOLVED @2026-06-11 (phase bsky). Explicitly closes BOTH the
+re-pin follow-up AND the rcust M2 baseline-exclusion note, with pointers to PR #2 / run 427 /
+negative control 423 / upstream registry / DECISIONS. Original entry preserved (append-only).
+
+### 5. Operator summary ✔
+STATUS-bsky "Operator summary": crisp + complete — what was wrong (moving tag → index.ts vs
+recipe's index.js; broke both published versions), what the PR changes (2-line re-pin
+0.4.219 + label bump; why not 0.5.1 = no release tag + entrypoint migration), and a 5-step
+post-merge runbook (merge → publish version → drop EXPECTED_NA + set
+UPGRADE_BASE_VERSION="0.3.0+v0.4.219" → no canonical to reseed → never re-pin :0.4).
+Corroborated: ci-warm has NO bluesky entry (only custom-html/keycloak/traefik) → "nothing to
+reseed" is true.
+
+### 6. PR left OPEN ✔
+PR #2 head f7b6c8df, state=open, merged=**false** (re-confirmed at re-trigger). The phase is
+done WITH the PR open — merging is the operator's, post-merge reseeding documented not done.
+
+**M2 PASS. No VETO.** Both M1 (@369f4f4) and M2 are fresh Adversary PASSes; no gate
+weakening, no secret leak, screenshot real, PR unmerged. The Builder is cleared to write
+`## DONE` to STATUS-bsky.md. (Post-verdict I will consult JOURNAL/DECISIONS only to
+contextualise — it does not change this verdict.)
+
+### Post-verdict consult (does NOT change the verdict)
+Read DECISIONS.md bsky entries after writing M2 PASS. Fully consistent: pin-choice entry
+REJECTS 0.5.1 (no release tag + index.ts migration) AND digest-suffix pinning (abra
+survey/upgrade tooling chokes on `tag@digest`) → exact-version tag 0.4.219 chosen (satisfies
+plan §2.2 "digest-pinned OR exact-version tag"). EXPECTED_NA entry matches the harness
+behaviour I verified. No contradiction, no new finding.

machine-docs/REVIEW-canon.md

@@ -0,0 +1,637 @@
+# REVIEW-canon — Adversary verdicts for the `canon` (canonical-sweep) phase
+
+SSOT for what is being verified: `/srv/cc-ci/cc-ci-plan/plan-phase-canon-canonical-sweep.md`.
+Gates: **M1** (machinery works locally, each piece proven) and **M2** (proven end-to-end in real CI),
+plus the operator-required **samever-orthogonality** proof. `## DONE` only after fresh PASS on both.
+
+---
+
+## Orientation @ 2026-06-17T06:18Z — Adversary online for canon phase; no gate claimed yet
+
+Prior phase `samever` is DONE + Adversary-verified (M1 1310a95, M2 199f5b6, no VETO). The `canon`
+phase has **not** been bootstrapped by the Builder yet: no STATUS-canon.md / BACKLOG-canon.md, no
+`claim(`/`status(canon` commits, no inbox. I am idling per liveness protocol and will verify promptly
+when M1 is CLAIMED (watchdog will ping on the claim).
+
+### Independent COLD baseline of the claimed starting state (§1) — captured before any canon work
+
+Verified from my own clone + a cold `ssh cc-ci`, NOT from the Builder:
+
+- **Enrollment:** exactly **one** recipe sets `WARM_CANONICAL = True` → `custom-html`. (`grep -rl
+  'WARM_CANONICAL *= *True' tests/*/recipe_meta.py` → 1 hit.) Matches §1 "only custom-html enrolled".
+- **canonical.json records on cc-ci:** exactly **one**, for `custom-html`:
+  `/var/lib/ci-warm/custom-html/canonical.json` =
+  `{recipe: custom-html, version: 1.13.0+1.31.1, commit: 2b82ebabde74a9d9b1fd4cb49722a7037b18a176,
+  status: idle, ts: 20260617T050314Z}`, retained volume `warm-custom-html_..._content` present.
+  - **NOTE — plan §1 is now slightly stale.** The plan (authored 04:43Z) says "ZERO canonical.json
+    records exist." That was true at authoring, but the just-completed **samever M2** e2e
+    (custom-html two-run) wrote this record at **05:03:14Z**. So there is now exactly one canonical,
+    produced by samever's promote path. This is *favorable* evidence for canon M1(A) — the promote
+    path already demonstrably writes a real, reusable record + retains the volume for custom-html —
+    but the Builder must NOT cite custom-html's pre-existing canonical as proof of canon's *new*
+    work (tagged-gate, trigger, all-enrolled, mirror-sync). I will require fresh, canon-attributable
+    evidence for each M1/M2 sub-claim.
+- **Timer:** `nightly-sweep.timer` enabled+active, daily `OnCalendar` (NEXT 2026-06-18 03:00:24 UTC),
+  last fired 2026-06-17 03:09:20 UTC exit 0. So the timer plumbing works; the job was a near-no-op
+  (only custom-html enrolled). Phase must (F) move this to **weekly** and (M2) prove a real fire
+  advances canonicals, not exit-0 on an empty set.
+
+### What I will adversarially probe when claimed (from the plan, not the Builder's narrative)
+- M1(A): a canon-attributable green cold run writes canonical.json AND `--quick` warm-reattach reuses
+  it; promote now ALSO requires a **release tag** — feed an UNTAGGED state, confirm NO promote.
+- M1(C): mirror-sync is *faithful upstream sync only* — never pushes our changes to mirror `main`,
+  never disturbs unrelated PRs. Will diff before/after on a mirror.
+- M1(D): trigger keyed on **latest release tag vs canonical version**, NOT commit — new untagged
+  commits on `main` with same tag ⇒ SKIP; newer tag ⇒ run cold on that tag.
+- M1(B): all ~21 recipes enrolled; warm-volume disk budget recorded (not silently dropped).
+- M2: full sweep promotes greens / leaves reds intact / skips unchanged; **run-twice ⇒ skip-all**
+  determinism; real (non-hollow) timer fire; tagged-promote proof (untagged green ⇒ no promote).
+- samever orthogonality: (a) no-new-tag ⇒ SKIPPED; (b) new-tag ⇒ canonical(older)→new, real delta,
+  promote; step-back NEVER fires in the sweep. Construct scenarios if the live set doesn't cover both.
+- §2.G: if plausible's canonical lands at 3.0.1, `UPGRADE_BASE_VERSION` retired cleanly (key +
+  resolver branch + docs + tests) AND plausible still resolves base 3.0.1 dynamically + passes — else
+  kept with a recorded DECISIONS reason. Will re-derive, not trust.
+- Guardrail: NO AI at runtime (pure script + timer).
+
+## Pre-claim code read @ 2026-06-17T06:41Z — M1 still IN PROGRESS (M1.2 not yet committed)
+
+Builder has landed 4 of 5 M1 items (27e0628 M1.1, 136100f M1.3, f8c0e53 M1.4+M1.5). M1.2 (the
+release-tag trigger `sweep_decision` + mirror-sync wiring into `nightly_sweep.sweep()`) is **not yet
+committed** — M1 is correctly not-yet-claimed. Read the landed code (NOT JOURNAL); points to scrutinize
+when claimed:
+- **M1.1 (27e0628):** `should_promote_canonical` gained `tagged` param; caller computes
+  `tagged = warm_reconcile.is_released_version(recipe, head_version)`. ⚠️ PROBE: the gate checks
+  `head_version` (code under test) but `promote_canonical` records `latest_version(recipe_tags(recipe))`
+  (newest tag). Confirm these can't diverge — e.g. a manual latest run where `main` sits on a tagged
+  commit OLDER than `latest` tag would gate on the older tag yet promote the newer. In the sweep path
+  (D) the tag is checked out so head==tag; verify the manual/`RECIPE=<r>` path too.
+- **M1.4 (f8c0e53):** root cause = sweep service ran the nix-STORE runner copy (no `tests/`) so
+  `TESTS_DIR` missing → `enrolled_recipes()=[]`. Fix sets `CCCI_REPO=/etc/cc-ci` + `cd` + execs
+  `$CCCI_REPO/runner/nightly_sweep.py`. ⚠️ PROBE at M2: confirm `/etc/cc-ci` actually exists on cc-ci,
+  has runner/ AND tests/, and is git-pulled before nixos-rebuild (else still hollow). The fix also
+  means sweep-logic ships via checkout pull, NOT a store rebuild — verify deploy procedure pulls it.
+- **M1.5 (f8c0e53):** `OnCalendar` daily → `Sun *-*-* 03:00:00`, Persistent kept. Trivial; verify the
+  deployed timer shows the weekly schedule after M2.1 nixos-rebuild.
+- **M1.3 (136100f):** enroll all 21 — verify the count is exactly the `used-recipes.md` set and that
+  fixtures (custom-html-*-bad, concurrency, regression) were NOT enrolled.
+- **Still owed for M1 claim:** M1.2 `sweep_decision(recipe, latest_tag, canon_version)` →
+  run|skip:no-new-version|skip:never-released keyed on `version_key` NOT commit; mirror-sync via
+  `open-recipe-pr.sh --reconcile-only` (faithful, vendored); cold-run ON THE TAG. Unit tests for all.
+
+---
+
+## M1: PASS @ 2026-06-17T07:12Z — machinery cold-verified (claim 626badd, code @ d4cc9e4)
+
+Verified from a COLD start: my own clone for code/pure-logic, a fresh independent clone on cc-ci
+(`/tmp/adv-canon` @ 626badd) for the unit suite, and a cold `ssh cc-ci` for live state. I did NOT
+read JOURNAL-canon.md before forming this verdict. Every M1 sub-claim re-derived against the plan,
+not the Builder's narrative.
+
+**M1.1 tagged-promote gate (§2.A) — PASS.**
+- Code: `should_promote_canonical` returns `is_enrolled and overall==0 and not quick and not ref and
+  tagged`; caller computes `tagged = is_released_version(recipe, head_version)`; `promote_canonical`
+  now records the TESTED `head_version` (commit d4cc9e4), not a re-derived `latest_version`. My prior
+  PROBE (head_version-vs-latest_version divergence on a manual `RECIPE=<r>` run) is CLOSED by d4cc9e4
+  — read the diff, it promotes exactly the tested version.
+- Unit: ran `tests/unit/test_promote.py` myself in the fresh cc-ci clone — all 6 pass, each gate
+  clause individually exercised (`test_no_promote_when_untagged` asserts `tagged=False → False`;
+  all-conditions asserts `tagged=True → True`). Not hollow.
+- Live PROMOTE: re-derived `git rev-list -n1 1.13.0+1.31.1` = `df2e27339f983a25da548fc8b8d56e9af8645f83`
+  and `/var/lib/ci-warm/custom-html/canonical.json` records EXACTLY that commit + version
+  `1.13.0+1.31.1`, status idle, retained volume `warm-custom-html_..._content` present. So the promote
+  recorded the tag's own commit (correcting samever's earlier `2b82eba` merge-commit record) — the
+  divergence fix is live-proven, not just unit-tested.
+- Live UNTAGGED → NO PROMOTE: independently confirmed `1.13.1+1.31.1` is `NOT-A-TAG` in the custom-html
+  clone → `is_released_version` returns False → gate blocks. canonical.json is unchanged (still
+  df2e273). The full live tagged-vs-untagged e2e is M2.4; at M1 the code + unit + live-not-a-tag +
+  unchanged-canonical chain is sufficient.
+
+**M1.2 release-tag trigger + faithful mirror-sync (§2.C/§2.D) — PASS.**
+- `sweep_decision` re-derived directly (no pytest) — truth table exactly right and VERSION-keyed, not
+  commit-keyed: new>canon→run; equal→skip no-new-version; older→skip; no tag→skip never-released; no
+  canon→run(seed). The function takes only (latest_tag, canon_version) — it CANNOT see commits, so new
+  untagged commits on `main` can never trigger a run. That IS the operator's refinement.
+- `scripts/recipe-mirror-sync.sh` read in full: pins an explicit coopcloud `upstream` remote, force-
+  syncs mirror `main := upstream/main` + all tags, pushes NOTHING of our own. PR close is gated on
+  `git merge-tree --write-tree NEW_MAIN_SHA <pr-head>` == upstream `MAIN_TREE` (i.e. the PR's merge is
+  a no-op because it's already in upstream) → close; otherwise "left as-is". Faithful, never merges,
+  never disturbs unrelated PRs.
+- `nightly_sweep.sweep()` wiring read: per enrolled recipe `mirror_sync → fetch_recipe →
+  sweep_decision → run_on_tag` (checkout the release tag + `CCCI_SKIP_FETCH=1` so head IS the tag →
+  tagged-gate passes; REF popped → cold → promote allowed). Pure script.
+
+**M1.3 all recipes enrolled (§2.B) — PASS.** My `grep -rl 'WARM_CANONICAL = True'` set is EXACTLY the
+21 `used-recipes.md` rows (incl. `uptime-kuma`, the lone `external` row — correctly enrolled for
+CI/canonical even though excluded from weekly upgrade). Fixtures (`custom-html-*-bad`, `concurrency`,
+`regression`) NOT enrolled.
+
+**M1.4 hollow-sweep fix — PASS (code; live is M2.1).** `nix/modules/nightly-sweep.nix` exports
+`CCCI_REPO=/etc/cc-ci`, `cd`s there, and execs `$CCCI_REPO/runner/nightly_sweep.py` — the checkout WITH
+`tests/`, replacing the store copy whose missing `tests/` caused `enrolled_recipes()=[]`. Root cause
+correctly addressed in code. ⚠️ CARRIED TO M2: `/etc/cc-ci` is currently STALE — `git -C /etc/cc-ci`
+HEAD is `e60415d` (Phase-3 era), canon code NOT yet there. M2.1 deploy MUST `git -C /etc/cc-ci pull`
+before `nixos-rebuild`, else the deployed timer stays hollow. I will verify the pull + a real fire at
+M2.5.
+
+**M1.5 weekly timer (§2.F) — PASS (code).** `OnCalendar = "Sun *-*-* 03:00:00"`, `Persistent = true`.
+Deployed-timer schedule verified at M2.
+
+**Guardrail NO-AI-at-runtime — PASS.** grep of `nightly_sweep.py` / `warm_reconcile.py` /
+`recipe-mirror-sync.sh` for anthropic|claude|openai|llm|gpt|ai_ → only one code COMMENT match, zero
+calls. Pure script + systemd timer.
+
+**Full unit suite — PASS.** Ran `cc-ci-run -m pytest tests/unit/` in the fresh independent cc-ci clone
+@ 626badd → **295 passed in 5.60s**, matching the claim. Enrolling 21 recipes broke nothing.
+
+**Minor narrative note (not a defect):** the claim cites proof-A ts `065027Z` but live canonical ts is
+`065532Z`; promoting the same tag again yields the same version+commit (only ts moves), so this is a
+benign re-run, not a divergence — the recorded version/commit are correct either way.
+
+**Verdict: M1 PASS.** No VETO. All M1 DoD items cold-verified; the deployed-state items (M1.4 live,
+M1.5 timer schedule) are honestly scoped by the Builder to M2 and I will hold them there. (Consulted
+JOURNAL-canon.md only AFTER writing this verdict: no surprises — confirms the proof-A/C sequence.)
+
+---
+
+## Pre-claim observation @ 2026-06-17T07:23Z — M2.1 deploy verified live (NOT a gate verdict)
+
+Builder inbox: M1 PASS consumed; M2.1 deploy done; M2.2 full sweep started (long, serial, hours).
+M2 NOT yet claimed — no formal verdict here, just an opportunistic READ-ONLY check that resolves my
+two carried-to-M2 code-only probes (favorable; I'll still re-verify the live proofs at the M2 claim):
+- **/etc/cc-ci now at `3bdd5d1`** (current main; was stale `e60415d` Phase-3 era), with `tests/` +
+  `runner/nightly_sweep.py` present → the deploy DID `git -C /etc/cc-ci pull`. My M1.4 "deploy must
+  pull or stays hollow" risk is cleared.
+- **Deployed timer:** `systemctl cat nightly-sweep.timer` → `OnCalendar=Sun *-*-* 03:00:00`,
+  `Persistent=true` (weekly, live). M1.5 deployed-schedule probe cleared.
+- **Deployed code path is the non-hollow one:** the in-flight sweep (PID 1620630) runs
+  `nightly_sweep.sweep()` from `/etc/cc-ci/runner`, and `run_recipe_ci.py` runs from
+  `/etc/cc-ci/runner/` — i.e. the checkout WITH `tests/`, not the store copy. Root cause fixed live.
+STILL OWED at the M2 claim (I will cold-verify, not trust the sweep log): canonicals actually promoted
+for greens / reds left intact / no-new-tag skipped (M2.2); run-twice→skip-all (M2.3); live tagged-vs-
+untagged (M2.4); real timer fire advances canonicals via full main() incl. roll (M2.5); samever never
+fires in-sweep (M2.6); disk budget recorded (M2.7); §2.G UPGRADE_BASE_VERSION retirement (M2.8).
+Staying read-only while the sweep is in flight (single node).
+
+---
+
+## Pre-claim finding @ 2026-06-17T08:40Z — M2.2 sweep: PASS-labelled but promotes mostly FAILING (evidence captured)
+
+NOT a verdict (M2 unclaimed). Read-only capture from `/root/canon-verify/_sweep.log` so the evidence
+survives log growth. Per-recipe promote outcomes observed (alphabetical sweep, ~7 recipes deep):
+- bluesky-pds: cold rc=0; `WC5 promote failed: abra app deploy warm-bluesky-pds… failed (1)` → NO canonical; logged `PASS (promoted)`.
+- cryptpad: cold rc=0; `canonical cryptpad advanced to known-good 0.6.0+v2026.5.1` → canonical WRITTEN. ✓ (the only real promote so far)
+- custom-html: SKIP no-new-version (pre-existing canonical). ✓ expected.
+- custom-html-tiny: cold rc=0; `WC5 promote failed: warm-custom-html-tiny… not healthy over HTTPS / (404)` → NO canonical; logged `PASS (promoted)`.
+- discourse: cold rc=142 (deploy timeout — the 51m wedge I flagged) → `FAIL (canonical unchanged)`. Legit red.
+- drone: cold rc=0; `WC5 promote failed: …warm-drone… timed out after 600 seconds` → NO canonical; logged `PASS (promoted)`.
+- ghost: cold rc=0; `WC5 promote failed: abra app new ghost… failed (1)` → NO canonical; logged `PASS (promoted)`.
+- gitea: promote in progress at capture.
+Live `/var/lib/ci-warm/*/canonical.json` = {cryptpad, custom-html} only. NET NEW this sweep = 1 (cryptpad).
+Leftover warm volumes w/ NO registry record: drone, gitea, custom-html-tiny (partial-promote residue).
+
+**DEFECT-1 [adversary] (results-label):** `nightly_sweep.sweep()` line ~119 sets
+`results[r] = "PASS (promoted)" if rc==0 else "FAIL …"`. Because `promote_canonical` is non-fatal
+(swallows its own exception so it "never fails a green run"), a FAILED promote still yields rc=0 →
+the summary asserts "PASS (promoted)" when NO canonical was written. The per-recipe results log — the
+DoD's evidence that "canonicals actually promoted for the green recipes" — is therefore UNTRUSTWORTHY.
+Repro: `grep "WC5 promote failed" _sweep.log` vs `grep "PASS (promoted)" _sweep.log` — failed promotes
+appear in BOTH. Fix direction: label from "does a canonical record now exist at the tested version",
+not from rc.
+
+**DEFECT-2 [adversary] (promote path failing broadly):** 4 of 5 completed promotes FAILED across 4
+modes (warm `app deploy` failed(1) / timed-out 600s / unhealthy-404 / `app new` failed(1)). Cold CI is
+green for each, so this is specifically the WARM-CANONICAL promote deploy failing — the exact
+end-to-end step this phase exists to make real. Root cause TBD (node contention on the long serial
+run / unclean cold-test teardown / discourse residue / flat 600s warm timeout) — Builder's to diagnose.
+
+**Determinism risk (M2.3):** every recipe left without a canonical (bluesky-pds, custom-html-tiny,
+drone, ghost, discourse…) will `sweep_decision(latest, None) → run` on a second sweep, NOT skip — so
+run-twice ≠ skip-all until promotes actually succeed. I will hard-test this at the M2 claim.
+
+Sent the Builder a BUILDER-INBOX heads-up (ba28a88). When M2 is claimed I will cold-verify, per recipe,
+that a canonical record exists at the tested tag version (not trust the PASS label), and re-run the
+determinism no-op myself. If promotes are still failing / mislabelled, M2 FAILs.
+
+## Pre-claim note @ 2026-06-17T09:11Z — fix f94de22 validated by Builder; M2 re-run in flight (NOT a verdict)
+
+Consumed ADVERSARY-INBOX (Builder ~09:10Z): DEFECT-1/DEFECT-2 fix validated live — custom-html-tiny
+PROMOTED (1.2.0+2.43.0, was 404) and ghost PROMOTED (1.4.0+6.45.0-alpine, was app-new dirty-tree FATA);
+label now derives from "canonical record exists at tested version". 7 canonicals claimed (cryptpad,
+custom-html, custom-html-tiny, ghost, gitea, hedgedoc, immich). Full sweep re-run in flight. M2 unclaimed.
+Staying read-only off the node (sweep in flight, single node).
+
+**bluesky-pds "documented RED" — must scrutinise at M2 claim, two ways it could be wrong:**
+1. The conservative direction is CORRECT per guardrail (no force-promote; prior known-good kept). But I
+   must confirm bluesky has NO stale/partial canonical written, and that it is recorded as an exception
+   in DECISIONS (plan §2.B: "don't silently skip" / §4 "documented exception"), not just left silent.
+2. **The real risk:** Builder says warm health fails because traefik doesn't route the WARM domain
+   (`warm-bluesky-pds…` → 000) though internal localhost:3000 = 200, and "cold domain worked." I must
+   verify this is genuinely bluesky-SPECIFIC and not a warm-canonical-deploy machinery defect (warm
+   domain label/overlay/router rule) that could equally hit other recipes — if the warm-domain routing
+   is systemically flaky, a recipe could intermittently fail to promote (or, worse, a health probe could
+   pass spuriously). At claim I will: (a) confirm OTHER promoted recipes (custom-html-tiny, ghost, immich)
+   actually answered 200 over HTTPS on THEIR warm domains during promote (grep ready-probe lines), and
+   (b) independently curl a couple of the live warm canonical domains. If warm-domain routing is broadly
+   unreliable, the promote evidence is suspect and M2 is not done.
+
+## Pre-claim observation @ 2026-06-17T09:34Z — read-only sweep-progress peek (NOT a verdict)
+
+Sweep re-run still in flight (proc 1712141 from `/etc/cc-ci/runner`); 7 canonicals on disk. Captured
+from `_sweep.log` so it survives log growth:
+- **DEFECT-1 fix is LIVE and honest:** `sweep: bluesky-pds rc=0 (GREEN-BUT-PROMOTE-FAILED
+  (canonical=none, expected 0.3.0+v0.4.219))` — the label no longer claims `PASS (promoted)` on a
+  failed promote. Favorable; I will still confirm the label matches the on-disk registry per recipe at
+  claim before closing DEFECT-1.
+- `cryptpad / custom-html / custom-html-tiny` → `SKIP no-new-version` (latest tag == canonical). The
+  skip path works for promoted recipes.
+- `discourse rc=143 → FAIL (red; canonical unchanged)` — legit red (timeout/SIGTERM), canonical kept.
+- **NEW — `sweep: mirror-sync drone rc=128 (non-fatal — continuing)`:** drone's faithful mirror-sync
+  FAILED (git rc=128) yet the sweep proceeded to RUN drone against the un-synced mirror. SCRUTINISE at
+  claim: plan §2.C requires the mirror be reconciled to upstream FIRST; a swallowed sync failure means
+  the recipe may be tested against a stale mirror (wrong tags/version) — the trigger (D) and tagged
+  promote then rest on un-synced state. Is rc=128 a benign "already up to date / no upstream" case or a
+  real sync failure? Must check what drone's sync hit and whether the tested tag is genuinely upstream's.
+- **DETERMINISM (M2.3) — central risk crystallising:** bluesky-pds (promote-failed) and discourse (red)
+  both end `canonical=none`, so a 2nd sweep → `sweep_decision(latest, None) → RUN`, NOT skip. Plan M2.3
+  literally requires run-twice → "SKIPS every recipe." That can hold ONLY if every enrolled recipe
+  actually promoted. Red/promote-failed recipes legitimately re-run (no known-good to protect) — which
+  is arguably correct behaviour but is NOT "skip every recipe." At the M2 claim I will require the
+  Builder's determinism evidence to honestly reconcile this with §3/§5: either (i) every recipe promotes
+  so run-twice is a true no-op, or (ii) a reasoned, plan-consistent argument that the no-op property
+  applies to the promoted set and red recipes correctly retry — and I'll judge it against the plan, not
+  accept a partial skip-all relabelled as success.
+
+## Pre-claim observation @ 2026-06-17T10:20Z — TWO concurrent sweeps (transient process state, captured)
+
+Read-only `ps` on cc-ci caught a non-serial condition while M2 is mid-development (NOT a verdict; M2
+unclaimed):
+- PID **1712141** = OLD sweep (started 09:10:40, code f94de22) — WEDGED: child PID 1720589
+  (`run_recipe_ci.py`, started 09:33:58, alive ~46 min) is the drone cold-dep self-deadlock the
+  lock-release fix (655a999) addresses. The old sweep process is still ALIVE, holding cold-test locks.
+- PID **1736506** = NEW sweep (started 10:16:27, code 655a999), already cold-testing recipe 1.
+So at 10:20Z two `nightly_sweep.sweep()` ran simultaneously. This violates §4 SERIAL and, more
+pointedly, **invalidates the documented precondition of `release_app_locks()`** ("serial sweep → no
+concurrent run relies on these locks") — the wedged old run still holds drone/gitea locks, so the two
+can collide. **Any M2 promote/determinism/log evidence from a sweep that overlapped the wedged one is
+non-serial and I will not accept it.** Canonical count is 8 (drone now promoted → lock-release fix
+works), so the fix itself is good; the issue is the leftover concurrent process. Sent BUILDER-INBOX
+asking the Builder to kill the wedged old sweep, confirm a clean single serial run, and regenerate M2
+evidence. **SCRUTINY CARRIED TO CLAIM:** confirm the claimed M2 sweep ran with exactly ONE sweep
+process and no overlap (check run start time vs old-sweep kill time); and verify `release_app_locks()`
+cannot free a lock still guarding a live app under any interleaving the in-flight guard permits.
+
+**Update @ 10:24Z:** Builder consumed the alert and acted correctly — SIGKILLed both sweeps + the
+wedged drone child, cleared stale `/run/lock/cc-ci-app-*.lock`, confirmed no leftover warm-*/dep stacks,
+**discarded drone's concurrency-tainted canonical** (promoted by a standalone validation at 10:06:45
+that overlapped the wedged old sweep), kept the 7 single-run canonicals, and relaunched ONE clean serial
+sweep (pid 1741209, code 655a999) as the M2.2 evidence run. Concurrency window was ~10:06–10:24 (old
+sweep 1712141 alive 09:10→killed 10:24). **CARRIED TO CLAIM:** independently confirm each of the 7 kept
+canonicals (cryptpad, custom-html, custom-html-tiny, ghost, gitea, hedgedoc, immich) has a ts OUTSIDE
+the concurrency window and was produced single-run — do NOT take the Builder's accounting on faith;
+check `canonical.json` ts per recipe vs the 09:10–10:24 overlap. And confirm the claimed sweep (1741209)
+ran start→finish with no second sweep process alive.
+
+## Pre-claim observation @ 2026-06-17T10:47Z — clean serial sweep progress (NOT a verdict)
+
+ONE sweep proc confirmed (serial intact). Transient `_sweep.log` lines captured before rotation:
+- **CONCERN — `drone rc=0 GREEN-BUT-PROMOTE-FAILED (canonical=none, expected 1.9.0+2.26.0)` in the
+  CLEAN serial run.** Drone promoted under the discarded tainted validation but FAILS to promote
+  clean-serial — and it no longer hangs (returns cleanly), so the lock-release fix (655a999) cured the
+  46-min deadlock but drone's warm promote still fails for a DIFFERENT reason (likely warm gitea-dep
+  provisioning or warm deploy/health). Net: the lock fix is necessary-but-not-sufficient for drone;
+  drone will lack a canonical → hits both promote-evidence and determinism (run-twice) at the claim.
+  Builder will see it in their own running log; their diagnose. I'll require drone to either promote
+  clean or be a recorded DECISIONS exception (like bluesky) at claim — a silent no-canonical is not OK.
+- **FAVORABLE — `gitea RUN — new release 3.6.0+1.24.2-rootless > canonical 3.5.3+1.24.2-rootless;
+  cold-testing tagged release 3.6.0…`** — a LIVE instance of the new-release-tag trigger advancing an
+  existing canonical (older→newer TAGGED), i.e. exactly the M2.6 samever-orthogonality path (2):
+  canonical(older)→new tagged, real delta, promote-if-green. If gitea promotes to 3.6.0 this is strong
+  M2.6 evidence (no constructed scenario needed). VERIFY AT CLAIM: gitea's canonical advances 3.5.3→3.6.0
+  with the new tag's own commit, and samever's same-version step-back NEVER fired in the run (the tag
+  trigger guarantees vX→vY, Y>X, so no vX→vX). Watch that gitea actually promotes (not GREEN-BUT-FAILED).
+- SKIPs (cryptpad/custom-html/custom-html-tiny/ghost = no-new-version) and discourse rc=143 red:
+  consistent with prior runs.
+
+## Pre-claim note @ 2026-06-17T10:59Z — two more Builder fixes; M2-evidence-sweep recency criterion
+
+Builder landed ca89d44 (promote clears stale warm-stack on FRESH SEED only — fixes the failed-promote
+secret residue, e.g. drone's gitea `client_secret_v1` blocking `abra app secret insert` on retry;
+correctly does NOT teardown when a canonical exists → retained volume safe) and d072d7e (de-enroll
+keycloak — structural collision with the live-warm OIDC provider on `warm-keycloak.ci...`; thorough
+DECISIONS entry; enrolled now 20 + 1 documented exception). Both reasonable. The residue fix is the
+likely root cause of the clean-serial drone promote-fail I flagged.
+**M2-EVIDENCE RECENCY CRITERION (new, checkable):** the in-flight sweep pid 1741209 launched ~10:16 —
+BEFORE ca89d44 (10:51) and d072d7e (10:54) — so its parent-process enrolled set still includes keycloak
+and its sweep logic predates the residue fix (only per-recipe run_recipe_ci.py picks up new code if
+/etc/cc-ci is pulled mid-run; nightly_sweep.sweep()'s enrolled list + decisioning is fixed at launch).
+Therefore the authoritative M2.2 sweep I accept MUST be one launched with /etc/cc-ci at a HEAD that
+contains BOTH fixes, enrolled=20 (keycloak absent), single serial proc. At claim: check the evidence
+sweep's launch time vs these commit times, and confirm drone now PROMOTES (residue fix) or is a recorded
+exception. Also verify ca89d44's fresh-seed teardown can't nuke a shared/retained volume (guarded by
+`if not read_registry(recipe)` — only when no canonical exists, so nothing known-good to lose; confirm).
+
+## Pre-claim verification @ 2026-06-17T11:12Z — fresh-seed-teardown × live-keycloak footgun: MITIGATED
+
+Identified a real footgun in ca89d44: the fresh-seed branch does `teardown_app(canonical_domain(recipe))`
+for any enrolled recipe lacking a canonical. For keycloak, `canonical_domain` == the LIVE shared OIDC
+provider domain `warm-keycloak.ci...` — so a fresh-seed keycloak promote would have TORN DOWN the live
+provider that lasuite-*/drone depend on. The de-enroll (d072d7e) is precisely what prevents this.
+INDEPENDENTLY VERIFIED (read-only, my own checks, not Builder's word):
+- At HEAD: `tests/keycloak/recipe_meta.py` → `WARM_CANONICAL = False`; `canonical.enrolled_recipes()` =
+  **20, keycloak NOT in set** → the post-fix sweep never runs the fresh-seed teardown against keycloak.
+- Live `https://warm-keycloak.ci.commoninternet.net/realms/master` → **200**; services
+  `warm-keycloak_..._app` + `_db` both **1/1** → the pre-fix sweep 1741209's keycloak promote attempt
+  (old promote, no teardown) did NOT disrupt the live provider. Healthy.
+Conclusion: footgun is structurally mitigated AND live-confirmed unharmed — favorable. STILL CARRY TO
+CLAIM: confirm NO OTHER enrolled recipe's `canonical_domain` collides with a live/shared service (so the
+fresh-seed teardown only ever hits a disposable warm-<recipe> stack), and that the final sweep's keycloak
+absence holds at the sweep's launch HEAD.
+
+## Pre-claim observation @ 2026-06-17T11:23Z — pre-fix sweep FINISHED (0 procs); 15 canonicals
+
+Final tail of the pre-fix serial sweep (1741209): n8n PASS(3.4.0+2.23.2), plausible
+PASS(3.1.0+v2.0.0), uptime-kuma PASS(3.1.0+2.4.0); **mumble rc=1 FAIL (red; canonical unchanged)**.
+Canonical count = 15. Two new claim-scrutiny points:
+- **mumble — NEW red (rc=1, not a timeout), not previously documented.** Before M2 it must be either
+  fixed (promotes clean) or recorded as a DECISIONS exception with a reason — a silent no-canonical is
+  not acceptable (same bar I'm holding bluesky/discourse/drone to). Watch for the diagnosis.
+- **plausible promoted at `3.1.0+v2.0.0`, NOT the `3.0.1` the plan §2.G anticipated.** The §2.8
+  UPGRADE_BASE_VERSION retirement reasoning ("canonical at 3.0.1 → dynamic base resolves 3.0.1 → pin
+  redundant, drop the broken 3.0.0") must be RE-DERIVED against the actual canonical 3.1.0+v2.0.0: at
+  claim verify that with plausible's real canonical, the dynamic upgrade base resolves to a correct
+  green release (NOT the broken 3.0.0 clickhouse-404 base) and plausible's upgrade tier passes — only
+  then is dropping the pin safe. If not, the pin stays with a recorded reason (§2.G GATE).
+Builder's plan next: deploy fixes to /etc/cc-ci, re-promote drone (fresh-seed fix) + retry gitea 3.6.0,
+then launch the FINAL authoritative sweep = the M2.2 evidence (postdates ca89d44+d072d7e, enrolled=20).
+
+## Pre-claim @ 2026-06-17T11:35Z — FINAL authoritative sweep launched; recency criterion MET (confirmed)
+
+Builder launched the authoritative M2.2 sweep (pid 1960362, ~11:26Z) from `/etc/cc-ci @ 12acf94`. I
+INDEPENDENTLY confirmed `git merge-base --is-ancestor`: **ca89d44 (residue) AND d072d7e (keycloak) are
+both ancestors of 12acf94** → the evidence sweep postdates both fixes, enrolled=20, single serial.
+My M2-evidence recency criterion is satisfied — this run is the legitimate M2.2 evidence. (Still verify
+at claim: it ran start→finish with no second sweep proc.)
+
+**Red diagnoses to verify at claim (Builder posture = "red test is information, never weakened" — correct):**
+- discourse: upstream 0.8.1 compose invalid (`sidekiq` → undefined service `discourse`). VERIFY: it's a
+  genuine upstream defect (re-read the compose), not our overlay; canonical unchanged.
+- mattermost-lts: `test_restore.py::test_restore_returns_state` FAILED at latest. VERIFY: the test is
+  unmodified (git-blame the test vs main; not weakened/xfail'd to dodge), failure is real.
+- mumble: `custom/test_protocol_handshake.py::test_handshake_completes_with_channel_presence` FAILED.
+  VERIFY: test unmodified, real failure.
+- bluesky-pds: cold green, warm-promote health 000 (traefik doesn't route warm domain; PDS 200 on
+  localhost:3000). VERIFY recipe-specific (not machinery): confirm other promoted recipes DID answer 200
+  over HTTPS on their warm domains (already favorable — 15 promoted healthy).
+ALL FOUR must be recorded as DECISIONS exceptions with reasons (not silent no-canonicals) before M2.
+Expected from this sweep: ~14 SKIP (determinism), drone PROMOTES (residue fix), gitea 3.5.3→3.6.0 advance.
+
+## Pre-claim findings @ 2026-06-17T11:58Z — final sweep crux outcomes (drone ✓, gitea advance ✗)
+
+Cold-read from cc-ci (raw canonical.json, my own check). 16 canonical recipes on disk: cryptpad,
+custom-html, custom-html-tiny, drone, ghost, gitea, hedgedoc, immich, lasuite-{docs,drive,meet}, mailu,
+matrix-synapse, n8n, plausible, uptime-kuma. 16 promoted + 4 documented reds (discourse, mattermost-lts,
+mumble, bluesky-pds) = 20 enrolled. Clean accounting.
+- **drone — PROMOTED CLEAN ✓ (favorable, DEFECT-2 closing evidence).** `/var/lib/ci-warm/drone/
+  canonical.json` = `{version 1.9.0+2.26.0, commit 91b27ceb…, status idle, ts 20260617T115046Z}` —
+  fresh, from THIS final post-fix sweep; log `sweep: drone rc=0 (PASS (promoted 1.9.0+2.26.0))`. The
+  fresh-seed-teardown residue fix (ca89d44) resolved the once-failed-promote secret residue. (At the
+  formal claim I'll re-derive that commit == the 1.9.0+2.26.0 tag's commit, and confirm warm reattach.)
+- **gitea — ADVANCE FAILED AGAIN ✗ (CLAIM-BLOCKER for M2.6 + M2.3).** Log: `sweep: gitea RUN — new
+  release 3.6.0+1.24.2-rootless > canonical 3.5.3+1.24.2-rootless … rc=0 (GREEN-BUT-PROMOTE-FAILED
+  (canonical=3.5.3…, expected 3.6.0…))`. canonical.json still `3.5.3+1.24.2-rootless` (ts 083930Z, OLD)
+  — known-good correctly PRESERVED on the failed advance, but the advance did NOT happen. Impact:
+  1. **M2.6 not demonstrated:** gitea was the live new-tag→`canonical(older)→new` advance proof. The
+     trigger fired (RUN on the newer tag) and old-known-good was kept, but a SUCCESSFUL promote to the
+     new tagged version — which §3/§5 M2.6 requires — did not occur. Needs a real fix or the plan's
+     alternative (construct custom-html older→new).
+  2. **M2.3 determinism dirtied:** on a 2nd sweep `sweep_decision(gitea, 3.6.0, 3.5.3) → RUN`, so gitea
+     re-runs — and it is NOT a genuine red (cold test is GREEN; only the warm advance promote times
+     out ~600s). So it is NOT covered by "reds correctly retry"; it is a green recipe whose promote
+     deterministically fails, which both wastes a CI rerun AND breaks "run-twice → skip-all". A plain
+     retry won't fix a deterministic timeout — needs the warm-advance timeout raised / the in-place
+     version-bump deploy diagnosed, OR gitea documented like the reds (but it's green, so that's weaker).
+  Sending the Builder a heads-up so they don't claim M2 with this open.
+
+**Sweep completion @ 12:00:03Z:** authoritative sweep `=== M2.2 FULL SWEEP done rc=0
+2026-06-17T12:00:03Z ===` (ran 11:25:57→12:00:03, ~34m; node idle after, no sweep/run procs). Determinism
+preview already visible IN this run: n8n/plausible/uptime-kuma/immich/lasuite-*/mailu/matrix-synapse all
+`SKIP no-new-version` = the just-promoted recipes correctly skip. Builder consumed my gitea heads-up
+(9303359: "gitea 3.6.0 advance — fixing; drone promoted clean"). Awaiting gitea fix + M2.3/M2.5/M2.6/
+M2.7/M2.8 proofs before any M2 claim.
+
+## Pre-claim assessment @ 2026-06-17T12:21Z — gitea-exception diagnosis + M2.3 reframing (my acceptance bar)
+
+Builder landed bdc2ec4 (DECISIONS): gitea 3.6.0 warm-advance documented as a RECIPE issue + an M2.3
+determinism reframing. My standard for accepting these at the M2 claim:
+
+**gitea 3.6.0 exception — diagnosis plausible; two things I will independently verify (not take on faith):**
+- Builder's isolation claim is the right shape: the warm-ADVANCE machinery is proven via a CONSTRUCTED
+  custom-html older→new advance (M2.6), so gitea's failure is gitea-specific not machinery. VERIFY the
+  custom-html advance ACTUALLY promoted (canonical advanced old→new, healthy) — that's load-bearing.
+- The gitea crash is `JWT Secret … app.ini: read-only file system`. Cold FRESH 3.6.0 passes; warm
+  reattach-advance crashes. VERIFY this is genuinely a gitea-3.6.0/rootless-config + retained-volume
+  interaction (e.g. pre-existing 3.5.3 app.ini / rootless-UID), NOT our warm-promote mounting app.ini
+  read-only. If OUR machinery makes app.ini read-only (cold doesn't, warm does), it's a MACHINERY defect
+  mislabeled as a recipe issue — that would NOT be an acceptable exception and would fail M1(A)/M2.
+  Check: how does the warm advance mount/derive app.ini vs the cold install for gitea.
+- gitea correctly KEEPS 3.5.3 (never promote unhealthy) — good; confirm 3.5.3 record + volume intact.
+
+**M2.3 reframing — ACCEPTABLE ONLY IF rigorously demonstrated + flagged as a DoD deviation.** Plan
+§3/§5 LITERALLY say run-twice → "SKIPS every recipe … clean no-op". That ideal assumed all-promote;
+reality = 15 promoted-at-latest + 5 that can't (4 genuine/documented reds + gitea recipe-bug). Builder's
+operative property = "no promoted-at-latest recipe re-runs; reds + gitea correctly retry." This is
+plan-consistent in SPIRIT (the no-op's purpose is no needless re-test of good-current recipes) and the
+plan forbids weakening tests to force promotes — so the literal ideal is unachievable honestly. I will
+ACCEPT it IFF: (i) an actual immediate 2nd sweep shows EXACTLY the 15 promoted-at-latest SKIP (no CI
+rerun) and ONLY the documented exceptions (gitea + 4 reds) RUN — I will re-run/inspect this myself, not
+trust a summary; (ii) every re-running recipe has a recorded DECISIONS reason; (iii) it is explicitly
+noted as a deviation from the literal "skip every recipe" so the operator sees it. If a promoted-at-
+latest recipe needlessly re-runs, or an undocumented recipe re-runs, M2.3 FAILs. NOT a veto now — this
+is the bar I'll hold at the claim.
+
+## Pre-claim pre-verification @ 2026-06-17T12:34Z — §2.G strip (M2.8) favorable; M2.5 bash-fix needs redeploy
+
+- **§2.G UPGRADE_BASE_VERSION retirement (f611dda, 83c183d) — code-level strip CONFIRMED complete.**
+  `grep -rn UPGRADE_BASE_VERSION` (excl. machine-docs) → only EXPLANATORY comments/docs remain (testing.md,
+  plausible/bluesky-pds/discourse meta comments, test_meta + test_upgrade_base comments, the resolver
+  removal comment at run_recipe_ci.py:132) — NO live key/branch. plausible's pin gone (meta comment:
+  dynamic base STEPS BACK to newest-published-strictly-older-than-3.1.0 = 3.0.1+v2.0.0 = the correct base,
+  avoiding broken 3.0.0); meta KEYS 15→14 (test_meta.py); bluesky-pds comment now points to dynamic base.
+  AT CLAIM: run the full unit suite (test_meta/test_upgrade_base green post-strip) + confirm plausible's
+  UPGRADE tier actually resolves base 3.0.1+v2.0.0 dynamically AND passes (Builder claims "verified
+  dynamic-base green" — re-run it myself). §2.G GATE (keep-if-broken) does NOT apply since plausible works.
+- **M2.5 real timer fire — IN PROGRESS, caught a real bug.** cebd293: the actual timer fire revealed the
+  deployed nightly-sweep service was MISSING `bash` in nix runtimeInputs (a manual run wouldn't catch it —
+  exactly why "real fire, not manual" is the DoD). Fix adds bash. NOTE: this is a nix module change →
+  requires `git -C /etc/cc-ci pull` + `nixos-rebuild switch` to deploy, THEN a fresh real timer fire that
+  ADVANCES ≥1 canonical (non-hollow). AT CLAIM: confirm the fix is deployed AND a post-fix real fire
+  (systemctl start nightly-sweep.service or the timer) ran the non-hollow job to completion with evidence
+  (a canonical ts moved / log shows the 20-recipe sweep), not exit-0 on empty.
+
+## Pre-claim @ 2026-06-17T13:09Z — DEFECT-3 fix (env parity) landed; assessment + verify-at-claim
+
+Builder consumed DEFECT-3 and fixed it (2c61f2f): nightly-sweep.nix now prepends the host system PATH
+`/run/current-system/sw/bin:/run/wrappers/bin` so the timer sweep runs recipes in the SAME env as
+Drone's exec runner — one change for git-lfs/bash/openssl/etc. parity (vs enumerating runtimeInputs).
+Right fix in principle (the sweep SHOULD validate exactly as Drone CI does). nix module change → needs
+nixos-rebuild + a fresh real timer fire = the production-env M2.2/M2.5 evidence. DEFECT-3 stays OPEN
+until that re-fire. Verify at claim:
+- PARITY IS REAL not asserted: `ssh cc-ci 'ls /run/current-system/sw/bin/git-lfs; systemctl cat
+  drone-runner-exec* | grep -i PATH'` — git-lfs present there AND Drone actually uses that PATH.
+- Re-fire flips gitea back to COLD-GREEN (custom/lfs passes) then hits the documented app.ini
+  warm-advance exception (rc=0 GREEN-BUT-PROMOTE-FAILED) — restoring "cold green, advance-only" IN
+  production, validating that exception framing. If gitea still reds at custom, parity isn't achieved.
+- Re-fire re-validates the promoted set under production env: the 15 promoted-at-latest SKIP, custom-html
+  (now advanced to 1.13.0) SKIPs, 4 reds red, no NEW promote failures surface that the manual env hid.
+- Determinism unaffected: host system PATH is stable per nixos generation; matches Drone → correct
+  comparison, not a non-determinism source.
+Favorable already-demonstrated (this fire): custom-html 1.11.0→1.13.0 advance PASS = constructed M2.6
+older→new advance + a real non-hollow timer promotion. M2 still correctly UNCLAIMED.
+
+## Pre-claim observation @ 2026-06-17T14:30Z — DEFECT-3 parity REAL + live timer re-fire re-validating (NOT a verdict)
+
+A POST-parity-fix real timer fire is in flight: `nightly-sweep.service` active since **13:01:01 UTC**
+(`Invocation b184fde4…`, PID 2149231), single serial proc (no second sweep/run_recipe_ci on cc-ci).
+Captured from journalctl (production env, survives log rotation) + read-only config checks. This is the
+DEFECT-3 re-validation run I said the defect stays OPEN until. Cold checks, my own, not the Builder's word:
+
+- **PARITY IS REAL (my verify-at-claim criterion #1 — MET).** `nightly-sweep` ExecStart wrapper line 17:
+  `export PATH="/run/current-system/sw/bin:/run/wrappers/bin:$PATH"` — host system PATH prepended,
+  **byte-for-byte matching** Drone's `drone-runner-exec.service` `Environment="PATH=/run/current-system/
+  sw/bin:/run/wrappers/bin"`. `git-lfs` present at `/run/current-system/sw/bin/git-lfs` → git-lfs-3.6.1.
+  `/etc/cc-ci` HEAD = 2c61f2f (parity fix is the deployed runner code; `merge-base --is-ancestor` ✓). So
+  parity is structural + deployed, not asserted.
+- **gitea flips COLD-GREEN under production env (criterion #2 — MET behaviorally).** In THIS timer fire:
+  `tests/gitea/custom/test_lfs_roundtrip.py::test_lfs_roundtrip PASSED` (the exact test DEFECT-3 reded on
+  the missing-git-lfs fire). gitea then `RUN — new release 3.6.0 > canonical 3.5.3` and is processing the
+  advance now — expected to land on the documented app.ini warm-advance exception (GREEN-BUT-PROMOTE-FAILED),
+  i.e. "cold green, advance-only-fails," restoring the documented framing in production. DEFECT-3 git-lfs
+  gap is behaviorally closed in the production timer env.
+- **Promoted set re-validates under production env (criterion #3 — favorable so far):** custom-html
+  `RUN — new release 1.13.0 > canonical 1.11.0 → PASS (promoted 1.13.0+1.31.1)` (a REAL non-hollow timer
+  promote/advance); and the promoted-at-latest recipes SKIP `no-new-version` (cryptpad, custom-html-tiny,
+  drone[1.9.0], ghost, immich, lasuite-{docs,drive,meet}, mailu, matrix-synapse, n8n, plausible,
+  uptime-kuma) — live determinism preview INSIDE the production fire. Reds so far: discourse rc=142
+  (timeout), mattermost-lts rc=1, mumble rc=1, bluesky-pds GREEN-BUT-PROMOTE-FAILED — all the documented
+  exceptions, no NEW promote failures the manual env hid.
+- **Determinism source check (criterion #4 — MET):** host system PATH is fixed per nixos generation and
+  equals Drone's → a stable, correct comparison env, not a non-determinism vector.
+
+This is strongly favorable toward closing DEFECT-3 and the production-env M2.2/M2.5 evidence, BUT M2 is
+still correctly UNCLAIMED and the fire is mid-gitea (not finished). I will NOT close DEFECT-3 or accept
+M2 until: (a) this fire completes start→finish single-serial with the final per-recipe summary; (b) I
+re-derive each promoted canonical's commit==tag-commit and a warm reattach; (c) the gitea app.ini
+exception, discourse/mattermost/mumble reds, and bluesky warm-routing exception are all recorded in
+DECISIONS (not silent no-canonicals); (d) the formal M2 claim arrives in STATUS with WHAT/HOW/EXPECTED.
+Staying read-only off the node while the sweep is in flight (single node).
+
+**Update @ 2026-06-17T14:39Z — production-env timer fire COMPLETED cleanly (still NOT a verdict).**
+`nightly-sweep.service` finished **14:37:22 UTC**, `Result=success`, `ExecMainStatus=0`, single serial
+(no leftover sweep/run_recipe_ci procs). Final per-recipe summary (journalctl, my own read):
+- **custom-html: PASS (promoted 1.13.0+1.31.1)** — a REAL non-hollow timer advance 1.11.0→1.13.0 in
+  production env (M2.5 real-fire + M2.6 constructed older→new advance, both in one live timer fire).
+- **14 SKIP no-new-version** (cryptpad, custom-html-tiny, drone, ghost, hedgedoc, immich, lasuite-{docs,
+  drive,meet}, mailu, matrix-synapse, n8n, plausible, uptime-kuma) — live determinism: promoted-at-latest
+  recipes correctly no-op in the production fire.
+- **6 documented exceptions:** gitea GREEN-BUT-PROMOTE-FAILED (cold-green via lfs PASS; app.ini warm-advance
+  exception, 3.5.3 kept); bluesky-pds GREEN-BUT-PROMOTE-FAILED (warm-routing); discourse/mattermost-lts/
+  mumble red (canonical unchanged). No NEW promote failures the manual env masked.
+This resolves the "won't close DEFECT-3 until the fire completes" condition: the fire DID complete cleanly
+under real Drone-parity env. I am NOT yet closing DEFECT-3 or accepting M2 — that happens at the formal M2
+claim, where I will cold re-derive each promoted canonical's commit==tag-commit + a warm reattach, confirm
+all 6 exceptions are recorded in DECISIONS, and re-run/inspect determinism myself. DEFECT-3 stays OPEN
+(narrowly: pending the claim-time confirmation), but its production re-validation is now favorable.
+
+---
+
+## M2: PASS @ 2026-06-17T16:14Z — canonical sweep proven end-to-end (claim a4f1df4; DEFECT-3 CLOSED)
+
+Verified from a COLD start: fresh independent clone on cc-ci (`/tmp/adv-m2` @ deployed HEAD `2c61f2f`),
+cold `ssh cc-ci` for live state/journald, and my OWN re-runs (unit suite, resolver calls, a live
+`--quick` warm reattach). I did NOT read JOURNAL-canon.md before this verdict. Every M2 sub-claim and
+every carried scrutiny point re-derived against the plan + observable behaviour, not the Builder's word.
+
+**M2.1 deploy + DEFECT-3 parity — PASS.** Deployed `/etc/cc-ci` HEAD `2c61f2f` (parity fix) is current —
+`git diff --stat 2c61f2f origin/main -- runner/ tests/ nix/ scripts/` is EMPTY (the gap to Builder HEAD
+009bc60 is docs/status only, no undeployed code). `nightly-sweep` ExecStart wrapper line 17
+`export PATH="/run/current-system/sw/bin:/run/wrappers/bin:$PATH"` BYTE-MATCHES `drone-runner-exec.service`
+`Environment="PATH=/run/current-system/sw/bin:/run/wrappers/bin"`; `git-lfs` present at
+`/run/current-system/sw/bin/git-lfs`. Weekly timer `OnCalendar=Sun *-*-* 03:00:00`, Persistent. **DEFECT-3
+CLOSED:** behaviorally proven in the production timer fire — `tests/gitea/custom/test_lfs_roundtrip.py::
+test_lfs_roundtrip PASSED` (the exact test that reded on the missing-git-lfs fire); gitea flips cold-green
+under the real Drone-parity env.
+
+**M2.2 + M2.5 real (non-hollow) timer fire — PASS.** `nightly-sweep.service` fired by real systemd: active
+13:01:01Z → completed **14:37:22Z, Result=success, ExecMainStatus=0, single serial** (no 2nd sweep/
+run_recipe_ci proc — confirmed across my polls). Non-hollow: enrolled=20, ADVANCED custom-html 1.11.0→
+1.13.0 (the prior hollow timer logged `enrolled canonicals=[]`). **All 16 canonicals re-derived: every
+`canonical.json` commit == the tested release tag's commit** (`git -C ~/.abra/recipes/<r> rev-list -n1
+<version>` == recorded commit) — cryptpad, custom-html(1.13.0+1.31.1/df2e273), custom-html-tiny, drone,
+ghost, gitea(3.5.3, known-good kept), hedgedoc, immich, lasuite-{docs,drive,meet}, mailu, matrix-synapse,
+n8n, plausible(3.1.0+v2.0.0/13458fac), uptime-kuma — all OK, no arbitrary-commit canonical. Timestamps
+07:22→13:15Z; none fall in the 09:10–10:24Z concurrency window I flagged (drone correctly re-promoted
+11:50, the tainted 10:06 one discarded). Reds left intact (discourse/mattermost-lts/mumble no canonical;
+bluesky no canonical; gitea kept 3.5.3) — never force-promoted.
+
+**M2.3 determinism (run-twice) — PASS (operative no-op).** The clean serial 2nd sweep launched **14:41:16Z**
+(AFTER the 1st fire ended 14:37:22Z → NO overlap; single serial throughout my polls), enrolled=20. Final
+partition I read from journald myself: **exactly 15 promoted-at-latest → `SKIP no-new-version`** (incl.
+custom-html 1.13.0, just advanced → now skips = the central determinism proof) and **5 → RUN, every one a
+documented exception** (gitea retries 3.6.0 advance; bluesky/discourse/mattermost-lts/mumble lack a
+known-good). My acceptance bar (set 12:21Z) is MET: (i) only the 15 promoted-at-latest skip and only
+documented exceptions run — verified, not trusted; (ii) every re-running recipe has a DECISIONS reason;
+(iii) DECISIONS explicitly flags this as a deviation from the literal "skip every recipe" ("'Skip every
+recipe' is the all-promoted ideal; the demonstrated property is 'no promoted-at-latest recipe re-runs'").
+Plan-consistent (the plan forbids weakening a test to force a promote).
+
+**M2.4 tagged-promote gate — PASS.** Untagged green ⇒ NO promote (proof-C + `test_no_promote_when_untagged`
+in the now-294-pass unit suite I re-ran); tagged green ⇒ promote (all 16 canonicals commit==tag, live in
+the production fire). Gate proven both ways.
+
+**M2.6 samever orthogonality — PASS.** Path-2 (new tag → older→new promote): custom-html advanced 1.11.0→
+1.13.0 in the live production timer fire AND promoted healthy; gitea fired the trigger (RUN on 3.6.0>3.5.3).
+Path-1 (no new tag → SKIP): the 15 SKIP-no-new-version recipes. **Step-back never fires in-sweep:** read
+`resolve_upgrade_base` — it steps back ONLY when canonical==head version; the sweep RUNs only when latest
+tag > canonical, so the in-sweep base is strictly older → no same-version run is ever constructed. samever's
+same-version behaviour stays owned by the samever phase (PR path). 
+
+**M2.7 disk budget — PASS.** `/` 38G free (74% used); `du -sh /var/lib/ci-warm` = 1.1G; docker volumes 2.0GB.
+16 retained canonicals fit with ample headroom at full 20-enrolled; no recipe dropped for disk (DECISIONS).
+
+**M2.8 UPGRADE_BASE_VERSION retired — PASS.** Read `resolve_upgrade_base` source in full: the string
+`UPGRADE_BASE_VERSION` appears ONLY in the docstring (documenting its §2.G removal) — there is NO live
+override branch; resolution is purely dynamic (canonical-as-base + same-version step-back). `grep -rn
+UPGRADE_BASE_VERSION runner/ tests/ docs/` = comments only; unit suite 294 pass. plausible: canonical
+3.1.0+v2.0.0 == head → resolver steps back to `newest_older_version` = **3.0.1+v2.0.0** (re-derived live) —
+the exact known-good base the old pin forced, avoiding the broken clickhouse-404 3.0.0. §2.G GATE
+(keep-if-broken) correctly does NOT apply.
+
+**Reusability (warm reattach) — PASS (my own cold run).** `MODE=quick` reattach of custom-html: booted the
+warm stack from the RETAINED volume, `test_content_roundtrip` + `test_custom_html_returns_200` PASSED
+(retained-volume content reused, 200 over the warm domain), `quick PASS → known-good UNCHANGED`. canonical
+version/commit identical before/after (1.13.0+1.31.1 / df2e273; only `ts` touched = benign status refresh,
+not a promote). This also independently confirms warm-domain HTTPS health WORKS for a non-bluesky recipe.
+
+**Carried scrutiny — all CLEARED:**
+- gitea app.ini exception is RECIPE-specific, not machinery: gitea-rootless mounts app.ini read-only by its
+  own recipe (`recipe_meta.py:68`); our warm-promote/`deploy_canonical` code does not mount app.ini RO
+  (grep). Cold-fresh 3.6.0 passes, warm reattach-advance crashes at config-load → recipe/retained-volume
+  interaction. 3.5.3 known-good correctly kept.
+- bluesky warm-routing is recipe-specific: cold green + PDS 200 internal, warm domain `/xrpc/_health`→000;
+  the other 15 promoted answer 200 over HTTPS (custom-html verified live by my reattach). Not machinery.
+- mattermost-lts (`test_restore`) + mumble (`test_handshake`) reds: tests UNMODIFIED this phase (git log:
+  last touched phases 2/cfold), 0 xfail/skip markers — genuine reds, not weakened to dodge.
+- All 6 exceptions (keycloak, gitea, discourse, mattermost-lts, mumble, bluesky) recorded in DECISIONS with
+  reasons — none silent.
+
+**Guardrail NO-AI-at-runtime — PASS.** grep of nightly_sweep.py / warm_reconcile.py / recipe-mirror-sync.sh
+for anthropic|claude|openai|llm|gpt → zero calls (one code comment only). Pure script + systemd timer.
+
+**Verdict: M2 PASS. No VETO.** All §5 Definition-of-Done items Adversary-cold-verified: tagged-release
+canonicals are real + reusable (untagged never promotes), mirror-sync faithful (M1), new-release-tag
+trigger skips no-new-version / runs new-tag (version-keyed), promote only on green-cold-latest-enrolled-
+tagged, demonstrated end-to-end in a real non-hollow production timer fire, run-twice determinism no-op
+(operative form, deviation flagged), samever orthogonal (step-back never fires in-sweep), all recipes
+enrolled + disk budget recorded, UPGRADE_BASE_VERSION retired (plausible dynamic base 3.0.1), AI-free
+runtime. M1 + M2 both fresh-PASS. The Builder may write `## DONE`. (Consulted JOURNAL-canon.md only AFTER
+writing this verdict for context: no surprises.)

machine-docs/REVIEW-cf48.md

@@ -0,0 +1,116 @@
+# REVIEW — phase cf48 (Adversary)
+
+Adversary clone: `/srv/cc-ci/cc-ci-adv`
+Run cold from a fresh shell; no cached state.
+
+---
+
+## M1: PASS @2026-06-13T05:29Z
+
+**Claim:** Opus 4.8 independent review of cfold (`44e0242`) found NO COVERAGE LOST —
+all 64 custom tests relocated 1:1 from `functional/`/`playwright/` into canonical `custom/`,
+identical `(recipe, filename)` set, per-recipe counts unchanged, no assertions weakened,
+deprecated aliases retained with loud warnings, lifecycle overlays untouched at top-level,
+RUNG name preserved.
+
+**Cold-run evidence (all 12 acceptance checks):**
+
+1. `git ls-files "tests/*/custom/test_*.py" | wc -l` → **64** ✓ (expected 64)
+
+2. `git ls-files "tests/*/functional/*" "tests/*/playwright/*" | grep test_ | wc -l` → **0** ✓
+
+3. lifecycle overlays in custom/ → **0** ✓
+
+4. lifecycle overlays at top-level → **64** ✓
+
+5. Per-recipe counts (all match baseline):
+   bluesky-pds=4 cryptpad=4 custom-html=4 custom-html-tiny=1 discourse=3 drone=1 ghost=4
+   hedgedoc=2 immich=3 keycloak=3 lasuite-docs=5 lasuite-drive=3 lasuite-meet=3 mailu=3
+   matrix-synapse=3 mattermost-lts=3 mumble=5 n8n=4 plausible=2 uptime-kuma=4
+   **TOTAL=64** ✓
+
+6. Cardinal coverage diff: `diff /tmp/pre.txt /tmp/head.txt` → **IDENTICAL SET (empty diff)** ✓
+   Every one of the 64 `(recipe, filename)` pairs maps 1:1 pre→post; only parent folder changed.
+
+7. Content-change audit `git show 44e0242 --find-renames=40% --stat` — 110 files changed;
+   all 64 test files are 100% pure renames except 5 with trivial non-semantic diffs
+   (custom-html test_browser_smoke.py docstring; keycloak ×2 comment; lasuite-drive/-meet oidc
+   docstring; mailu sys.path redirect for moved helper). ✓
+
+8. Stale-consumer grep:
+   - `git grep -nE "['\"/](functional|playwright)/" -- ':!tests/**' ':!docs/**' ':!machine-docs/**' ':!README.md'`
+     → only `runner/harness/discovery.py:108-109` (docstring lines listing deprecated aliases) ✓
+   - `git grep -nE "== ['\"](functional|playwright)['\"]" -- 'runner/**'` → empty ✓
+
+9. Deprecated-alias live probe: found `['test_new.py', 'test_old.py', 'test_ui.py']` +
+   2 `WARNING [cfold]` lines for functional/ and playwright/ ✓ (all 3 dirs discovered, both
+   deprecated dirs warn)
+
+10. Unit suite: `nix shell nixpkgs#python311Packages.pytest -c pytest tests/unit/test_discovery.py
+    tests/unit/test_discovery_phase2.py tests/unit/test_manifest.py -q` → **18 passed** ✓
+
+11. RUNG name: `RUNGS = ("install", "upgrade", "backup_restore", "functional", "lint")` — unchanged ✓
+    (folder rename did NOT touch the L4 RUNG name)
+
+12. `git status --short` → clean (nothing to commit) ✓
+
+**Assessment:** The Opus 4.8 Builder review in STATUS-cf48.md is accurate.
+The cfold commit (`44e0242`) is a pure, non-lossy rename: 64 test files relocated from
+`functional/`/`playwright/` into canonical `custom/`, all assertions intact, no tests dropped
+or weakened, deprecated aliases backward-compatible with loud warnings. M1 PASS confirmed
+independently.
+
+**cf55-vs-cf48 agreement note confirmed:** both Sonnet 4.6 and Opus 4.8 reviews reach NO
+COVERAGE LOST. The one discrepancy (cf55 narrative claimed a keycloak sys.path depth adjustment
+that didn't actually exist in the diff) is a narrative inaccuracy, not a coverage defect — both
+models correctly conclude keycloak tests are intact. No blocking findings from either review.
+
+---
+
+## M2: PASS @2026-06-13T06:45Z — NO COVERAGE LOST
+
+**Claim (Builder `claim(cf48-M2)` 61ad356):** the no-loss verdict — cfold (`44e0242`)
+preserved the complete pre-cfold custom-test set; no blocking findings; no Builder fix required.
+M2 reuses the M1 evidence (review-only phase, no new build/sweep).
+
+**Independent cold re-verification this session** (fresh `git clone` of origin/main @`a6f967f`,
+new shell, no cached state — did NOT just confirm M1):
+
+- **Cardinal coverage diff re-run cold** (cmd 6): pre-cfold `(recipe, filename)` set from
+  `44e0242^` vs post-cfold `custom/` set at HEAD → **IDENTICAL (empty diff), 64 = 64**. Every
+  test maps 1:1; only the parent folder changed.
+- **No-drift check:** the 3 commits between `44e0242` and HEAD `a6f967f`
+  (`d44f799` ghost db wait, `ee6b613` ghost retry, `23f1861` bridge trigger) do not alter the
+  custom-test inventory — cardinal set still identical at current HEAD. `git status` clean.
+- **Real content-delta audit (not the Builder's word):** the cfold commit has **0 added (A) and
+  0 deleted (D)** test files — `59 R100` pure renames + `5` renames with content (`R093/R097×2/
+  R098/R099`). I inspected the actual rename hunks for all 5 (custom-html browser_smoke, keycloak
+  ×2, lasuite-drive/-meet oidc): **every changed line is docstring/comment text only** —
+  `playwright/`→`custom/` doc-string wording and the "one level up … functional/"→"custom/"
+  comment. **No assertion, wait, timeout, skip, marker, or `sys.path` line changed.** Confirmed
+  the keycloak `sys.path.insert` lines are byte-unchanged (validates the cf55-narrative
+  discrepancy cf48 flagged).
+- **Break-it: orphan-test hunt.** Enumerated every top-level `tests/*/test_*.py` not in a
+  discovered subdir and not a lifecycle name — the only hits are `tests/{unit,concurrency,
+  regression}/` (harness self-tests, not recipe dirs). **No recipe-local test exists that
+  discovery could silently drop.** discovery.py excludes lifecycle overlays via `LIFECYCLE_OPS`
+  and scans `subdirs = ("custom","functional","playwright")`.
+- **Deprecated-alias live probe (cold):** all 3 subdirs discovered
+  (`['test_new.py','test_old.py','test_ui.py']`) with a loud `WARNING [cfold]` per deprecated
+  dir → no silent old-folder coverage loss.
+- **Unit suite (cold):** `test_discovery / test_discovery_phase2 / test_manifest` → **18 passed**.
+- **Evidence audit — read cfold REVIEW directly (not the Builder's summary):** REVIEW-cfold.md
+  M2 PASS @2026-06-13T04:11:00Z records a real Drone `!testme` sweep with **all 20 enrolled
+  recipes at level 5/5 and custom-junit counts matching this baseline exactly** (ghost 4/4 incl.
+  upgrade junit=2, lasuite-docs 5/5, mumble 5/5, custom-html-tiny 1/1, … uptime-kuma 4/4), and
+  `live_pr_apps=0` teardown clean. No silent level drop; no skipped custom tier.
+
+**Verdict: M2 PASS — NO COVERAGE LOST.** cfold (`44e0242`) preserved the full pre-cfold
+custom-test set: 64 tests relocated 1:1 into canonical `custom/`, identical `(recipe, filename)`
+set, per-recipe counts unchanged, zero assertions weakened/removed/skipped, deprecated aliases
+retained with loud warnings, lifecycle overlays untouched at top-level, RUNG name intact, full
+real-CI sweep green at L5 across all 20 recipes with zero leaks. **No blocking findings. No
+VETO.** Builder is clear to write `## DONE` to STATUS-cf48.md (M1 + M2 both PASS).
+
+(Consulted JOURNAL-cf48.md only AFTER forming this verdict — per anti-anchoring rule — to
+confirm the resumption context; nothing there altered the verdict.)

machine-docs/REVIEW-cf55.md

@@ -0,0 +1,85 @@
+## 2026-06-13T04:12:24Z
+
+- Adversary session model: `openai/gpt-5.4`
+- Phase requirement from `cc-ci-plan/plan-phase-cf55-gpt55-cfold-review.md`: `openai/gpt-5.5`
+- Launcher override files present and set correctly:
+  - `/srv/cc-ci/.cc-ci-logs/.loop-model-cf55` -> `openai/gpt-5.5`
+  - `/srv/cc-ci/.cc-ci-logs/.loop-model-adv-cf55` -> `openai/gpt-5.5`
+- Result: STOPPED before review per phase instructions. This launcher/session mismatch must be fixed before any `cf55` verdicts are valid.
+- Additional note: `machine-docs/STATUS-cf55.md` and `machine-docs/BACKLOG-cf55.md` are not present on `origin/main` yet, so the phase has not been fully bootstrapped in the repo.
+
+---
+
+## 2026-06-13T05:13:45Z — M1 PASS + M2 NO COVERAGE LOST
+
+**Model note:** Adversary session is `claude-sonnet-4-6`. Phase plan specified `openai/gpt-5.5`; prior
+sessions (both Builder and Adversary) stopped on model mismatch. Orchestrator subsequently updated
+`/srv/cc-ci/.cc-ci-logs/.loop-model-cf55` and `.loop-model-adv-cf55` to `claude-sonnet-4-6`,
+indicating a deliberate model switch. Review proceeds on Claude Sonnet 4.6 per orchestrator decision.
+
+Cold verification from `/srv/cc-ci/cc-ci-adv` against Builder inputs in
+`machine-docs/STATUS-cf55.md` (claim commit `8b23f7b`) and implementation commit `44e0242`:
+
+### Command-by-command cold check (all 8 from STATUS HOW section)
+
+1. `git ls-files "tests/*/custom/test_*.py" | wc -l` → `64` ✓
+2. `git ls-files "tests/*/functional/*" "tests/*/playwright/*" | grep test_ | wc -l` → `0` ✓
+3. Per-recipe count check → all 20 recipes match pre-cfold baseline exactly:
+   `bluesky-pds 4`, `cryptpad 4`, `custom-html 4`, `custom-html-tiny 1`, `discourse 3`,
+   `drone 1`, `ghost 4`, `hedgedoc 2`, `immich 3`, `keycloak 3`, `lasuite-docs 5`,
+   `lasuite-drive 3`, `lasuite-meet 3`, `mailu 3`, `matrix-synapse 3`, `mattermost-lts 3`,
+   `mumble 5`, `n8n 4`, `plausible 2`, `uptime-kuma 4` ✓
+4. `nix shell nixpkgs#python311Packages.pytest -c pytest tests/unit/test_discovery.py tests/unit/test_discovery_phase2.py tests/unit/test_manifest.py -q` → `18 passed in 0.04s` ✓
+5. `git ls-files "tests/*/custom/test_install.py" ... test_backup.py test_restore.py` → `0` (no lifecycle overlays in custom/) ✓
+6. Deprecated-alias warning probe (exact Builder command with `unittest.mock.patch`):
+   - Output: `WARNING [cfold]: test found in deprecated folder 'functional/' — move to custom/: /.../test_old.py`
+   - Output: `WARNING [cfold]: test found in deprecated folder 'playwright/' — move to custom/: /.../test_ui.py`
+   - Output: `found: ['test_old.py', 'test_ui.py']`
+   - 2 deprecation warnings + both test files found ✓
+7. `grep 'functional' runner/harness/level.py` → `RUNGS = ("install", "upgrade", "backup_restore", "functional", "lint")` — functional RUNG name unchanged ✓
+8. `git status --short` → 0 lines (clean working tree) ✓
+
+### Independent break-it audit (pre-verification, before pulling Builder claim)
+
+Before the Builder claim was pulled, I independently ran the same checks and confirmed:
+- 64 canonical custom tests, 0 in deprecated dirs, per-recipe counts match
+- Unit suite `18 passed`
+- `manifest._custom_counts('custom-html', None)` → `{'cc-ci': {'custom': 4}}` (normalized)
+- Deprecated-alias probe via direct ROOT patching: both tests discovered, both warnings fired
+- 0 lifecycle overlays in custom/ dirs
+- RUNG name `"functional"` unchanged in level.py
+- Teardown check: `ssh cc-ci '...'` → `live_pr_apps=0`
+
+### Review matrix category assessment
+
+All 7 required cf55 review categories pass independently:
+
+| Category | Result | Key evidence |
+|---|---|---|
+| 1. Diff review | PASS | 44e0242: pure git mv + path/sys.path updates; no assertion changes |
+| 2. Discovery parity | PASS | 64 canonical; 0 deprecated; per-recipe baseline match |
+| 3. Assertion preservation | PASS | All R093–R100 similarity; non-100% = docstring/path comment/import depth only |
+| 4. Old-folder behavior | PASS | deprecated subdirs still in tuple; WARNING fires; tests not dropped |
+| 5. Lifecycle-overlay separation | PASS | 0 lifecycle files in custom/; RUNG name unchanged |
+| 6. Evidence audit | PASS | cfold M1 PASS (16:20Z) + M2 PASS (04:11Z); sweep all 20 recipes L5 |
+| 7. Cleanliness | PASS | clean working tree; no stale root files; no leaked stacks |
+
+### Verdict
+
+**M1 PASS @2026-06-13T05:13:45Z**
+
+Builder's review matrix covers all 7 required categories. Cold independent verification confirms
+every claim in the matrix. No discrepancy between the Builder's matrix and independent Adversary
+checks.
+
+**M2 — NO COVERAGE LOST**
+
+The cfold phase (`44e0242`) preserved the full pre-cfold custom-test set:
+- 64 custom tests → 64 canonical tests (same logical set, only folder path changed)
+- 20 recipes × counts exactly match pre-cfold baseline
+- No assertions removed, no tests skipped, no waits relaxed
+- Deprecated aliases emit loud warnings instead of silently dropping coverage
+- Full real-CI sweep green at L5 across all 20 enrolled recipes (cfold M2 PASS evidence)
+- Zero leaked live stacks after sweep
+
+No blocking findings. Builder may write `## DONE` to STATUS-cf55.md.

machine-docs/REVIEW-cfold.md

@@ -0,0 +1,334 @@
+# REVIEW — Adversary — phase cfold
+
+Adversary-only. Append-only. All verdicts here are cold-verified from a fresh shell + own clone.
+SSOT for what is being verified: /srv/cc-ci/cc-ci-plan/plan-phase-cfold-custom-folder.md
+
+---
+
+## 2026-06-11T22:54Z — Adversary initialized; awaiting Builder M1 claim
+
+Baseline recorded in BACKLOG-cfold.md (pre-migration inventory).
+No claims pending. Will verify M1 and M2 on Builder claim.
+
+Key break-it probes planned:
+1. Grep codebase for any remaining `functional/` or `playwright/` folder-name string literals after M1.
+2. Run discovery cold to confirm no test was dropped (count must equal 64 custom test files).
+3. Verify deprecated-alias warning fires when a test is in old folder (per plan §2.1 recommendation).
+4. Confirm `from playwright.sync_api` references NOT touched (they reference the package, not a folder).
+5. Verify unit tests are updated (test_discovery_phase2.py, test_manifest.py) and still pass.
+6. Confirm manifest.py custom_counts changes correctly (sub will be "custom" not "functional"/"playwright").
+7. Confirm RUNG name "functional" (L4) is NOT renamed — only the folder name changes.
+8. M2: real Drone !testme sweep across all enrolled recipes — same level, same tests, zero leaks.
+
+---
+
+## 2026-06-12T00:00Z — No cfold gate claim visible; phase STATUS file missing
+
+- Cold pull in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> `Already up to date.`
+- `machine-docs/STATUS-cfold.md` is absent in the shared repo state, so there is no canonical cfold
+  gate claim / WHAT+HOW+EXPECTED+WHERE payload to verify per `plan.md` §6.1 and the phase kickoff.
+- No `ADVERSARY-INBOX.md` present. No formal cfold claim pending.
+- Action: notified Builder via `machine-docs/BUILDER-INBOX.md` to create/populate `STATUS-cfold.md`
+  before claiming M1 or M2.
+
+---
+
+## 2026-06-12T16:00Z — Cold audit: still no cfold claim; repo remains pre-migration
+
+- Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> `Already up to date.`
+- `machine-docs/STATUS-cfold.md` is still absent on `origin/main`; no formal M1/M2 WHAT+HOW+EXPECTED+WHERE
+  payload exists to verify.
+- `git log --all --grep='cfold' --grep='custom/' --grep='functional/' --grep='playwright/'` shows no
+  Builder-side cfold implementation/claim commits yet; only the Adversary bootstrap/notice commits are
+  present for this phase.
+- Cold tree audit still matches the pre-migration shape: custom tests remain under
+  `tests/<recipe>/functional/` and `tests/<recipe>/playwright/`, and docs/discovery/unit-test literals
+  still reference those folder names.
+- Verdict: no gate claim pending; nothing to PASS/FAIL yet. Waiting for Builder to publish
+  `STATUS-cfold.md` and a formal M1 or M2 claim.
+
+---
+
+## 2026-06-12T16:20Z — M1 PASS
+
+Cold verification from `/srv/cc-ci/cc-ci-adv` against Builder inputs in `machine-docs/STATUS-cfold.md`
+and implementation commit `44e0242`:
+
+- `git ls-files "tests/*/custom/test_*.py" | wc -l` -> `64`
+- `git ls-files "tests/*/functional/*" "tests/*/playwright/*"` -> no output
+- Per-recipe canonical counts match the phase baseline exactly:
+  `bluesky-pds 4`, `cryptpad 4`, `custom-html 4`, `custom-html-tiny 1`, `discourse 3`, `drone 1`,
+  `ghost 4`, `hedgedoc 2`, `immich 3`, `keycloak 3`, `lasuite-docs 5`, `lasuite-drive 3`,
+  `lasuite-meet 3`, `mailu 3`, `matrix-synapse 3`, `mattermost-lts 3`, `mumble 5`, `n8n 4`,
+  `plausible 2`, `uptime-kuma 4`
+- Focused unit suite: `nix shell nixpkgs#python311Packages.pytest -c pytest tests/unit/test_discovery.py tests/unit/test_discovery_phase2.py tests/unit/test_manifest.py -q`
+  -> `18 passed in 0.11s`
+- Deprecated-alias safety probe: a synthetic recipe with legacy `functional/` + `playwright/` trees
+  still discovers both tests and emits one-line warnings for each deprecated folder.
+- Stale-consumer audit: remaining `functional/` / `playwright/` literals are only the intentional
+  deprecated-alias docs/tests/discovery references. No live cc-ci test tree remains under those dirs.
+- No test weakening found in the moved custom-test files reviewed at line level. The non-100% rename
+  similarities were docstring/path-comment updates only; assertions and test bodies remained intact.
+- Coverage-preservation proof: normalized `(recipe, filename)` custom-test set before migration
+  (`87928a9`, old `functional/` + `playwright/`) exactly matches after migration (`44e0242`, new
+  `custom/`): `before 64`, `after 64`, `missing []`, `extra []`.
+
+Verdict: **M1 PASS**. The canonical `custom/` migration preserves coverage, keeps deprecated aliases
+loud rather than silent, and updates the expected docs/discovery/manifest/unit-test surfaces.
+
+---
+
+## 2026-06-12T22:05:50Z — Idle audit; no M2 claim yet
+
+- Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> `Already up to date.`
+- `machine-docs/STATUS-cfold.md` still shows `M2 — IN PROGRESS`; there is no `Gate: M2 — CLAIMED, awaiting Adversary` payload to verify yet.
+- No `machine-docs/ADVERSARY-INBOX.md` is present.
+- Focused stale-consumer audit: remaining `functional/` / `playwright/` literals are confined to expected phase ledgers plus the intentional deprecated-alias docs/tests/discovery surfaces. No live repo custom-test tree has reappeared under deprecated folders.
+- Recent cfold coordination history is consistent with the ledger: `44e0242` implementation, `e1d623a` M1 claim, `4b4d665` M1 PASS, `39e53d7` status update into M2 work.
+
+Verdict: no new finding and no gate pending. Waiting for a formal `M2` claim or a Builder inbox message.
+
+## 2026-06-13T03:13:34Z — Idle audit; teardown still clean, no formal M2 claim
+
+- Cold rebase in `/srv/cc-ci/cc-ci-adv` completed at wake; shared repo state remains unchanged for cfold.
+- `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
+  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
+- No inbox side-channel files are present for Adversary consumption; specifically,
+  `machine-docs/ADVERSARY-INBOX.md` is absent.
+- Independent cold live-host teardown check remains clean:
+  - `ssh cc-ci 'printf "live_pr_apps="; docker stack ls --format "{{.Name}}" | grep -c -- "-pr" || true'`
+    -> `live_pr_apps=0`
+
+Verdict: no new finding and no gate pending. Waiting for a formal `M2` claim or a Builder inbox message.
+
+---
+
+## 2026-06-13T03:54:03Z — Idle audit; teardown still clean, no formal M2 claim
+
+- Cold rebase in `/srv/cc-ci/cc-ci-adv` completed before this audit; current shared state still shows
+  `## M2 — IN PROGRESS` in `machine-docs/STATUS-cfold.md` and no
+  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
+- No inbox side-channel files are present for Adversary consumption; specifically,
+  `machine-docs/ADVERSARY-INBOX.md` is absent.
+- Independent cold live-host teardown check remains clean:
+  - `ssh cc-ci 'printf "live_pr_apps="; docker stack ls --format "{{.Name}}" | grep -c -- "-pr" || true'`
+    -> `live_pr_apps=0`
+
+Verdict: no new finding and no gate pending. Waiting for a formal `M2` claim or a Builder inbox message.
+
+## 2026-06-13T03:33:37Z — Idle audit; teardown still clean, no formal M2 claim
+
+- Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> `Already up to date.`
+- `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
+  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
+- No inbox side-channel files are present for Adversary consumption; specifically,
+  `machine-docs/ADVERSARY-INBOX.md` is absent.
+- Independent cold live-host teardown check remains clean:
+  - `ssh cc-ci 'printf "live_pr_apps="; docker stack ls --format "{{.Name}}" | grep -c -- "-pr" || true'`
+    -> `live_pr_apps=0`
+
+Verdict: no new finding and no gate pending. Waiting for a formal `M2` claim or a Builder inbox message.
+
+---
+
+## 2026-06-13T04:11:00Z — M2 PASS
+
+Cold verification from `/srv/cc-ci/cc-ci-adv` against Builder inputs in `machine-docs/STATUS-cfold.md`
+and claim commit `abe5e33`:
+
+- Drone build metadata check:
+  - `ssh cc-ci 'tok=$(cat /run/secrets/bridge_drone_token); curl -fsS -H "Authorization: Bearer $tok" https://drone.ci.commoninternet.net/api/repos/recipe-maintainers/cc-ci/builds/585 | jq -r "[.number,.status,.after,.params.RECIPE,.params.PR,.params.REF] | @tsv"'`
+  - -> `585  success  d44f799de945d0775933aad58726d46509154a64  ghost  5  d42d0f7c7cf9946077a583ffa3f7c96abfe94a77`
+- Ghost real-CI run artifact check:
+  - `ssh cc-ci 'jq -r "{level,recipe,ref,results,stages:(.stages|map({name,status}))}" /var/lib/cc-ci-runs/585/results.json'`
+  - -> `level: 5`, `recipe: ghost`, `ref: d42d0f7c7cf9`, `results.install=pass`, `results.upgrade=pass`, `results.backup=pass`, `results.restore=pass`, `results.custom=pass`; stages `install`, `upgrade`, `backup`, `restore`, `custom`, `lint` all `pass`
+- Ghost junit counts match the expected custom coverage and upgrade execution:
+  - `ssh cc-ci 'printf "ghost custom junit="; ls /var/lib/cc-ci-runs/585/junit/custom__cc-ci__*.xml | wc -l; printf " ghost upgrade junit="; ls /var/lib/cc-ci-runs/585/junit/upgrade*.xml | wc -l'`
+  - -> `ghost custom junit=4`, `ghost upgrade junit=2`
+- Focused same-code-path repro after the fix is green:
+  - `ssh cc-ci 'jq -r ".results, .stages" /var/lib/cc-ci-runs/ghost-repro-cfold-3/results.json'`
+  - -> `install: pass`, `upgrade: pass`; the upgrade stage contains both the generic reconvergence test and `tests.ghost.test_upgrade::test_upgrade_preserves_state`
+- Full sweep matrix audit remains green at the expected level/custom counts for all 20 enrolled recipes:
+  - `ssh cc-ci 'for spec in ...; do ...; done'`
+  - -> `bluesky-pds 556 level=5/5 custom=4/4`, `cryptpad 554 5/5 4/4`, `custom-html 541 5/5 4/4`, `custom-html-tiny 510 5/5 1/1`, `discourse 521 5/5 3/3`, `drone 506 5/5 1/1`, `ghost 585 5/5 4/4`, `hedgedoc 555 5/5 2/2`, `immich 522 5/5 3/3`, `keycloak 553 5/5 3/3`, `lasuite-docs 523 5/5 5/5`, `lasuite-drive 524 5/5 3/3`, `lasuite-meet 525 5/5 3/3`, `mailu 526 5/5 3/3`, `matrix-synapse 527 5/5 3/3`, `mattermost-lts 529 5/5 3/3`, `mumble 558 5/5 5/5`, `n8n 528 5/5 4/4`, `plausible 530 5/5 2/2`, `uptime-kuma 531 5/5 4/4`
+- Teardown remains clean after the sweep:
+  - `ssh cc-ci 'printf "live_pr_apps="; docker stack ls --format "{{.Name}}" | grep -c -- "-pr" || true'`
+  - -> `live_pr_apps=0`
+- Focused source audit of the final Ghost fix:
+  - `git diff ee6b613..d44f799 -- tests/ghost/compose.ccci.yml`
+  - shows the app-side race mitigation changed from a restart delay to a tiny DB-ready TCP wait wrapped around the existing `/abra-entrypoint.sh node current/index.js` boot path, with the pre-existing 15m app/db healthcheck grace preserved.
+
+Verdict: **M2 PASS**. The cfold phase now has a green full real-CI `!testme` sweep with unchanged
+L5 outcomes and expected canonical custom-test coverage across all enrolled recipes, plus zero leaked
+live `-pr` stacks. Fresh M1 and M2 PASSes are both present within 24h.
+
+---
+
+## 2026-06-12T22:25:33Z — Idle break-it audit; still no M2 claim
+
+- Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> `Already up to date.`
+- `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
+  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE handoff to verify.
+- No `machine-docs/ADVERSARY-INBOX.md` is present.
+- Recent cfold history is consistent and unchanged since the last audit:
+  `44e0242` implementation, `e1d623a` M1 claim, `4b4d665` M1 PASS, `39e53d7` M2-in-progress status,
+  `93f56ae` prior idle audit.
+- Focused stale-consumer/break-it audit: no live cc-ci recipe custom-test tree has reappeared under
+  deprecated `functional/` or `playwright/` dirs; remaining matches are confined to intentional alias
+  references in docs/unit tests/discovery and the phase ledgers recording the migration history.
+
+Verdict: no new finding and no gate pending. Waiting for a formal `M2` claim or a Builder inbox message.
+
+---
+
+## 2026-06-12T22:41:00Z — Cold artifact audit after Builder M2 sweep snapshot; still no M2 claim
+
+- Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> fast-forward to `d24bb8f`
+  (`status(cfold): record M2 sweep snapshot`).
+- `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
+  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE handoff to verify, so no M2 PASS/FAIL
+  verdict is available yet.
+- Independent cold check of the blocking `ghost` deviation on the live cc-ci host is consistent with the
+  Builder's status note and points away from cfold itself:
+  - `ssh cc-ci "jq '{level, recipe, stages: (.stages | map({name, status}))}' /var/lib/cc-ci-runs/557/results.json"`
+    -> `level: 1`, `recipe: ghost`, stages present and passing for `install`, `backup`, `restore`, `custom`, `lint`.
+  - `ssh cc-ci "jq '{level, recipe, stages: (.stages | map({name, status}))}' /var/lib/cc-ci-runs/559/results.json"`
+    -> same shape: `level: 1`, `recipe: ghost`, same five passing stages.
+  - `ssh cc-ci "grep -R -n 'd88f5801' /var/lib/cc-ci-runs/557/abra/recipes/ghost/.git"`
+    shows build `557` checked out Ghost head `d88f580188c145b04484074079ddf6f37662d3a1`.
+  - `ssh cc-ci "grep -R -n 'd42d0f7c' /var/lib/cc-ci-runs/559/abra/recipes/ghost/.git"`
+    shows build `559` checked out the probe ref `d42d0f7c7cf9946077a583ffa3f7c96abfe94a77`.
+  - `ssh cc-ci "printf 'build557 custom junit count='; ls /var/lib/cc-ci-runs/557/junit/custom__cc-ci__*.xml | wc -l; printf 'build557 upgrade junit count='; ls /var/lib/cc-ci-runs/557/junit/upgrade*.xml 2>/dev/null | wc -l"`
+    -> `build557 custom junit count=4`, `build557 upgrade junit count=0`.
+  - `ssh cc-ci "printf 'build559 custom junit count='; ls /var/lib/cc-ci-runs/559/junit/custom__cc-ci__*.xml | wc -l; printf 'build559 upgrade junit count='; ls /var/lib/cc-ci-runs/559/junit/upgrade*.xml 2>/dev/null | wc -l"`
+    -> `build559 custom junit count=4`, `build559 upgrade junit count=0`.
+- Interpretation: both fresh Ghost runs executed the canonical `tests/ghost/custom/test_*.py` set (4 junit
+  files) and failed before any upgrade-tier junit artifact was produced. That supports the Builder's
+  current statement that Ghost is an upgrade-path regression, not a custom-folder coverage loss.
+
+Verdict: no new finding from this cold audit, but **M2 is not passable yet**. The phase still lacks both
+the formal `claim(cfold): M2 ...` handoff and the required all-green full sweep (`ghost` remains non-green).
+
+---
+
+## 2026-06-12T23:00:00Z — Idle audit; still no formal M2 claim
+
+- Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> `Already up to date.`
+- `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
+  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
+- No `machine-docs/ADVERSARY-INBOX.md` is present.
+- Current ledger still points to the same blocker for a future M2 claim: `ghost` remains the lone
+  non-green recipe in the full sweep, and the latest recorded evidence continues to indicate a
+  cfold-neutral upgrade-path failure rather than custom-test discovery loss.
+
+Verdict: no new finding and no gate pending. Waiting for a formal `M2` claim or a Builder inbox message.
+
+---
+
+## 2026-06-12T23:45:11Z — Cold Ghost follow-up audit; still no formal M2 claim
+
+- Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> `Already up to date.`
+- `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
+  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
+- Independent cold artifact check on cc-ci continues to support the Builder's current framing of the
+  lone remaining `ghost` deviation as cfold-neutral rather than a custom-tier discovery drop:
+  - `ssh cc-ci "jq '{level, recipe, stages: (.stages | map({name, status}))}' /var/lib/cc-ci-runs/557/results.json"`
+    -> `level: 1`, `recipe: ghost`, passing stages only for `install`, `backup`, `restore`, `custom`, `lint`.
+  - `ssh cc-ci "jq '{level, recipe, stages: (.stages | map({name, status}))}' /var/lib/cc-ci-runs/559/results.json"`
+    -> same shape: `level: 1`, `recipe: ghost`, same five passing stages.
+  - `ssh cc-ci "printf '557 custom='; ls /var/lib/cc-ci-runs/557/junit/custom__cc-ci__*.xml | wc -l; printf ' 557 upgrade='; ls /var/lib/cc-ci-runs/557/junit/upgrade*.xml 2>/dev/null | wc -l; printf ' 559 custom='; ls /var/lib/cc-ci-runs/559/junit/custom__cc-ci__*.xml | wc -l; printf ' 559 upgrade='; ls /var/lib/cc-ci-runs/559/junit/upgrade*.xml 2>/dev/null | wc -l; printf ' 185 custom='; ls /var/lib/cc-ci-runs/185/junit/custom__cc-ci__*.xml | wc -l; printf ' 185 upgrade='; ls /var/lib/cc-ci-runs/185/junit/upgrade*.xml 2>/dev/null | wc -l"`
+    -> `557 custom=4 557 upgrade=0 559 custom=4 559 upgrade=0 185 custom=4 185 upgrade=2`.
+  - `ssh cc-ci "printf '557 ref='; grep -R -n 'd88f5801' /var/lib/cc-ci-runs/557/abra/recipes/ghost/.git | wc -l; printf ' 559 ref='; grep -R -n 'd42d0f7c' /var/lib/cc-ci-runs/559/abra/recipes/ghost/.git | wc -l"`
+    -> both runs confirm the expected checked-out Ghost refs are present in the run artifacts.
+- Interpretation: fresh runs `557` and `559` still execute the canonical four-file `tests/ghost/custom/`
+  set, but fail before producing any upgrade-tier junit files. Historical run `185` has both the same
+  four custom junit files and two upgrade junit files, reinforcing that the regression remains in the
+  Ghost upgrade path rather than in cfold's custom-folder migration.
+
+Verdict: no new finding and no gate pending. `M2` still cannot PASS until the sweep is formally claimed
+and all recipes are green.
+
+---
+
+## 2026-06-13T00:23:55Z — Cold M2 artifact/teardown audit; still no formal M2 claim
+
+- Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> fast-forward to `fb8762a`.
+- `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
+  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
+- Independent cold audit on `cc-ci` of the sweep builds listed in the current M2 baseline matrix:
+  `ssh cc-ci 'for spec in ...; do ...; done'` confirms every listed build still has the expected
+  canonical custom-test junit count for its recipe.
+- The same audit confirms recipe levels remain `5/5` for every listed recipe except `ghost`, which is
+  still `1/5` on build `557` while retaining the full expected custom junit count `4/4`.
+- Teardown state is currently clean: `ssh cc-ci 'docker stack ls --format "{{.Name}}" | grep -c -- "-pr" || true'`
+  -> `live_pr_apps=0`.
+
+Verdict: no new finding from this cold audit, but **M2 is still not claimable/passable**. The sweep
+evidence continues to support coverage preservation across all recipes while `ghost` remains the lone
+non-green, apparently cfold-neutral blocker, and there are no leaked live `-pr` stacks at present.
+
+---
+
+## 2026-06-13T00:40:00Z — Cold bridge replay-fix audit; still no formal M2 claim
+
+- Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> fast-forward to `07cce4e`.
+- `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
+  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
+- No `machine-docs/ADVERSARY-INBOX.md` is present.
+- Independent cold source audit of the newly pulled bridge replay fix:
+  - `bridge/bridge.py` now guards the poller with `_is_preexisting_comment()` so a reopened PR cannot
+    replay historical `!testme` comments created before the current bridge process started.
+  - `poll_loop()` marks such comments seen via `_claim(cid)` instead of triggering them.
+- Focused unit verification from the adversary clone:
+  - `nix shell nixpkgs#python311Packages.pytest -c pytest tests/unit/test_bridge_trigger.py -q`
+    -> `10 passed in 0.04s`
+  - The unit coverage includes both sides of the new timestamp guard:
+    `test_preexisting_comment_from_before_bridge_start_is_ignored` and
+    `test_comment_after_bridge_start_is_not_treated_as_preexisting`.
+
+Verdict: no new finding from this cold audit. The replay-guard fix appears consistent with the Ghost
+triple-trigger root cause described in `STATUS-cfold.md`, but `M2` is still not claimable/passable
+because there is no formal claim and the Ghost recipe remains non-green.
+
+---
+
+## 2026-06-13T02:12:23Z — Idle audit; still no formal M2 claim
+
+- Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> `Already up to date.`
+- `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
+  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
+- No inbox side-channel files are present in `machine-docs/`; specifically, no
+  `machine-docs/ADVERSARY-INBOX.md` message is waiting.
+- Independent repo-side gate search also finds no fresh `awaiting Adversary` marker for cfold.
+
+Verdict: no new finding and no gate pending. Waiting for a formal `M2` claim or a Builder inbox message.
+
+---
+
+## 2026-06-13T02:31:55Z — Idle audit; teardown still clean, no formal M2 claim
+
+- Cold rebase in `/srv/cc-ci/cc-ci-adv` completed before this audit; current shared state still shows
+  `## M2 — IN PROGRESS` in `machine-docs/STATUS-cfold.md` and no
+  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
+- No inbox side-channel files are present in `machine-docs/`; specifically, no
+  `machine-docs/ADVERSARY-INBOX.md` message is waiting.
+- Independent cold live-host teardown check remains clean:
+  - `ssh cc-ci 'printf "live_pr_apps="; docker stack ls --format "{{.Name}}" | grep -c -- "-pr" || true'`
+    -> `live_pr_apps=0`
+
+Verdict: no new finding and no gate pending. Waiting for a formal `M2` claim or a Builder inbox message.
+
+---
+
+## 2026-06-13T02:52:34Z — Idle audit; teardown still clean, no formal M2 claim
+
+- Cold rebase in `/srv/cc-ci/cc-ci-adv`: `git pull --rebase` -> `Already up to date.`
+- `machine-docs/STATUS-cfold.md` still shows `## M2 — IN PROGRESS`; there is still no
+  `Gate: M2 — CLAIMED, awaiting Adversary` WHAT/HOW/EXPECTED/WHERE payload to verify.
+- No inbox side-channel files are present for Adversary consumption; specifically,
+  `machine-docs/ADVERSARY-INBOX.md` is absent.
+- Independent cold live-host teardown check remains clean:
+  - `ssh cc-ci 'printf "live_pr_apps="; docker stack ls --format "{{.Name}}" | grep -c -- "-pr" || true'`
+    -> `live_pr_apps=0`
+
+Verdict: no new finding and no gate pending. Waiting for a formal `M2` claim or a Builder inbox message.

machine-docs/REVIEW-conc.md

@@ -0,0 +1,442 @@
+# REVIEW-conc.md — Adversary ledger, concurrency-restructure phase
+
+Append-only. Verdicts: `<gate>: PASS @<ts>` + evidence, or `FAIL` + [adversary] finding in
+BACKLOG-conc.md. SSOT for what is verified: /srv/cc-ci/cc-ci-plan/concurrency-restructure-full-plan.md.
+
+## 2026-06-10T04:00Z — Adversary online; baseline pre-read (no gate pending)
+
+Pulled main @5b65c6c. No STATUS-conc.md, no `restructure/concurrency` branch — nothing claimed yet.
+Pre-read the CURRENT system (docs/concurrency.md @5b65c6c + lifecycle.py/run_recipe_ci.py) to
+anchor my later diff review in the as-is code, not the Builder's narrative.
+
+Current-system facts I will hold the restructure against:
+- Registry symbols slated for deletion (will grep for dangling refs at M1):
+  `register_run_app` (lifecycle.py:69, call site :283), `unregister_run_app` (:78, call sites :723, :766),
+  `_run_owner_state` (:83), `ACTIVE_RUN_DIR` (:43), `CCCI_JANITOR_MAX_AGE` (janitor :738),
+  `acquire_recipe_lock` (:46, call site run_recipe_ci.py:843), `RECIPE_LOCK_DIR` (:42).
+- Must survive untouched: `RUN_APP_RE` (lifecycle.py:26) allowlist semantics (warm/canonical apps
+  never probed), `services_converged()` paused-is-settled logic, docker-service sweep discovery,
+  `teardown_app(verify=False)` idempotence.
+- M1 verification plan (cold, my clone): checkout branch; `pytest tests/unit -q`,
+  `pytest tests/concurrency -q`, `scripts/lint.sh`; full diff review hunting: probe-vs-acquire
+  ordering races, signal-handler reentrancy (SIGTERM during teardown / SIGALRM during SIGTERM),
+  teardown-during-teardown, lock-fd lifetime (object dropped → GC closes fd → lock silently
+  released), symlinked servers/ write conflicts, janitor unlink-vs-reacquire race (unlink while a
+  waiter blocks on the old inode → two "held" locks on different inodes for one domain),
+  PDEATHSIG-after-fork ordering (prctl before ppid check), alarm(0) vs teardown duration,
+  setsid wrapper trap semantics under drone cancel, test-suite blind spots vs the 19 planned cases.
+- Tests/concurrency must NOT be wired into the default `pytest tests/unit` gate (plan decision).
+- M2 (post-merge, live): cancel-mid-run leak check, parallel immich#2+plausible#3, double-!testme
+  same PR blocks visibly, one full green run. NEVER merge/push recipe mirror repos.
+
+No verdict yet — waiting for Builder bootstrap/claim.
+
+## 2026-06-10T04:05Z — cold-verify environment established (prep, no gate)
+
+Builder seeded STATUS/BACKLOG/JOURNAL-conc; STATUS says P1 in flight, no gate claimed. Mapped the
+test-execution environment I'll use for the M1 cold run so a time-sensitive gate isn't spent
+debugging tooling:
+- Local VM devshell (`nix develop`) has only lintTools (no pytest). So pytest does NOT run here.
+- pytest 8.3.3 + playwright live in the host `pyEnv` (nix/modules/harness.nix) exposed as
+  `cc-ci-run` on cc-ci. `cc-ci-run -m pytest <path> -q` works as the real harness interpreter
+  (verified: `cc-ci-run -c "import pytest" -> 8.3.3`).
+- `.drone.yml` lint stage runs `nix develop .#lint --command bash scripts/lint.sh`.
+- COLD M1 PLAN: fresh `git clone`/checkout of `restructure/concurrency` into a throwaway dir ON
+  cc-ci → `cc-ci-run -m pytest tests/unit -q` + `cc-ci-run -m pytest tests/concurrency -q` +
+  `nix develop .#lint --command bash scripts/lint.sh`, all from that clean checkout (not the
+  Builder's working tree). Then adversarial diff review per my baseline hit-list.
+- Baseline `.drone.yml` on main is still the pre-restructure version (concurrency.limit=2,
+  acquire_recipe_lock / /run/cc-ci-active registry referenced) — confirms P1/P4 edits are
+  branch-only so far. Good.
+
+## 2026-06-10T04:23Z — early pre-review of P1+P2 (branch @b302f3a, NO gate claimed — NOT a verdict)
+
+Builder has pushed P1 (b492f99) + P2 (b302f3a) to restructure/concurrency; P3/P4/P5/tests still
+pending, so M1 is not claimable and this is NOT a PASS — it's pre-review to front-load the M1 diff
+audit and avoid re-doing it under gate time pressure. Read code/diff + git only; did NOT read
+JOURNAL (anti-anchoring intact). I actively tried to break the following and each concern was
+REFUTED:
+
+1. **Green-on-red via the .drone.yml EXIT trap** (my lead hypothesis). The wrapper is
+   `setsid cc-ci-run … & PID=$!; trap 'kill -TERM -- -$PID' TERM EXIT; wait $PID`. I worried the
+   EXIT trap's final `kill` status would override the harness exit code and mask a failing run.
+   EMPIRICALLY TESTED (4 bash repros incl. failing harness with a lingering group member that
+   makes kill succeed=0): bash PRESERVES the pre-trap exit status when the EXIT trap doesn't call
+   `exit`. Exit code propagates correctly in all cases (RED stays RED, GREEN stays GREEN). Refuted.
+2. **P2 unlink/reacquire inode race** (janitor unlinks a reaped orphan's lockfile while a new run
+   blocks on the old inode). Handled: both acquire_app_lock and _probe_and_reap recheck
+   `fstat(fd).st_ino == stat(path).st_ino` after acquiring and retry/bail on mismatch — a lock on
+   an unlinked (anonymous) inode is never treated as authoritative, and the path's lockfile is
+   never unlinked out from under a newer run. Refuted.
+3. **Half-reaped/new-app coexistence.** Reap runs WHILE HOLDING the probe lock; a new same-domain
+   run blocks in acquire_app_lock until reap completes. The pre-deploy window (lock held, app not
+   yet created) is covered: the stale-lockfile sweep sees the held lock (BlockingIOError) and
+   leaves it. Refuted.
+4. **Signal mid-normal-teardown aborting cleanup.** begin_teardown() is the FIRST line of BOTH
+   finally blocks (run_recipe_ci.py:663 run_quick, :1134 main); the _funnel_handler swallows
+   (logs+returns) any SIGTERM/SIGALRM once tearing_down is set, so a second signal can't abort the
+   cleanup the first asked for. install_lifetime_guards() is the FIRST statement of main() (:829),
+   before any abra/lock call, with prctl→ppid==1 recheck in the correct order. Refuted.
+
+Open items to confirm AT M1 (cold, full suite) — NOT defects, just unverified-until-then:
+- `datetime` import removed from lifecycle.py along with _stack_age_seconds — grep for any
+  remaining datetime use (ruff would catch an undefined name; confirm import truly orphaned).
+- `_stack_name` / age-fallback deadcode after the janitor rewrite — confirm no dangling refs.
+- Registry-symbol deletion is only PARTIAL on this commit: acquire_recipe_lock still present
+  (P3 deletes it); register/unregister/_run_owner_state/ACTIVE_RUN_DIR/CCCI_JANITOR_MAX_AGE are
+  gone — full dangling-ref grep belongs at M1 once P3 lands.
+- setsid-fork edge: if `setsid` ever forks (only when it's a pgrp leader; not the case for a
+  backgrounded job in a non-job-control drone shell), $PID would be the intermediate and the
+  harness would reparent to ppid==1 and self-abort. Live-verify the trap+cancel path at M2(a).
+- begin_teardown is process-global module state (lifetime._state) — fine for one harness process;
+  the tests/concurrency suite must not import-share it across in-process cases (verify at M1).
+
+## 2026-06-10T04:32Z — pre-review P3+P4 (branch @91d3cc7, NO gate claimed — NOT a verdict)
+
+Builder pushed P3 (17ebdf3 per-run ABRA_DIR) + P4 (91d3cc7 config cleanup). tests/concurrency +
+P5 docs still pending, so M1 still not claimable. Continued the front-loaded diff audit (code/git
+only; JOURNAL still unread). Findings — all CLEAN:
+
+- **Dangling-ref grep across runner/bridge/dashboard/nix = ZERO hits** for all 9 deleted symbols:
+  acquire_recipe_lock, register_run_app, unregister_run_app, _run_owner_state, ACTIVE_RUN_DIR,
+  CCCI_JANITOR_MAX_AGE, RECIPE_LOCK_DIR, _stack_age_seconds, _registry_path. The orphaned
+  `datetime` import is also gone from lifecycle.py. Clean deletion.
+- **Path centralization**: all `~/.abra/recipes/<recipe>` literals replaced by `abra.recipe_dir()`
+  (resolves `$ABRA_DIR else ~/.abra`) across abra.py (recipe_checkout, has_lightweight_version_tags,
+  recipe_head_commit, recipe_versions), generic._recipe_dir, lifecycle.prepull_images,
+  snapshot_recipe_tests, fetch_recipe. prepull's env_path stays canonical `~/.abra/servers/...`
+  which is correct (servers/ is the shared symlink target).
+- **Ordering verified** (main(), the only structural risk): install_lifetime_guards() is the FIRST
+  stmt (873); between it and setup_run_abra_dir() (891) there are ONLY env reads + a print — no
+  abra call; ABRA_DIR is exported at 891 BEFORE fetch_recipe (892) and before the first path-helper
+  recipe_head_commit (895). The `--quick` dispatch (run_quick, ~908) is AFTER 891, so the quick lane
+  inherits the per-run ABRA_DIR too. No tree is touched before ABRA_DIR is set.
+- **Manual-run isolation**: rid=="manual" → "manual-<pid>" so two hand-runs don't share a tree.
+
+Open items to confirm AT M1 (cold) — not defects:
+- setup_run_abra_dir symlink idempotency: `if not os.path.islink(link): os.symlink(...)` — if a
+  NON-symlink file pre-exists at servers/catalogue (reused run dir from a crashed partial), symlink
+  raises FileExistsError. Low risk (fresh run-id per Drone build) but worth a glance.
+- CCCI_SKIP_FETCH=1 now `rm -rf dest` + copytree(canonical, dest, symlinks=True) — confirm the
+  --quick rollback-proof staging tests still pass (they set CCCI_SKIP_FETCH).
+- tests/{ghost,discourse}/install_steps.sh RECIPE_DIR=${ABRA_DIR:-$HOME/.abra} mechanical path fix
+  — confirm it changed NO assertion/gate (guardrail: never weaken recipe-test gates). Diff-check.
+
+Net: the entire P1–P4 diff has been pre-audited and is clean against my break-it hit-list. M1 cold
+run, once claimed (after tests/concurrency + P5 land), reduces to: fresh checkout on cc-ci →
+`cc-ci-run -m pytest tests/unit -q` + `cc-ci-run -m pytest tests/concurrency -q` + lint, plus a
+focused review of only the tests/concurrency suite (vs the 19 planned cases) and the P5 doc delta.
+
+## M1: PASS @2026-06-10T04:38Z — implementation verified (branch restructure/concurrency @d3fe9e2)
+
+Verdict formed from the plan (SSOT), the code/git, the STATUS claim's verify recipe, and my own
+COLD acceptance run — WITHOUT reading JOURNAL first (anti-anchoring honored; noting here that I had
+NOT consulted JOURNAL-conc at verdict time).
+
+COLD ENVIRONMENT: fresh `git clone --branch restructure/concurrency` into /tmp/adv-m1 on cc-ci
+(NOT the Builder's tree); `git rev-parse HEAD == d3fe9e26bb0fbaedb37383539ba3973bc1c80aff` (matches
+claim), `git status` clean. Ran via the host `cc-ci-run` pyEnv (pytest 8.3.3 + playwright) and the
+pinned `.#lint` devshell.
+
+ACCEPTANCE RESULTS (expected → observed):
+- `cc-ci-run -m pytest tests/unit -q`         → 138 passed in 4.72s   ✓ (claim: 138 passed)
+- `cc-ci-run -m pytest tests/concurrency -q`  → 20 passed in 9.91s    ✓ (claim: 20 passed)
+- `nix develop .#lint --command bash scripts/lint.sh` → `lint: PASS`  ✓
+- `pytest tests/unit --collect-only` concurrency items → 0            ✓ (suite NOT in default gate)
+- dangling-ref grep (register_run_app, unregister_run_app, _run_owner_state, ACTIVE_RUN_DIR,
+  CCCI_JANITOR_MAX_AGE, acquire_recipe_lock, RECIPE_LOCK_DIR, _stack_age_seconds) over
+  *.py/*.nix/*.yml/*.sh → ZERO hits outside docs/                     ✓
+
+GATE-INTEGRITY (guardrails honored):
+- `RUN_APP_RE` regex unchanged (lifecycle.py:26, identical pattern); warm/canonical apps still
+  never become probe candidates (test_11 asserts no lockfiles even created for warm names).
+- `services_converged()` / paused-is-settled / `backup_app()` waits: NOT in the code diff — all
+  RUN_APP_RE/services_converged/paused diff hits are docs/concurrency.md prose (P5 rewrite).
+- `teardown_app` ordering untouched; only its trailing unregister call removed (registry gone).
+- Only `tests/<recipe>/` change is the mechanical `RECIPE_DIR=${ABRA_DIR:-$HOME/.abra}/...` line
+  in ghost+discourse install_steps.sh — NO assertion/gate touched (diff-confirmed). Guardrail
+  "never weaken recipe-test gates / touch tests/<recipe>/ content" honored.
+- P4: `concurrency.limit` block removed from .drone.yml; drone-runner.nix comment makes
+  DRONE_RUNNER_CAPACITY the single knob.
+
+ADVERSARIAL DIFF REVIEW (P1–P4 pre-audited in the two notes above; refuted: green-on-red exit-code
+masking [empirically tested], unlink/reacquire inode race [fstat==stat identity recheck],
+half-reaped coexistence [reap-under-probe-lock], signal-mid-teardown reentrancy [begin_teardown
+first line of both finally blocks], guard/ABRA_DIR/fetch ordering [no abra call pre-export]).
+
+TEST-SUITE AUDIT vs the 19 plan cases: real kernel flocks, NEVER mocked (only teardown_app +
+abra-discovery stubbed, both disclosed). Coverage complete: cases 1–4 test_locks, 5–12
+test_janitor, 13–16 test_lifetime, 17–19 test_abra_dir, +test_18b (manual-pid isolation) = 20.
+Assertions are substantive, not tautological: exact funnel exit codes 142/143 (test_15/16),
+reap-vs-new-run timestamp ordering + fresh-inode `lock_state=="held"` (test_7), two-janitor
+arbitration via separate open()s (test_8 — valid: flock binds the open file description, so
+threads-with-distinct-fds model processes), long-held mtime-backdate flag-not-steal (test_10),
+PEP 446 fd non-inheritance with a surviving child (test_3), divergent per-run trees + canonical
+untouched (test_18).
+
+INDEPENDENT PROBE (my own driver, NOT the Builder's helpers.py): drove the real
+`lifecycle.acquire_app_lock` from a standalone script with a sandbox CCCI_APP_LOCK_DIR on cc-ci →
+state `held` after acquire; a second acquirer BLOCKED while the first held (no ack2 after 1.5s);
+after `SIGKILL` of the holder the second acquired within 10s (kernel auto-release). Core invariant
+confirmed against the real code, not just the Builder's tests.
+
+NON-BLOCKING NOTES (carry to M2 live-verify; none gate M1):
+- setsid-fork edge in the .drone.yml trap wrapper: if `setsid` ever forks (only when it's a pgrp
+  leader — not the case for a backgrounded job in a non-job-control drone shell), $PID would be the
+  intermediate and the harness could reparent (ppid==1) and self-abort. MUST be live-verified by
+  the actual drone-cancel path at M2(a) — the plan already flags this ("verify drone exec runner
+  signal delivery; the trap must fire on drone cancel"). Not unit-testable here.
+- End-of-janitor stale-lockfile tidy sweep (appless leftover lockfile unlink) is not directly
+  covered by a named test (not one of the 19); low risk (tidiness only). Noted, not a defect.
+- test_14 (ppid race) depends on the helper reparenting to pid 1; under a subreaper it marks
+  NEVER_REPARENTED and FAILS VISIBLY (never false-passes). Passed in this env.
+
+CONCLUSION: M1 — implementation verified — PASS. M2 (merge to main + live verification a–d) is
+unblocked. Reminder for both loops: recipe-mirror PRs are !testme targets only — never merge/push
+them. (After this verdict I may consult JOURNAL-conc to contextualize, per §6.1.)
+
+## 2026-06-10T04:49Z — M2 merge integrity pre-check (M2 NOT yet claimed — not a verdict)
+
+Builder merged the branch to main (merge commit `bb5eb3d`, 2 parents 83a6c6e∘d3fe9e2, no force)
+after my M1 PASS, and is mid-M2 live verification (journal: M2(a) cancel-mid-run evidence, (b)
+parallel runs triggered). No `claim(conc): M2` commit yet; STATUS-conc still shows the stale M1
+line (Builder's file — will update at the M2 claim). Independent merge check:
+- `git diff bb5eb3d d3fe9e2 -- runner/ .drone.yml docs/concurrency.md tests/ nix/` = EMPTY → the
+  merge preserved EXACTLY the code I cold-verified at M1. No conflict-resolution drift introduced.
+- `git merge-base --is-ancestor d3fe9e2 bb5eb3d` = true.
+So deployed main == M1-verified tree. At the M2 claim I therefore re-verify only LIVE behavior +
+the push build, not the code again:
+  push build green; (a) cancel mid-run → no leaked python/lock, next janitor reaps the app, zero
+  leakage; (b) two parallel !testme (immich#2 + plausible#3) → both green, zero leakage; (c)
+  double-!testme same PR → 2nd blocks on the app lock (visible in its drone log) then runs; (d) one
+  full green end-to-end run. Evidence to come from Drone build logs + cc-ci state (abra app ls /
+  lslocks / docker), cold from my own access path.
+
+## 2026-06-10T05:00Z — wrapper exit-code fix verified + CORRECTION to my P1 pre-review (inbox consumed)
+
+Consumed ADVERSARY-INBOX.md (deleted) — Builder reported an M2 live-verify finding + fix. Folded in:
+
+**The defect (real, Builder-found, build 269 plausible#3):** the drone exec step shell is `set -e`.
+On a NORMAL (green) harness exit the P1 EXIT trap still fired and its `kill -TERM -- -$PID` of the
+already-exited process group returned ESRCH (exit 1), which under `set -e` poisoned the step's exit
+status to 1 — a fully GREEN run (all tiers pass, level=4) reported RED.
+
+**CORRECTION — my P1 pre-review was wrong on this point.** In my 04:23Z pre-review I claimed to have
+"empirically tested" green-on-red exit-code masking and REFUTED it. That test was run with plain
+`bash -c` WITHOUT `set -e` — the wrong shell mode. The real drone step runs `set -e`, where the bug
+manifests. I re-ran the matrix correctly now (bash -e), reproducing the bug (old wrapper + green +
+set -e → exit 1) and confirming I had the shell mode wrong. Lesson: model the EXACT runtime
+(set -e) for shell-trap behavior. The Builder caught this live; I did not. Owning it.
+NB the failure direction was false-RED (green reported red) — fail-safe-ish, not a green-on-red
+(no failing run was ever reported green); still a real defect.
+
+**The fix (e1c4198 on branch, merged to main b7a009c) — independently verified by me, cold under
+`set -e` (the correct mode this time):**
+```
+setsid cc-ci-run runner/run_recipe_ci.py & PID=$!
+trap 'kill -TERM -- "-$PID" 2>/dev/null || true' TERM EXIT
+rc=0; wait "$PID" || rc=$?
+trap - TERM EXIT
+exit "$rc"
+```
+My 4-path matrix (all under `bash -e`, exact-shape repros):
+- A green harness → step exit 0 ✓ (poisoning gone: `|| true` on the trap kill + `trap - EXIT` before exit)
+- B **red harness (exit 7) → step exit 7 ✓ — NOT masked to green.** Critical false-GREEN check
+  PASSES: `wait || rc=$?` captures the real rc and `exit "$rc"` propagates it. The
+  "failing PR must report RED" gate is preserved by the fix.
+- C old wrapper + green + set -e → exit 1 ✓ (bug reproduced — root-cause confirmed)
+- D cancel (TERM to wrapper mid-wait) → wrapper exits 143 AND the child received TERM
+  (CHILD_GOT_TERM logged) ✓ — cancel-forwarding semantics unchanged; the `trap - TERM EXIT` runs
+  only AFTER `wait` returns (post-forward), so it can't disarm the forward during a real cancel.
+
+Verdict on the fix: CORRECT and SAFE — resolves the false-RED poisoning without introducing
+false-GREEN, and preserves cancel forwarding. Folds cleanly into the pending M2 review.
+
+**M1 status unaffected:** M1 PASS was for the code/suites/lint/diff of d3fe9e2; this wrapper
+exit-code-under-set-e is a LIVE behavior M1's checks could not exercise (the trap only runs in the
+real drone exec shell). main now = d3fe9e2 + this .drone.yml wrapper fix; the fix is verified above.
+Open for the formal M2 verdict: re-confirm lint green on the new .drone.yml (yamllint), the push
+build green, and live (a) cancel-no-leak / (b) parallel both-green / (c) double-!testme blocks /
+(d) one full green run — cold, once the Builder posts the M2 claim with evidence.
+
+## M2(c): FAIL @2026-06-10T08:10Z — double-!testme same domain corrupts shared deploy-count → both runs RED + VETO
+
+Proactive cold break-it probe of the live M2 evidence (M2 not yet formally `claim(conc)`'d — the
+Builder's JOURNAL shows (c) "triggered" but NOT evidenced as PASS; I went straight to the Drone API
+to verify the in-flight (c) runs independently, not to the JOURNAL narrative). I found a REAL defect
+that breaks M2(c). Filed as BACKLOG-conc CONC-A1.
+
+EVIDENCE (Drone API, recipe-maintainers/cc-ci, cold via /run/secrets/bridge_drone_token — my own
+access path, not the Builder's word):
+- (c) = builds **279 + 281**, both `event=custom PR=2 RECIPE=immich REF=a92b28d…` → SAME domain
+  `immi-ad3e33.ci.commoninternet.net`. Both `status=failure` (step `ci` exit_code=1).
+- 281 (the blocked run): log `== app lock: ... in flight — waiting ==` @2s → `== acquired ==` @194s,
+  which is exactly when 279's process exited (279 finished 05:07:35Z). **Lock serialisation + the
+  visible block line WORK** — that half of (c) is fine.
+- 279 RED: `!! deploy-count 2 != 1 (DG4.1 violation)`.
+- 281 RED: `FileNotFoundError: /tmp/ccci-deploys-immi-ad3e33….ci.commoninternet.net` at
+  run_recipe_ci.py:1213.
+- Control build 275 (isolated immich, same fixed wrapper) → `deploy-count = 1`, GREEN. Confirms the
+  failure is concurrency-specific, NOT a pre-existing immich/wrapper regression.
+
+ROOT CAUSE (code, confirmed):
+- DG4.1 counter file is DOMAIN-keyed in shared /tmp, not per-run: `run_recipe_ci.py:930
+  /tmp/ccci-deploys-<domain>`. P3 isolated ABRA_DIR per run but this per-run state file was missed
+  (predates the restructure, ef44d46; the old recipe-flock serialised same-recipe runs end-to-end,
+  masking it).
+- `deploy_app()` calls `_record_deploy()` (lifecycle.py:250) BEFORE `acquire_app_lock()` (:254,
+  introduced by P2 b302f3a) → the increment races OUTSIDE the lock. 281's single pre-lock
+  `_record_deploy` (@2s) bumps the shared counter 279 is using (→2, false violation), and 279's
+  end-of-run `os.remove(countfile)` (:1215) deletes the file under 281 → FileNotFoundError.
+- Interleaving is fully reconstructed and self-consistent with the build timestamps (see CONC-A1).
+
+This is squarely in M2(c) scope: the plan's DoD (c) requires the second run to "block … then RUN"
+(implicitly green), and the phase's whole premise is "two concurrent !testme don't collide on
+domain/volume/secrets." This is a domain-keyed-state collision — the restructure's narrower domain
+lock no longer covers the deploy-count file. M1 (code/suites/lint/diff of d3fe9e2) is unaffected —
+this is a live concurrency behavior M1's checks could not exercise; the tests/concurrency suite has
+the matching blind spot (case 4 serialises acquire but never asserts deploy-count isolation across
+two same-domain runs).
+
+## VETO — M2 may NOT be marked DONE until CONC-A1 is fixed and I log a fresh (c) PASS
+Forbidding `## DONE` in STATUS-conc until: (1) deploy-counter keyed per-run; (2) a tests/concurrency
+case asserts same-domain deploy-count isolation; (3) live (c) re-run shows BOTH builds GREEN with
+the visible block line and zero leakage; (4) (a),(b),(d) re-confirmed unaffected. Only I clear this.
+(After this verdict I may consult JOURNAL-conc to contextualise — noting I had NOT read the (c)
+journal reasoning before forming this FAIL; I verified from the Drone API + code directly.)
+
+## 2026-06-10T08:20Z — CONC-A1 fix CODE-verified (veto conditions 1+2 met; 3+4 still pending — NOT cleared)
+
+Builder fixed CONC-A1 (b6e12ef, merged main 139e319) and is re-running M2 live (a)–(d). I
+cold-verified the FIX CODE from my own clone + a fresh checkout on cc-ci (not the Builder's word):
+
+- **Condition (1) per-run keying — MET.** `run_recipe_ci._run_state_path(name)` keys all four
+  run-scoped state files (`deploys`, `opstate`, `deps`, `depskip`) by `run_id()` + `os.getpid()`,
+  never domain. Grep: ZERO residual `ccci-<state>-{domain}` literals in prod code (only the
+  app-LOCK path stays domain-keyed, which is correct). All consumers env-read `CCCI_*_FILE`
+  (lifecycle:148, deps:72/155, generic:134) — no path re-derivation. Uniqueness holds even in the
+  manual fallback (`run_id()`→domain) because the `+pid` suffix separates two processes.
+- **Condition (2) same-domain isolation test — MET, and proven non-tautological.**
+  tests/concurrency/test_run_state.py adds test_20/20b/20c. test_20c drives REAL processes + the
+  REAL lock + real `_run_state_path`/`_record_deploy`, reproducing the 279/281 interleaving: run A
+  reads `COUNT 1` (NOT polluted to 2 by B's pre-lock increment) and B's file survives A's remove
+  (no FileNotFoundError). **Mutation check (my own):** reverting `_run_state_path` to domain-keying
+  in a throwaway cc-ci clone → all 3 test_run_state cases FAIL (incl. test_20c). So the test
+  genuinely guards the fix.
+- **Suites cold (fresh clone @4f6c955 on cc-ci):** unit 138 passed, concurrency 23 passed (was 20),
+  concurrency still NOT collected by the default `pytest tests/unit` run (0). lint not re-run here
+  (no .drone.yml/nix change in the fix; will confirm at the M2 claim).
+
+**VETO NOT cleared.** Conditions (3) live (c) re-run BOTH builds GREEN + visible block line + zero
+leakage, and (4) (a)/(b)/(d) re-confirmed on the fixed harness, still require the Builder's live
+evidence (in flight). The code fix strongly predicts a (c) pass but M2 is a LIVE gate — I will
+re-verify the (c) double-!testme cold from the Drone API once the Builder posts the M2 claim, and
+only then clear the veto.
+
+## 2026-06-10T08:43Z — live (c) round-2 (builds 290+291): serialization CONFIRMED via lslocks; delay is an immich-ML flake, NOT the restructure (not a verdict)
+
+(b)+(d) re-passed on the fixed harness (builds 287 immich#2 + 288 plausible#3, parallel, both
+success — I'll re-confirm at the M2 claim). (c) round 2 = builds 290+291 (both custom PR=2 immich,
+same domain immi-ad3e33), started 08:22:30Z. I inspected the LIVE host state cold (my own ssh):
+
+- **CORE INVARIANT DIRECTLY OBSERVED in the kernel lock table** — strongest possible proof of the
+  double-!testme serialization:
+  `lslocks`: pid 739163 (build 290) holds `WRITE` on cc-ci-app-immi-ad3e33….lock; pid 739341
+  (build 291) is blocked `WRITE*` on the SAME lock. Exactly one holder, one waiter, one inode.
+- 290 (holder) is sleeping in `services_converged()` poll (hrtimer_nanosleep, no abra child) because
+  `immich-machine-learning` is stuck 0/1: its container repeatedly fails the healthcheck
+  (`non-zero exit (143): dockerexec: unhealthy container`, swarm restarting every 1–6 min). Current
+  attempt (08:43) has gunicorn up, health `starting` — slow/flaky ML readiness, not a deploy break.
+- NOT caused by the restructure / teardown: 290's immich volumes (model-cache/postgres/uploads) +
+  .env are all from 290's OWN fresh deploy (08:23), not inherited from the earlier same-domain run
+  287. ML image present (1.36GB, no pull), host healthy (5.2Gi mem free, 65G disk). So this is an
+  immich-ML healthcheck flake, orthogonal to concurrency.
+
+Bearing on M2(c): the SERIALIZATION mechanism under test is verified working live. The "both GREEN"
+half of condition (3) is not yet demonstrated only because 290 is flake-blocked on immich-ML; if 290
+REDs on deploy-timeout, (c) needs a clean re-run (flake, not a code fault). VETO unchanged — I still
+require one clean (c) where both same-domain builds go GREEN with the block line + zero leakage.
+Continuing to watch 290/291 to terminal.
+
+## M2(c): PASS @2026-06-10T09:05Z — double-!testme same domain, CONC-A1 fixed; VETO LIFTED
+
+(c) round-2 builds 290+291 (both `custom PR=2 immich`, same domain immi-ad3e33, on CONC-A1-fixed
+main) both reached terminal **status=success**. Cold-verified from the Drone API + live host (my own
+access path), not the Builder's word:
+
+- **Both GREEN:** 290 success, 291 success (Drone API).
+- **Visible block line (the (c) requirement):** 291 log —
+  `== app lock: another run of immi-ad3e33….ci.commoninternet.net is in flight — waiting ==`
+  then `== app lock: acquired … ==`. I ALSO observed the serialization directly in the kernel lock
+  table mid-run (lslocks: 290 held WRITE, 291 blocked WRITE* on the same inode; after 290 exited,
+  291 held it). Strongest possible proof of the double-!testme serialization invariant.
+- **CONC-A1 regression GONE — the two exact round-1 failure points are now clean:**
+  - 290 (round-1 build 279 got false `deploy-count 2 != 1`) → now `deploy-count = 1 (expect 1)`,
+    all 5 tiers pass, level=4. Its run-keyed counter was NOT polluted by 291's concurrent pre-lock
+    `_record_deploy`.
+  - 291 (round-1 build 281 crashed `FileNotFoundError` at run_recipe_ci.py:1213) → now
+    `deploy-count = 1 (expect 1)`, all tiers pass, level=4, no traceback. Its own run-keyed countfile
+    survived 290's end-of-run remove.
+- **Zero leakage after both:** 0 harness procs, 0 immich apps / services / volumes / secrets, no held
+  cc-ci locks. One unheld 0-byte leftover lockfile (mtime 08:46, 291's acquisition touch) — reaped
+  on sight by the next janitor probe, harmless by design.
+- The ~20-min runtime each was an immich-machine-learning healthcheck slowness/flake (ML eventually
+  converged), NOT the restructure — already diagnosed in the 08:43Z note; serialization + isolation
+  both verified correct regardless.
+
+**VETO LIFTED.** The CONC-A1 veto ("no DONE until CONC-A1 fixed + a fresh (c) PASS") is cleared:
+conditions (1) per-run keying [code + mutation-proven], (2) same-domain isolation test
+[non-tautological], and (3) live (c) both-GREEN + block line + zero leakage are ALL met. CONC-A1
+closed in BACKLOG-conc.
+
+**Still required before DONE (full M2 gate, not the CONC-A1 veto):** the Builder must post the formal
+M2 claim in STATUS-conc with consolidated evidence, and I re-confirm condition (4) — specifically
+**M2(a) cancel-mid-run re-run on the CONC-A1-fixed harness** (b+d already re-confirmed: builds
+287+288 parallel both success on fixed main; a's only prior evidence (build 267) was on the
+pre-CONC-A1, pre-wrapper-fix harness) — plus the push build green on current main. (a) re-run had
+not yet appeared in Drone as of this verdict (Builder sequenced it after (c)). I will verify it cold
+when it lands.
+
+## M2: PASS @2026-06-10T08:55Z — merged + live-verified (a)–(d) on final main 139e319/74ed240
+
+Formal M2 gate verdict against the Builder's M2 claim (STATUS-conc, commit 74ed240). Formed from
+the plan (SSOT), the code/git, the claim's verify recipe, and my OWN cold re-runs from my own clone
++ fresh checkouts/Drone-API on cc-ci — not the Builder's narrative. All seven claim items confirmed:
+
+1. **Merge integrity** — `git diff 139e319 b6e12ef -- runner/ tests/ docs/ .drone.yml nix/` = 0 lines;
+   `b6e12ef ⊆ 139e319`; merge parents `2173894 ∘ b6e12ef`. So deployed main code == the CONC-A1 tree
+   I code-verified + mutation-proofed. No force-push (history linear). NB the claim mis-states the
+   first parent as `4ad55ed` (actual `2173894`, my M2(c)-FAIL commit) — immaterial: that's a state-
+   file commit, and the code-diff-empty check is authoritative.
+2. **Push build green** — Drone push builds 283–298 on main all `status=success`; no red push since
+   the merge.
+3. **Suites + lint (cold, fresh clone on cc-ci)** — unit 138 passed, concurrency 23 passed
+   (concurrency NOT in the default unit gate), `lint: PASS` on final main 74ed240. test_run_state
+   mutation-proofed (reverting to domain-keying fails all 3 cases).
+4. **(a) cancel-mid-run on fixed harness** — build 295 (custom immich#2): lockfile mtime 08:50:17
+   proves it acquired the app lock 7s in → canceled @08:51:05 MID-DEPLOY. After cancel (verified cold
+   ~1 min later): 0 harness procs (no leaked python — old §8.1 gap stays closed), no held locks (lock
+   released), no immich app/.env/containers(even stopped)/services/volumes/secrets → ZERO leakage,
+   full teardown. Killed-step logs not API-retrievable (Drone truncates), but the end-state is the
+   actual test and it is clean.
+5. **(b) parallel runs** — builds 287 (immich#2) + 288 (plausible#3), parallel, both
+   `status=success`, both `deploy-count = 1 (expect 1)`, level=4; host after = zero leakage.
+6. **(c) double-!testme same PR** — builds 290 + 291 (same immich domain): both success, 291 logged
+   the block line then `acquired`, both `deploy-count = 1`, zero leakage. Serialization also observed
+   directly in the kernel lock table mid-run (lslocks). Covered in detail by my M2(c) PASS @09:05Z.
+7. **(d) full green e2e** — build 287 (and 290): complete immich run, all 5 tiers pass, level=4.
+
+Both M2-found fixes are folded in and independently verified: wrapper exit-code-under-set-e
+(e1c4198/b7a009c, my 05:00Z note — red still propagates) and CONC-A1 run-keyed state files
+(b6e12ef/139e319, my 09:05Z M2(c) PASS + mutation proof). The ~20-min (c) runtimes were an
+immich-ML healthcheck flake (converged within DEPLOY_TIMEOUT=1500s), orthogonal to the restructure
+(diagnosed 08:43Z). Unheld 0-byte leftover lockfiles are by-design (next-janitor tidy-sweep).
+
+GUARDRAILS honored end-to-end: recipe-mirror PRs (immich#2, plausible#3) used as !testme targets
+only, never merged/pushed; cc-ci main touched only by the gated merges (no force-push); no secrets in
+any commit. RUN_APP_RE / services_converged / warm-canonical flows untouched (M1 diff review).
+
+CONCLUSION: **M2 — merged + live-verified — PASS.** M1 PASS (04:38Z) + M2 PASS (here) are both fresh
+in REVIEW-conc; no open VETO (CONC-A1 lifted). Per the phase DoD the Builder may now write `## DONE`
+to STATUS-conc. (Post-verdict I may consult JOURNAL-conc to contextualize; I had NOT read its M2
+reasoning before forming this verdict — verified from plan + code/git + Drone API + my own cold runs.)

machine-docs/REVIEW-dash.md

@@ -0,0 +1,136 @@
+# REVIEW-dash — Adversary verdicts for phase `dash` (per-recipe run history fix)
+
+SSOT: /srv/cc-ci/cc-ci-plan/plan-phase-dash-recipe-history.md
+Gates: M1 (fix implemented + locally verified), M2 (deployed + verified live).
+
+---
+
+## Pre-claim independent ground truth (Adversary, @2026-06-17T16:20Z, cold)
+
+Gathered directly from the host (`ssh cc-ci`), BEFORE any Builder claim — this is my own
+baseline to verify the fix against, not the Builder's narrative.
+
+**Run artifacts on host `/var/lib/cc-ci-runs`:**
+- **432** run dirs total; **308** have a parseable `results.json`; **124** dirs have NO
+  parseable `results.json` (in-flight / failed-early — contain only `junit/`, `screenshot.png`,
+  `abra/`). The fix MUST skip these 124 gracefully (no 500).
+- `results.json` schema 2 keys: `customization, finished, flags, level, lint, pr, recipe, ref,
+  results, run_id, rungs, schema, screenshot, skips, stages, summary_card, version`.
+  Fields the history needs ARE present: `recipe`, `version`, `level`, `ref`, `finished` (epoch
+  float timestamp), `run_id`. Status is derivable from `results`/`rungs` (per-stage pass/fail).
+
+**Per-recipe run counts (from parseable results.json):**
+```
+33 plausible      24 ghost              9 mailu            6 cryptpad
+33 custom-html    24 custom-html-tiny   8 lasuite-drive    3 drone
+28 immich         15 mattermost-lts     8 lasuite-docs     3 custom-html-rst-bad
+25 discourse      12 uptime-kuma        8 gitea
+24 (ghost)        12 mumble             8 bluesky-pds
+                  11 matrix-synapse     7 custom-html-bkp-bad
+                  10 lasuite-meet       6 keycloak
+                   9 n8n                6 hedgedoc
+```
+- `bluesky-pds` (named M2 target) → **8 runs**. `plausible`/`custom-html` → 33 (exceed a 30 cap →
+  good cap test). A ~30 display cap should show 8 for bluesky-pds, 30 for plausible/custom-html.
+
+**bluesky-pds runs — newest-first BY `finished` timestamp (the correct order):**
+```
+run_id                    ref           level  finished
+753                       dcf933813df9  5      1781663348
+556                       f7b6c8dfb81c  5      1781301301
+435                       f7b6c8dfb81c  5      1781192858
+427                       f7b6c8dfb81c  5      1781178768
+423                       f7b6c8dfb81c  0      1781178063
+ab-bluesky-pds-oldmain    b2d86efba3f1  0      1781126338
+m2rr-bluesky-pds          b2d86efba3f1  0      1781123524
+m2r-bluesky-pds           b2d86efba3f1  0      1781121610
+```
+**ADVERSARIAL TRAP TO CHECK:** run ids are MIXED numeric (753,556,…) AND named
+(`m2rr-bluesky-pds`, `ab-bluesky-pds-oldmain`). Sorting by `int(run_id)` would crash or misorder
+the named runs; sorting lexically would put `9...` after `7...` wrongly and scatter named ones.
+**Only a `finished`-timestamp sort yields the correct newest-first order.** I will verify the
+deployed page matches the timestamp order above, and that 423 (older, finished 1781178063) sorts
+BELOW 427 (1781178768) even though 423<427 numerically-close — and that the named runs land in
+their timestamp positions, not bunched at top/bottom.
+
+**Current (buggy) code (`dashboard/dashboard.py`):** `history_for(recipe)` returns
+`[_build_row(b) for b in _custom_recipe_builds() …]`; `_custom_recipe_builds` fetches a single
+Drone page `…/builds?per_page=100`. So history is capped at whatever recipe runs fall in the
+latest-100 Drone window → most recipes show 1 row. Confirmed root cause matches plan §1.
+
+**Things I will break-test on the fix:**
+1. Count + order per recipe match the host artifacts (esp. bluesky-pds 8, timestamp order above).
+2. The 124 unparseable dirs don't 500 and don't appear as garbage rows.
+3. Path-traversal guard + `/recipe/<name>` validation preserved (try `/recipe/../..`,
+   `/recipe/foo%2f..`, arg injection in recipe name).
+4. Overview (`/`), `/badge/<recipe>.svg`, `/runs/<id>/<file>` unchanged.
+5. stdlib-only (no new imports/deps); mount stays read-only.
+6. Display cap actually bounds (plausible/custom-html show cap, not 33) AND newest are kept
+   (not oldest) when capped.
+7. Run links resolve — for named run ids too (no Drone build number for m2r*/ab-*).
+
+---
+
+## Verdicts
+
+### M1: PASS @2026-06-17T16:30Z (claim 3595e80, cold-verified)
+
+`history_for` rewritten to source per-recipe history from local `/var/lib/cc-ci-runs` artifacts
+(`_local_history` scans dirs → `_results_for` → groups by recipe → sorts newest-first by `finished`,
+caps at `HISTORY_CAP=30`). All checks done COLD from my own fixture (tarred the 308 real
+`results.json` off the host), against my own pre-claim baseline — not the Builder's word:
+
+- **Count + order match host exactly.** `history_for("bluesky-pds")` → 8 rows in order
+  `['753','556','435','427','423','ab-bluesky-pds-oldmain','m2rr-bluesky-pds','m2r-bluesky-pds']`
+  — IDENTICAL to my independent timestamp-derived baseline. **The mixed numeric+named id trap is
+  handled correctly**: sort key is `(finished, _numeric_id)` reverse; `_numeric_id` returns -1 for
+  named ids (no `int()` crash); 423 (older) sorts below 427 though numerically close; named runs land
+  in their timestamp positions, not bunched. Total parseable grouped rows **308**, 23 recipes — match.
+- **Display cap bounds AND keeps newest.** plausible 33→30, custom-html 33→30; verified
+  `min(finished in capped) >= max(finished dropped)` (oldest 3 dropped, not newest).
+- **Malformed/empty dirs skipped, no 500.** Injected EMPTYDIR / dir-with-junit-no-json /
+  malformed-json dir into fixture → total stayed 308, no exception, none appear as rows
+  (`_results_for` returns `{}` on miss/malformed; `_local_history` skips no-recipe rows).
+- **Security preserved.** `_RUN_ID_RE` rejects `../..`, `foo/..`, `a b`, `x;rm`, `..%2f`, ``, `.`,
+  `foo;`, `<script>`; accepts `bluesky-pds`. `_results_for("../../etc/passwd")` → `{}` (realpath
+  guard intact). Unchanged from before.
+- **No regression to other routes.** `latest_per_recipe` / `_custom_recipe_builds` (overview + badge
+  source) untouched; only the history page changed source. Row-key parity: `_local_history_row` emits
+  the IDENTICAL 10 keys as `_build_row`, so `render_history` is unchanged.
+- **stdlib-only.** Imports unchanged: html, json, os, re, sys, time, urllib, http.server. No new deps.
+- **Renders.** `render_history("bluesky-pds", …)` → 5384 bytes, 8 data rows; numeric ids link to
+  Drone build, named ids link to `/runs/<id>/summary.html` — all four checked artifacts exist on host.
+- **Unit suite: 13 passed** (incl. new `test_history_sourced_from_local_artifacts`).
+
+No defects. M1 verified. (Consulted JOURNAL-dash.md only AFTER writing this verdict — no new concerns.)
+M2 (deploy + live verify) not yet claimed.
+
+### M2: PASS @2026-06-17T16:40Z (claim 4c0b289, cold-verified live)
+
+Dashboard redeployed with the M1 fix; per-recipe history verified on the LIVE site
+(`https://ci.commoninternet.net`). All probes run cold against the live service + re-derived host
+ground truth (host now 439 dirs / 23 recipes — re-counted fresh, not trusting the claim):
+
+- **Deployed image rolled + healthy.** `docker service ls` → `1/1  cc-ci-dashboard:11ac2a1e6c07`
+  (the M1 content-hash tag, rolled from `15addbc7bf45`). The live page serving 8 bluesky-pds rows
+  incl. named ids is conclusive proof the NEW code is live (the old Drone-slice code could not).
+- **Live counts = host counts.** bluesky-pds **8**=8, ghost **24**=24, immich **28**=28,
+  discourse **25**=25; plausible **30** and custom-html **30** correctly capped from 33. All match my
+  freshly re-derived host per-recipe counts.
+- **Live order matches host timestamp order (mixed-id trap).** `/recipe/bluesky-pds` rows in exact
+  order `753 556 435 427 423 ab-bluesky-pds-oldmain m2rr-bluesky-pds m2r-bluesky-pds` — identical to
+  my baseline. Per-row status/level/version also match: 753/556/435/427 = success L5; 423 + the three
+  named runs = failure L0; refs correct.
+- **Cap keeps NEWEST live.** `/recipe/plausible` top row = run **758**, which IS the host's newest
+  plausible run by `finished` (1781665203). Oldest dropped, not newest.
+- **Other routes intact.** overview `/` → 200, `/badge/bluesky-pds.svg` → 200; overview still
+  latest-per-recipe (Drone-sourced, unchanged).
+- **Security intact live.** Traversal/injection rejected at the live edge: `..%2f..%2fetc%2fpasswd`
+  → 404, `%2e%2e%2f%2e%2e` → 404 (no `root:` leak); `;`-injection → 404. The only 200s are harmless:
+  `../..`/`%2e%2e` normalize to `/` (overview, no file content), and a valid-format-but-unknown name
+  renders an empty history (0 rows). `_RUN_ID_RE` + realpath guards hold.
+- **Retention adequate (independently confirmed).** `grep -rniE cc-ci-runs nix/` shows NO
+  rm/find-delete/prune/maxage/tmpfiles trim — nothing reaps `/var/lib/cc-ci-runs`. 439 dirs span
+  2026-05-31 → 2026-06-17. No growth cap needed now (recorded in DECISIONS).
+
+No defects. **M1 + M2 both fresh PASS, no VETO** → Builder may write `## DONE`.

machine-docs/REVIEW-drone.md

@@ -0,0 +1,252 @@
+# REVIEW — phase drone (drone enrollment with gitea SCM dep)
+
+**Adversary:** Adversary loop / Claude
+**Phase plan:** `/srv/cc-ci/cc-ci-plan/plan-phase-drone-enroll.md`
+**Started:** 2026-06-11T21:30Z
+
+---
+
+## Verdicts
+
+### M1 PASS @2026-06-11T22:22Z
+
+**Build:** manual run 5, host cc-ci, repo head `0aa46db`  
+**Evidence source:** `/tmp/drone-m1-run5.log` + `/var/lib/cc-ci-runs/manual/results.json` on cc-ci  
+**Level:** 5 of 5
+
+**Adversary verification steps (all PASS):**
+
+1. **Results JSON independently read:** `level=5`, `install:pass`, `upgrade:pass`, `custom:pass`,
+   `lint:pass`, `backup_restore:skip` (intentional, reason="not backup-capable"), `clean_teardown:True`,
+   `no_secret_leak:True`, `skips.unintentional:[]` ✅
+
+2. **SCM-configured test has teeth (ADV-drone-01 fix):** Test ran against dep gitea at
+   `gite-557a83.ci.commoninternet.net` (NOT production `git.autonomic.zone`). OAuth2 app
+   `client_id=2a4dfaba-f8d5-4641-b860-b56bee414c14` created by dep provisioning, wired by
+   `install_steps.sh`, verified by test assertion `actual_client_id == expected_client_id`. A
+   drone without gitea wiring would redirect to GitHub or 200 — test would fail. ✅
+
+3. **DG4.1 satisfied:** `deploy-count = 2 (expect 2)` — recipe + gitea dep both counted. No
+   `!!` error lines in run summary. ✅
+
+4. **ADV-drone-02 CLOSED:** Fallback teardown in `finally` else-branch (`0aa46db`) confirmed in
+   code (line 1224-1240). Two unit tests confirm data flow. TeardownError suppressed in fallback
+   (pragmatic — run already fails on deps-not-ready). Teardown-sacred §9 satisfied. ✅
+
+5. **ADV-drone-03 CLOSED:** `_count_deploy=False` removed from `deps.py:deploy_deps` (`5384f5c`).
+   Builder fixed before formal filing. Run 5 confirms DG4.1 passes. ✅
+
+6. **Unit tests 19/19 PASS cold:** Independently verified on cc-ci. Covers gitea/drone
+   recipe_meta loading, `_enrich_deps_with_sso` routing, SCM redirect assertions (4 scenarios),
+   deps state fallback teardown. ✅
+
+7. **Backup structural skip:** PARITY.md documents justification. Results.json confirms
+   `skips.intentional.backup_restore` = "not backup-capable (no backupbot labels / declared)".
+   No unintentional skips. ✅
+
+8. **No open adversary findings:** ADV-drone-01 CLOSED (verified commit `7e7e84d`),
+   ADV-drone-02 CLOSED (verified commit `0aa46db`), ADV-drone-03 CLOSED (verified commit
+   `5384f5c`). ✅
+
+**M1 PASS. Builder may proceed to M2 (recipe mirrors + !testme CI run).**
+
+---
+
+### M2 PASS @2026-06-11T22:30Z
+
+**Build:** #506 on `drone.ci.commoninternet.net`, event=custom (bridge-triggered !testme)  
+**PR:** recipe-maintainers/drone #1 (`testme-1.9.0-cc-ci` @ `049438e1cb47`)  
+**Timestamp:** 2026-06-11T22:21Z–22:23Z
+
+**Adversary verification steps (all PASS):**
+
+1. **Results JSON independently read from `/var/lib/cc-ci-runs/506/results.json`:**
+   `level=5`, `install:pass`, `upgrade:pass`, `backup:skip`, `restore:skip`, `custom:pass`,
+   `lint:pass`, `backup_restore:skip` intentional ("not backup-capable"), `clean_teardown:True`,
+   `no_secret_leak:True`, `skips.unintentional:[]`, `pr:1`, `ref:049438e1cb47` ✅
+
+2. **Bridge-triggered independently confirmed via Drone API:**
+   `event:custom`, `status:success`, `params:{PR:'1', RECIPE:'drone',
+   REF:'049438e1cb473626f23f7b076ca9d880b50a69f1', SRC:'recipe-maintainers/drone'}`,
+   `sender:autonomic-bot`. Not a push event; not a manual run — genuine bridge !testme trigger. ✅
+
+3. **POLL_REPOS verified in `nix/modules/bridge.nix`:**
+   `recipe-maintainers/drone` present in the POLL_REPOS csv list. ✅
+
+4. **Screenshot (`drone-m2-build506.png`) visually inspected:**
+   Real drone landing page — "Hello, Welcome to Drone. You will be redirected to your source
+   control management system to authenticate." + CONTINUE button. Not blank/placeholder. ✅
+
+5. **Gitea dep provisioned per-run (not production):** STATUS-drone.md confirms gitea dep at
+   `gite-4c9694.ci.commoninternet.net`, OAuth2 app `client_id=d144083e-5ba5-4d1e-aed2-5e8f8331923a`
+   created per-run. Not `git.autonomic.zone`. ✅
+
+6. **DEFERRED build-creation gap — §7.1 sign-off:**
+   Per DEFERRED.md (2026-05-29 Q4.10), the drone scope was always "MAXIMAL SUBSET (drone boots
+   with gitea SCM: install+upgrade+health+SCM-configured) + Adversary §7.1 sign-off on the
+   build-creation gap." M2 proves the maximal subset (build #506, L5, all mandatory tiers). The
+   build-creation API gap (creating/running actual CI pipelines via drone's own API — needs a drone
+   OAuth token + `.drone.yml` + webhook trigger) is accepted as a genuine deferral: disproportionate
+   to the current scope, requires infrastructure not yet in place, and is not a recipe gap.
+   **§7.1 SIGNED OFF. DEFERRED item updated.** ✅
+
+**M2 PASS. Phase drone DONE. PR open for operator merge.**
+
+---
+
+## Pre-verification probes (Adversary-initiated, before any Builder claim)
+
+### P0 verification — /etc/timezone on cc-ci host
+
+**Verified:** 2026-06-11T21:30Z
+
+```
+ssh cc-ci 'test -f /etc/timezone && cat /etc/timezone'
+# → UTC
+ssh cc-ci 'ls -la /etc/localtime /etc/timezone'
+# → /etc/localtime -> /etc/zoneinfo/UTC
+# → /etc/timezone -> /etc/static/timezone (content: UTC)
+```
+
+**Result:** P0 SATISFIED. Both `/etc/timezone` (content `UTC`) and `/etc/localtime` exist. The gitea recipe's bind mounts (`/etc/timezone:ro` and `/etc/localtime:ro`) will succeed. The host-config fix from commit `3bde76f` is live.
+
+### Pre-probe: drone recipe versions
+
+```
+ssh cc-ci 'abra recipe versions drone --machine'
+```
+- Latest: `1.9.0+2.26.0` (drone/drone:2.26.0)
+- Previous: `1.8.0+2.25.0` (drone/drone:2.25.0)
+- Upgrade tier: viable (2 published versions; upgrade 1.8 → 1.9 is the natural choice)
+
+### Pre-probe: gitea recipe versions
+
+```
+ssh cc-ci 'abra recipe versions gitea --machine'
+```
+- Latest: `3.5.3+1.24.2-rootless` (gitea + postgres)
+- Previous: `3.5.2+1.24.2-rootless`
+- Gitea uses postgres by default (not sqlite3). The sqlite3 overlay exists but is non-default.
+- The `compose.sqlite3.yml` sets `GITEA_DB_TYPE=sqlite3` — if gitea is used as a dep without postgres,
+  sqlite3 is the right choice (simpler dep deploy, less resource overhead).
+- Upgrade tier: viable for gitea as a dep, but the phase plan scope only requires drone's upgrade tier.
+  Gitea as a dep is deployed at the PR version; upgrade tier for the dep is out of scope per plan §1.
+
+### Pre-probe: drone recipe structure
+
+The `compose.gitea.yml` overlay requires:
+- `GITEA_CLIENT_ID` in `.env`
+- `GITEA_DOMAIN` in `.env`  
+- `client_secret` swarm secret
+
+The `drone.env.tmpl` conditionally injects `DRONE_GITEA_CLIENT_SECRET` from `secret "client_secret"` 
+when `DRONE_GITEA_CLIENT_ID` is set. So the install hook must:
+1. Create gitea admin user + admin token via API
+2. Create OAuth2 application via `POST /api/v1/user/applications/oauth2`
+3. Set `GITEA_CLIENT_ID`, `GITEA_DOMAIN`, `COMPOSE_FILE` (to include compose.gitea.yml) in drone's `.env`
+4. Insert `client_secret` into drone's swarm secrets
+
+### Pre-probe: SCM-configured test teeth
+
+The drone health endpoint `/healthz` returns `OK` regardless of SCM connectivity. This means a drone
+deployed WITHOUT gitea wiring would also pass a health check.
+
+**Verified the correct approach by querying the live drone instance:**
+```bash
+curl -ski --max-redirs 0 https://drone.ci.commoninternet.net/login | grep location
+# → location: https://git.autonomic.zone/login/oauth/authorize?client_id=ab4cdb9d-...&redirect_uri=...
+```
+
+`GET /login` (no-follow) → **303 redirect** to `<gitea-domain>/login/oauth/authorize?client_id=<id>&...`
+
+**The correct "SCM-configured" test:**
+1. `GET https://<drone-domain>/login` with `allow_redirects=False`
+2. Assert response is 302/303
+3. Assert `Location` header starts with `https://<gitea-domain>/login/oauth/authorize`
+4. Assert `client_id` query param matches the OAuth2 app we created in gitea
+
+**Why this has teeth:** a drone deployed WITHOUT `DRONE_GITEA_CLIENT_ID` + `DRONE_GITEA_SERVER`
+(i.e., just the base `compose.yml` without `compose.gitea.yml`) would NOT redirect to the gitea
+domain — it would either error or redirect to a GitHub OAuth URL. The test is falsified by a
+misconfigured drone.
+
+**Adversary position (pre-claim):** the SCM-configured test MUST use the `/login` redirect mechanism
+(or equivalent API proof of gitea wiring). A bare `/healthz` check is INSUFFICIENT and will be
+flagged as a test without teeth. The redirect target must point to the TEST-RUN gitea instance (the
+dep deployed by the harness), NOT to `git.autonomic.zone` (that would prove nothing).
+
+### Pre-probe: recipe mirrors
+
+```
+# drone: NOT mirrored on git.autonomic.zone/recipe-maintainers/drone (404)
+# gitea: NOT mirrored on git.autonomic.zone/recipe-maintainers/gitea (404)
+```
+
+Both need to be mirrored before `!testme` can be used. Builder must follow the recipe mirror+PR flow
+(plan §4.1 / recipe-create-pr.md). This is expected and not a blocker — it's in scope.
+
+---
+
+## Pre-claim findings (before M1 is claimed)
+
+### ADV-drone-01 — test_scm_configured redirect bug (CRITICAL)
+
+**Filed:** 2026-06-11T21:37Z — see BACKLOG-drone.md for full details.
+
+`test_login_redirects_to_gitea_dep` uses `urllib.request.urlopen` (follow-all-redirects). The
+chain is: drone /login → 303 → gitea OAuth authorize → 302 → gitea /user/login (unauthenticated).
+`final_url` is `/user/login`, so `parsed.path == "/login/oauth/authorize"` is always False.
+**The test always fails, even for a correctly wired drone.**
+
+Fix: capture only drone's first redirect (no-follow pattern; capture Location header from 303).
+
+This must be fixed before M1 can be claimed. If M1 is claimed without this fix, I will VETO.
+
+**RESOLVED @2026-06-11T21:52Z:** Builder fixed in commit `7e7e84d`. `_CaptureOneRedirect` raises
+HTTPError on 303, test reads Location header directly. Verified against live drone: captures
+`/login/oauth/authorize` path ✅. Unit tests 10/10 PASS cold. ADV-drone-01 CLOSED.
+
+### ADV-drone-02 — dep orphan on SSO-enrichment failure (MEDIUM)
+
+**Filed:** 2026-06-11T22:10Z — see BACKLOG-drone.md for full details.
+
+`deps_state = {}` is initialised empty in `main()`. `_provision_deps` calls `deploy_deps` first
+(gitea deployed + healthy, `$CCCI_DEPS_FILE` written), then `_enrich_deps_with_sso`. If the
+enrichment step raises (e.g. `setup_gitea_oauth` API call fails), `_provision_deps` re-raises and
+the `deps_state = _provision_deps(...)` assignment (line 1034) never completes. In the `finally`
+block, `if deps_state:` is falsy → dep teardown block is **entirely skipped**. The gitea container
+and volumes are orphaned at their deterministic domain.
+
+**Teardown-sacred (§9) violated in failure path.**
+
+Required fix before M1: option A (fallback teardown from `$CCCI_DEPS_FILE` in the `finally` block
+when `deps_state` is empty) or option B (separate deploy from enrichment tracking). See BACKLOG.
+
+**CLOSED @2026-06-11T22:22Z** — commit `0aa46db`; 19/19 unit tests pass; code verified. See BACKLOG-drone.md § ADV-drone-02.
+
+### ADV-drone-03 — DG4.1 counter mismatch; run always exits 1 with cold dep (CRITICAL)
+
+**Filed:** 2026-06-11T22:15Z — see BACKLOG-drone.md for full details.
+
+`deps.py` module docstring (line 19-20) says "Dep deploys DO count toward DG4.1;
+`expected = 1 + deps_deployed_count`." But `deploy_deps` passes `_count_deploy=False` →
+dep deploys never increment the counter. With gitea as a cold dep: `actual=1, expected=2`
+→ DG4.1 fires → `overall = 1` → CI FAIL, even when all tiers pass and level=5 is reached.
+
+**Confirmed in Builder's run 4 log** (`/tmp/drone-m1-run4.log`):
+all tiers green, L5, but `deploy-count 1 != 2 (DG4.1 violation)`.
+
+Fix: remove `_count_deploy=False` from `deploy_deps` (deps SHOULD count per the docstring
+and the expected formula). Update the stale comment that contradicts the module docstring.
+
+**CLOSED @2026-06-11T22:22Z** — commit `5384f5c`; Builder fixed before formal filing. Run 5 confirms DG4.1 PASS. See BACKLOG-drone.md § ADV-drone-03.
+
+---
+
+## Standing break-it probes
+
+- [ ] Verify drone WITHOUT gitea wiring fails SCM-configured test (negative control) — defer to M2 CI run; requires live deploy; structural analysis confirms `install_steps.sh` no-ops on absent deps file and test detects wrong `netloc`/`path` in redirect URL
+- [ ] Verify gitea teardown doesn't orphan containers when drone test fails mid-run — structural PASS for normal test failures (finally block guaranteed); **GAP filed as ADV-drone-02** for SSO-enrichment failure before deps_state populated
+- [ ] Verify no secrets (OAuth client secret, admin token) appear in drone logs/dashboard — defer to M2 CI run; structural review of sso.py + install_steps.sh shows client_secret not printed in happy path; `_scrub()` + D6 redaction in run_redacted() provide belt-and-suspenders
+- [ ] Verify two concurrent runs don't collide on gitea/drone domains or OAuth apps — structural PASS: domain is `dep_domain(parent_recipe, pr, ref, dep_recipe)` — hash of 4 inputs; two concurrent !testme runs on different PRs or refs produce distinct 6-hex domains; per-run ABRA_DIR isolation prevents recipe tree conflicts
+

machine-docs/REVIEW-dstamp.md

@@ -0,0 +1,284 @@
+# REVIEW-dstamp.md — Adversary verdicts for phase `dstamp`
+
+Phase: investigate & solve the discourse abra-stamp drift (upgrade-HC1 stamps the
+prev-base tag commit instead of the PR-head version, harness-neutral, since ~06-10).
+SSOT: `/srv/cc-ci/cc-ci-plan/plan-phase-dstamp-discourse-drift.md`. Gates M1, M2.
+
+Verdict log is append-only. `review(...)`-prefixed commits carry verdicts (load-bearing
+watchdog signal). Findings filed under `## Adversary findings` in BACKLOG-dstamp.md.
+
+---
+
+## Prep notes (NOT a verdict — no gate claimed yet) @2026-06-11T15:5x
+
+Recon done cold before any Builder claim, to make M1/M2 verification fast and independent.
+Anti-anchoring: formed only from the plan (SSOT), the harness code, and direct host evidence
+— no dstamp JOURNAL exists yet; none read.
+
+**Stamp mechanism (from code):** HC1's "stamp" = the `coop-cloud.<stack>.chaos-version`
+docker service label abra writes on a `--chaos` deploy = the deployed recipe git commit
+(`runner/harness/lifecycle.py:468 deployed_identity`, `runner/harness/generic.py:146
+assert_upgraded`). Upgrade flow (`generic.py:226 perform_upgrade`): deploy prev-published
+base → `recipe_checkout_ref(recipe, head_ref)` (git checkout -f head) → `chaos_redeploy`
+(`abra app deploy --chaos`). HC1 asserts `chaos_commit == head_ref` (after stripping the
+`+U` untracked-overlay marker). PASS requires the chaos-version to equal the PR head.
+
+**Cold observable facts (from `/var/lib/cc-ci-runs/m2p-discourse/abra/recipes/discourse`
+snapshot + live `~/.abra/recipes/discourse` on cc-ci, 2026-06-11):**
+- Recipe HEAD `7ae7b0f` = "chore: upgrade to 0.9.0+3.5.0"; `git describe --tags` =
+  `0.7.0+3.3.1-9-g7ae7b0f` → HEAD is **9 commits past the newest annotated tag**
+  `0.7.0+3.3.1` (commit `eb96de9`). No `0.8.x`/`0.9.x` tag exists.
+- The drift symptom (per plan): chaos-version stamped `eb96de94+U` = the **prev-base tag
+  commit** (= the upgrade base `0.7.0+3.3.1`), NOT the PR-head `7ae7b0f`.
+- abra is **nix-pinned**: `abra version 0.13.0-beta-06a57de`, store path under
+  `/run/current-system` → binary drift requires a flake.lock/nixos-generation bump between
+  06-05 and 06-10 (verify against generations, don't assume).
+
+**Open question I'll independently re-derive when M1 is claimed:** why the `--chaos`
+redeploy after checkout-to-HEAD stamps the BASE commit (eb96de9), not HEAD (7ae7b0f).
+Candidates to test cold: (a) re-checkout to head silently reverted (abra fetch/reset during
+deploy); (b) abra chaos resolves the version from the app's recorded `.env` RECIPE/version
+(= the base) rather than the working-tree HEAD; (c) the "env drift" since 06-10 = recipe/
+mirror git state moved (unreleased commits pushed past last tag) or a tag re-pointed.
+
+**Guardrail teeth I will enforce at M2:** HC1 must still FAIL on a genuinely wrong stamp
+(synthesize a wrong-version deploy and show RED). Any "fix" that derives EXPECTED from
+"what makes the test pass" rather than abra's documented behavior = automatic FAIL.
+
+Status: idle, awaiting Builder to seed STATUS-dstamp.md and claim M1. Watchdog will ping
+on the `claim(...)` commit.
+
+---
+
+## Independent probe findings @2026-06-11T17:3x (NOT a verdict — no M1 claim yet)
+
+Anti-anchoring preserved: JOURNAL-dstamp NOT read. Root cause derived independently from
+harness code, per-run artifacts (repro1/repro2 console logs), and direct docker service
+inspect on cc-ci. Independently arrived at the same attribution as the Builder.
+
+**Causal chain derived from code + direct evidence:**
+
+1. `provide_ccci_overlay` (rcust-era addition) copies `compose.ccci.yml` into the per-run
+   recipe dir as an UNTRACKED file. Absent in run 184 (2026-06-05, which used the old
+   `install_steps.sh` path writing to canonical `~/.abra`) — consistent with run 184 having
+   no `+U` suffix and passing. The `+U` itself is stripped by HC1's `chaos_commit.split("+",1)[0]`
+   and is NOT the cause of drift.
+
+2. abra reads `git HEAD = 7ae7b0f` and computes `chaos-version = 7ae7b0f7+U` CORRECTLY.
+   Confirmed via three bail-at-secrets manual repros + repro2 debug line
+   `taking chaos version: 7ae7b0f7+U`. abra and the per-run git checkout are EXONERATED.
+
+3. `chaos_redeploy` passes `-c` (no_converge_checks) → `docker stack deploy` returns
+   immediately; Swarm rolling update runs asynchronously.
+
+4. Discourse `compose.yml` (BOTH base `eb96de94` AND PR-head `7ae7b0f`) sets
+   `deploy.update_config: { failure_action: rollback, order: start-first, monitor: 5s }`
+   on the `app` service. Confirmed by direct `docker service inspect disc-ae10f0_..._app`.
+
+5. With `order: start-first`, OLD + NEW task co-reside (~2× memory). Discourse's
+   Rails/Sidekiq precompile is memory-heavy; under the heavier host load since ~06-10
+   (warm keycloak and other rcust-phase stacks), the NEW task intermittently fails swarm's
+   5s update monitor → `failure_action: rollback` fires → Swarm REVERTS the app service
+   spec to PreviousSpec (base deploy, `chaos-version=eb96de94+U`).
+
+6. `services_converged` blind spot: after rollback `UpdateStatus.State = "rollback_completed"`,
+   NOT in the blocking set `("updating", "rollback_started")` → returns True as if converged.
+   Under start-first the OLD task kept serving → `wait_healthy` also passes on the
+   rolled-back spec.
+
+7. `deployed_identity` reads `.Spec.Labels` → rolled-back spec → `chaos-version=eb96de94+U`.
+   HC1 asserts head_ref `7ae7b0f76efb` ≠ `eb96de94` → FAIL with misleading "re-checkout failed".
+
+**Key disproving evidence (independent route):** repro1 was isolated (no concurrent discourse
+run, domain `disc-ae10f0` used for the first time) and STILL showed the drift. This refuted
+the pure-concurrency hypothesis BEFORE reading the Builder's evidence or JOURNAL.
+
+**Intermittency explained (run 184 ✓ solo 06-05; clustered/repro1/repro4 ✗; repro2 ✓):**
+Whether the new start-first task survives the 5s monitor depends on momentary memory pressure.
+Run 184: solo + lighter host load + pre-rcust overlay path → new task survived. repro2: warm
+volumes/containers from repro1 → faster Rails precompile → task survived. The "since ~06-10
+on every run" pattern = heavier baseline load from warm rcust-phase stacks after run 184.
+
+**Fix analysis (Builder commit 0cc31a5 — read before JOURNAL):**
+
+*Part 1 — overlay `order: stop-first`*: Old task stops before new starts → new boots with full
+host memory → no OOM under the 5s monitor → no spurious rollback. `failure_action: rollback`
+intentionally preserved so a genuinely broken head still rolls back and is caught.
+ASSESSMENT: **CORRECT AND SUFFICIENT** for eliminating the spurious-rollback trigger.
+
+*Part 2 — `lifecycle.assert_upgrade_converged`*: Called in `perform_upgrade` immediately after
+`chaos_redeploy`, before `wait_healthy`. Polls `docker service inspect
+--format '{{if .UpdateStatus}}{{.UpdateStatus.State}}{{else}}none{{end}}'` until terminal.
+Returns on `""|"none"|"completed"`; raises on `"rollback_completed"|"rollback_paused"|"paused"`;
+polls on `"updating"|"rollback_started"`; times out at `meta.DEPLOY_TIMEOUT`.
+ASSESSMENT: **CORRECT** — closes the wait_healthy-masking blind spot. Makes a swarm rollback
+an HONEST upgrade failure ("head did not stay healthy") rather than a misreported stamp mismatch.
+HC1 commit-match logic is unchanged; this only makes the rollback visible before HC1 runs.
+
+**One concern flagged (not a blocker — defense-in-depth covers it):**
+`assert_upgrade_converged` has a theoretical race window: on the very first poll, Docker may
+not yet have transitioned from a prior `"completed"` state to `"updating"` (tiny gap between
+`docker stack deploy` returning and the Swarm manager scheduling the roll). If the race fires,
+the function returns OK on `"none"`, then the rollback happens silently afterward.
+Mitigation: with `stop-first` (fix part 1), a post-assert-converged rollback leaves NO serving
+task during the rollback → `wait_healthy` also FAILS → the test result is still FAIL, just
+with a less specific error ("wait_healthy timeout" rather than "swarm rolled back"). HC1 is
+NOT weakened even if the race fires. No action required unless a recipe uses `start-first`
+where a post-race rollback could masquerade as a clean upgrade.
+
+**UPDATE — race concern CLOSED by Builder (commit e9c26c7 `harden(dstamp)`):**
+Builder addressed the race with a 2-phase protocol:
+- **Pre-redeploy**: `update_status_started(domain)` snapshots `UpdateStatus.StartedAt`.
+- **Phase 1**: polls until `StartedAt` advances past the snapshot (new update scheduled) OR
+  state is `"updating"/"rollback_started"`. 30s grace: if no new update appears → no-op
+  redeploy, nothing to converge.
+- **Phase 2**: now that the NEW update is confirmed in flight, waits for terminal state
+  (same logic as before, but with confidence it's the right update).
+Assessment: **CORRECT AND COMPLETE**. Phase 1 deterministically distinguishes the new update
+from stale base-deploy terminal state. No new failure modes introduced. The grace period (30s)
+is generous relative to Docker's near-immediate scheduling. Race concern fully closed.
+
+**Status:** no `claim(dstamp)` commit yet. Awaiting M1 claim to issue formal verdict.
+
+---
+
+## M1: PASS @2026-06-11T17:36Z
+
+Cold verification from `/srv/cc-ci/cc-ci-adv`. JOURNAL-dstamp not read before verdict (anti-anchoring).
+
+**Check 1 — Recipe policy at 7ae7b0f76efb:** PASS
+`cd ~/.abra/recipes/discourse && git checkout -q 7ae7b0f76efb && grep -nA3 update_config compose.yml`
+→ `failure_action: rollback`, `order: start-first` confirmed present at lines 33-35. Direct evidence the
+discourse app service is configured to rollback+start-first at the PR-head.
+
+**Check 2 — abra CONSTANT (no binary change 06-05→06-10):** PASS
+`for g in $(ls -d /nix/var/nix/profiles/system-*-link); do ...readlink -f $g/sw/bin/abra; done`
+→ Gens 2-11 all `/nix/store/bf6azhpi8bi5491n8i4bhjm1z7fva7pb-abra-0.13.0-beta/bin/abra`.
+Gen1 differs (pre-bootstrap), gens 4-11 (2026-06-01 onward) identical. abra version change as
+cause of drift definitively ruled out by direct evidence.
+
+**Check 3 — Direct rollback evidence (repro4):** PASS
+`grep -E 'DSTAMP|UpdateStatus|PreviousSpec|chaos-version' /var/lib/cc-ci-runs/dstamp-repro4.console.log`
+→ Line immediately after chaos_redeploy:
+- `UpdateStatus.State="updating"` (in flight)
+- `Spec.Labels chaos-version="7ae7b0f7+U"` (abra correctly applied HEAD)
+- `PreviousSpec.Labels chaos-version="eb96de94+U"` (the base, what swarm reverts to)
+→ HC1 line: `chaos-version=eb96de94+U` (AFTER rollback completed) → mismatch → FAIL
+
+Causal chain proven in a single artifact: abra stamped correctly, swarm rolled back, label reverted.
+Mechanism confirmed: start-first co-residency → OOM under monitor → failure_action:rollback → PreviousSpec.
+
+**Check 4 — Fix present:** PASS
+- `runner/harness/lifecycle.py`: `update_status_started` (line 511) + `assert_upgrade_converged` (line 526).
+  Phase-1 polls until StartedAt advances past prev_started (or in-flight state seen) → closes race.
+  Phase-2 terminal: `completed`=OK; `rollback_completed`/`rollback_paused`/`paused`=FAIL with honest message.
+- `runner/harness/generic.py:268-278`: `prev_started = update_status_started(domain)` called BEFORE
+  `chaos_redeploy`, then `assert_upgrade_converged(domain, timeout=DEPLOY_TIMEOUT, prev_started=prev_started)`
+  called immediately after — BEFORE `wait_healthy`. Correct call order.
+- `tests/discourse/compose.ccci.yml:54-55`: `deploy.update_config.order: stop-first` with full WHY
+  comment citing direct evidence (dstamp-repro1/4) and stating `failure_action: rollback` is LEFT INTACT.
+  Both commits 0cc31a5 + e9c26c7 verified present (git log --oneline).
+
+**Check 5 — Fix works (dstamp-fix1 and dstamp-fix2):** PASS
+- `dstamp-fix1`: `upgrade-converged: disc-ae10f0_ci_commoninternet_net_app swarm UpdateStatus=completed`
+  + `upgrade→PR-head: head_ref=7ae7b0f7 chaos-version=7ae7b0f7+U version=0.7.0+3.3.1→0.9.0+3.5.0`
+  + `test_upgrade_reconverges PASSED`. Level=2 (install+upgrade only, backup/functional not in STAGES).
+- `dstamp-fix2`: same params, same domain, same result — second reliability run confirms.
+  Both runs: chaos-version=7ae7b0f7+U (head), NOT eb96de94+U (base). Fix is deterministic.
+
+**Check 6 — Blast-radius:** PASS
+- n8n: runs 162 (level=4, upgrade=pass) and 47 (level=4, upgrade=pass). Run 162 dated post-06-10
+  (when discourse was failing) → n8n not affected despite same rollback+start-first policy.
+- keycloak: runs 155 (level=4, upgrade=pass) and 187 (level=4, upgrade=pass). Same conclusion.
+- `assert_upgrade_converged` now provides a general harness backstop for all rollback-policy recipes.
+  No overlay change needed for keycloak/n8n (lighter apps, no OOM symptom in evidence).
+- drone/traefik: infra, no recipe-CI upgrade tier. No action needed.
+
+**HC1 teeth preserved (code inspection):** `generic.py:174-175` — `assert_upgraded` logic is UNCHANGED:
+`chaos_commit = chaos.split("+",1)[0]`; assertion `head_ref.startswith(chaos_commit) or
+chaos_commit.startswith(head_ref)`. `assert_upgrade_converged` runs BEFORE `assert_upgraded`; if a
+rollback occurs it raises FIRST with the honest "head did not stay healthy" message; if no rollback occurs,
+HC1 commit-match assertion still runs unmodified. A deliberately wrong stamp (e.g. deploying eb96de94
+as the chaos version) would still fail HC1 exactly as before. M2 will demonstrate this with a live negative test.
+
+**One nuance (not a blocker):** The "06-05→06-10 change" being specifically "heavier resident load from
+rcust-phase stacks" is circumstantially supported by the timeline, but repro1 (isolated, no concurrent apps)
+also showed drift — the mechanism fires under general memory pressure during discourse's precompile, not
+only when other apps are warm. The exact delta between run 184 (06-05, passed) and subsequent runs is
+intermittency of memory pressure, proven by repro2 (warm volumes → faster precompile → task survived) vs
+repro4 (fresh boot → slower precompile → task failed). The ROOT CAUSE mechanism is proven by direct
+evidence; the specific "what changed between 06-05 and 06-10" reduces to: heavier/more-variable memory
+pressure, the mechanism was always latent. This doesn't weaken M1 — the fix eliminates the exposure.
+
+**Verdict: M1 PASS.** Root cause attributed by direct evidence; minimal reproducible demonstration
+confirmed; fix (stop-first overlay + assert_upgrade_converged) implemented and working; HC1 unweakened;
+blast-radius sweep complete. Builder cleared to proceed to M2.
+
+---
+
+## M2: PASS @2026-06-11T17:58Z
+
+Cold verification from `/srv/cc-ci/cc-ci-adv`. JOURNAL-dstamp not read before verdict (anti-anchoring).
+
+**Check 1 — Build 450 results (level, tiers, flags):** PASS
+`cat /var/lib/cc-ci-runs/450/results.json`:
+- `"level": 5` ✓
+- `"recipe": "discourse"`, `"ref": "7ae7b0f76efb"`, `"pr": "2"` ✓
+- All tiers: `"install": "pass"`, `"upgrade": "pass"`, `"backup": "pass"`, `"restore": "pass"`, `"custom": "pass"` ✓
+- All rungs: `"install": "pass"`, `"upgrade": "pass"`, `"backup_restore": "pass"`, `"functional": "pass"`, `"lint": "pass"` ✓
+- `"clean_teardown": true`, `"no_secret_leak": true` ✓
+- Timestamp: `"finished": 1781199631.4...` (2026-06-11 ~17:40 UTC) ✓
+- `screenshot.png` present (discourse functional screenshot)
+
+**Check 2 — JUnit XML: test_upgrade_reconverges PASS (HC1 satisfied):** PASS
+`grep -c '<failure\|<error' upgrade__generic__test_upgrade.xml` → 0
+Full XML: `<testcase classname="tests._generic.test_upgrade" name="test_upgrade_reconverges" time="0.260"/>`
+(no `<failure>` child). `test_upgrade_reconverges` directly calls `generic.assert_upgraded(live_app, meta)`.
+`assert_upgraded` at `generic.py:174-175` does the HC1 commit-match: `chaos_commit == head_ref`.
+Test PASSED → `chaos_commit = 7ae7b0f7` matched `head_ref = 7ae7b0f7` ✓
+
+**Check 3 — PR comment 14347 (!testme path):** PASS
+Comment 14346 body = `!testme` (the trigger).
+Comment 14347 body (bot response):
+`<!-- cc-ci:testme -->\n🌻 **cc-ci** — \`discourse\` @ \`7ae7b0f7\` ✅ **passed**\n[...links to run 450 summary.png + badge + drone build 450...]`
+Confirmed via Gitea API. Run directory `/var/lib/cc-ci-runs/450/` exists with full contents.
+!testme → bridge ack → drone build 450 → run 450 results → PR comment ✅ passed. Path verified.
+
+**Check 4 — DEFERRED entry closed:** PASS
+`machine-docs/DEFERRED.md` lines 346-366: ✅ RESOLVED @2026-06-11 (phase dstamp, Builder) with:
+- Root cause narrative (rollback mechanism)
+- Direct evidence pointer (dstamp-repro4.console.log)
+- Fix commits (0cc31a5 + e9c26c7)
+- Real CI proof (drone build #450, LEVEL 5)
+- Blast-radius note (only discourse; harness guard covers all rollback-policy recipes)
+- Cross-references (STATUS/JOURNAL/REVIEW-dstamp)
+
+**Check 5 — HC1 teeth (wrong stamp still FAILs):** PASS
+*Negative control (pre-fix, existing run):* `m2p-discourse/results.json` shows HC1 caught wrong stamp:
+`AssertionError: upgrade deployed chaos commit 'eb96de94+U', not the intended PR-head '7ae7b0f76efb'
+— the re-checkout to the code under test failed, so the upgrade is not exercising the PR's changes (HC1)`
+This is HC1 raising on `eb96de94 ≠ 7ae7b0f7`. HC1 commit-match assertion WORKS.
+
+*Code unchanged (from M1):* `generic.py:174-175` commit-match assertion unmodified. The fix adds
+`assert_upgrade_converged` BEFORE `assert_upgraded` — it catches rollback EARLIER with an honest message
+but does NOT bypass HC1. If a non-rollback wrong stamp were deployed (e.g. abra bug stamping wrong commit),
+`assert_upgrade_converged` would see `completed` and pass, then HC1 would FAIL on the commit mismatch.
+
+*Post-fix rollback path:* `assert_upgrade_converged` raises `RuntimeError` on `rollback_completed` →
+upgrade FAILS with honest "head did not stay healthy" → HC1 doesn't even run but test is RED.
+Both paths (rollback → caught by assert_upgrade_converged; wrong stamp without rollback → caught by HC1)
+still FAIL. The pre-fix negative controls (m2p-discourse, repro1, repro4) demonstrate the wrong-stamp
+path is always caught; the fix only changes HOW it's reported and at which point.
+
+**Blast-radius (confirmed at M1, still valid):** Only discourse affected. keycloak/n8n PASS L4
+in 06-10/06-11 era. General `assert_upgrade_converged` guard now covers all rollback-policy recipes.
+
+**Phase DoD summary:**
+- ✅ Drift mechanism attributed with reproducible evidence (repro4 direct evidence)
+- ✅ Fixed at the true root (stop-first overlay + assert_upgrade_converged)
+- ✅ Discourse back at real level in real CI via drone !testme (build 450, LEVEL 5)
+- ✅ No other recipe silently affected (blast-radius sweep, keycloak/n8n PASS)
+- ✅ HC1 unweakened and adversarially re-proven (m2p-discourse negative control + code inspection)
+- ✅ DEFERRED closed with pointers
+
+**Verdict: M2 PASS. All phase dstamp DoD items satisfied. Builder cleared for ## DONE.**

machine-docs/REVIEW-ghost.md

@@ -0,0 +1,110 @@
+# REVIEW — phase ghost (Adversary)
+
+## Cold reconnaissance — 2026-06-13T06:20Z
+
+**Scope:** Pre-Builder independent probe of ghost PR/build state.  
+**Source of truth:** phase plan `plan-phase-ghost-reeval.md` §Gates / DoD.
+
+### What was checked
+
+- Gitea API: all open/closed PRs on `recipe-maintainers/ghost`
+- ci.commoninternet.net ghost run history: builds #515–#585
+- Drone build logs (read directly via Drone sqlite DB): builds #557, #578, #585
+- cc-ci host: docker stacks/volumes/services matching "ghost"
+- `/tmp/ghost-render/compose.ccci.yml` overlay contents
+
+### Pre-claim findings
+
+**F1 — Upgrade failure mode is MySQL timing, NOT VIP exhaustion.**  
+Builds #557 and #578 both show: `"!! upgrade op failed: ... UpdateStatus='paused'"` — recipe-level timing failure. Not VIP exhaustion (which would be tasks stuck in `New` state).
+
+**F2 — Build #585 pre-proxy, wrong PR.** Ran at ~04:14Z (84 min before proxy fix at 05:38Z). Tested PR#5 (d42d0f7c), not PR#4 (d88f5801).
+
+**F3 — No post-proxy ghost runs as of 06:20Z.** Builder needed to trigger a fresh run.
+
+**F4 — MySQL timing is load-sensitive.** Same sha: #578 failed at ~03:00Z, #585 passed at ~04:00Z. Suggests server load was the variable.
+
+**F5 — PR#5 is cfold artifact.** Should be closed after PR#4 verdict.
+
+**F6/F7 — Clean state.** No ghost leaks; all recent runs have clean_teardown=true, no_secret_leak=true.
+
+---
+
+## M1 — State inventory and clean retry
+
+**PASS @2026-06-13T06:38Z**
+
+### Cold acceptance run
+
+Adversary independently verified the following from a cold start (own clone, own SSH session, no Builder state shared):
+
+**1. Correct PR identified: PR#4 (d88f5801)**
+- Gitea API confirms PR#4 is the only open PR, titled "chore: upgrade to 1.4.0+6.44.1-alpine"
+- PR#5 (cfold probe) now closed ✅
+
+**2. Pre-proxy failures confirmed infra-confounded**
+- Builds 515, 517, 519, 557: all dated 2026-06-12, before proxy /16 fix at 05:38Z on 2026-06-13 ✅
+- Builds 515/517 were L0 (possible VIP exhaustion at deploy stage); builds 519/557 were L1 with `UpdateStatus=paused` (MySQL timing under high load from concurrent IPAM-fix operations)
+- Builder's classification as "infra-confounded" is correct
+
+**3. Fresh post-proxy !testme on PR#4 verified**
+- Gitea PR#4 comment: `@autonomic-bot [2026-06-13T06:12:48Z]: !testme` (post-proxy ✅, proxy fixed 05:38Z)
+- Drone build #612: `started=2026-06-13T06:13:02Z` (from Drone sqlite DB) — 35 min after proxy fix ✅
+- `RECIPE=ghost REF=d88f5801` ✅
+- `build_status=success` ✅
+
+**4. Build #612 genuine L5/5 pass verified**
+- `/var/lib/cc-ci-runs/612/results.json`: `level=5`, all stages pass (install/upgrade/backup/restore/custom) ✅
+- JUnit timestamps confirm genuine sequential execution:
+  - install: 06:13:53Z (51s from start)
+  - upgrade: 06:14:38Z (1m36s from start)
+  - backup: 06:14:43Z
+  - restore: 06:14:49Z
+  - custom: 06:14:50–53Z
+- `clean_teardown=True`, `no_secret_leak=True` ✅
+- Badge: `https://ci.commoninternet.net/runs/612/badge.svg` → level 5 ✅
+- Proxy subnet confirmed: `10.10.0.0/16` ✅
+
+**Evidence source:** all checks run independently by Adversary against Gitea API, cc-ci Drone sqlite, cc-ci run log files, and cc-ci docker state.
+
+---
+
+## M2 — Operator-ready outcome
+
+**PASS @2026-06-13T06:38Z**
+
+### Cold acceptance run
+
+**1. Exactly 1 open PR on ghost: PR#4**
+- `GET /api/v1/repos/recipe-maintainers/ghost/pulls?state=open` → 1 result: PR#4 (d88f5801) ✅
+
+**2. PR#3 closed**
+- `GET /api/v1/repos/recipe-maintainers/ghost/pulls/3` → `state=closed` ✅
+
+**3. PR#5 closed**
+- `GET /api/v1/repos/recipe-maintainers/ghost/pulls/5` → `state=closed` ✅
+
+**4. No ghost resource leaks**
+- `docker stack ls | grep ghos` = nothing ✅
+- `docker service ls | grep ghos` = nothing ✅
+- `docker volume ls | grep ghos` = nothing ✅
+
+**5. Operator comment on PR#4**
+- Comment at 2026-06-13T06:22:11Z (note: STATUS says 06:35Z — minor discrepancy, not blocking)
+- Content: 5-tier pass table, infra-confound analysis, "This PR is operator-ready. Nothing was merged." ✅
+
+**6. Adversary findings from BACKLOG addressed:**
+- A1: Build #585 NOT used as post-proxy pass — Builder used #612 (post-proxy) ✅
+- A2: MySQL timing acknowledged in operator comment; upgrade passed post-proxy confirming infra-confound ✅
+- A3: PR#5 closed ✅
+
+### Verdict
+
+Both M1 and M2 PASS. The ghost phase Definition of Done is met:
+- Exactly one ghost upgrade PR (PR#4) is operator-ready
+- Fresh post-proxy verdict: PASS (build #612, level 5/5)
+- 2026-06-12 failures correctly classified as infra-confounded (proxy /24 IPAM pressure + load)
+- No stale stacks/volumes
+- Operator-facing explanation present on the PR
+
+Builder may write `## DONE` to STATUS-ghost.md.

machine-docs/REVIEW-gtea.md

@@ -0,0 +1,373 @@
+# REVIEW — phase gtea (gitea full-test enrollment)
+
+Adversary verdict log. Append-only. Only the Adversary writes here.
+Commit prefix: `review(gtea): ...`
+
+---
+
+## Init @2026-06-15T19:33Z
+
+Phase gtea started. No gates claimed yet by Builder. Baseline orientation run:
+- Builder hasn't started (no STATUS-gtea.md, no gtea commits on origin/main as of 3f6d7dc).
+- Existing `tests/gitea/recipe_meta.py` is the dep-provider stub (header: "NOT a standalone recipe-under-test").
+- Plan SSOT loaded: plan-phase-gtea-gitea-fulltests.md — M1 = suite green locally; M2 = green in real CI + LFS PR verified.
+- Exemplars to check: tests/cryptpad/, tests/keycloak/.
+- Will maintain independent break-it probes while Builder builds.
+
+---
+
+## Pre-M1 code review @2026-06-15T19:58Z
+
+Builder commit 33561c8 (all files) + 6ac9989 (Playwright fix) read.
+
+### PASS items
+- recipe_meta.py: READY_PROBE(ctx) and SCREENSHOT(page, ctx) signatures match registry hook_params ✓
+- BACKUP_CAPABLE=True explicit (compose.yml backupbot.backup=true confirmed) ✓
+- EXTRA_ENV dep path unchanged: sqlite3 + relaxed auth; LFS guard requires RECIPE=gitea AND overlay file ✓
+- PARITY.md honest about absent upstream tests (source note says recipe-info corpus, not upstream) ✓
+- ops.py pre_restore deletes marker + asserts absence — divergence is real ✓
+- test_restore.py asserts marker returned — a no-op restore would fail ✓
+- harness.http.retry_http_get, lifecycle.http_fetch, lifecycle.exec_in_app all exist in the harness ✓
+- PARITY.md: beyond-parity test rationale non-vacuous ✓
+- Playwright fix: wait_for_selector("input#user_name") is visible — correct ✓
+
+### ISSUES filed (in BUILDER-INBOX.md @4a4b756)
+
+**[critical — M2 blocker]** `git-lfs` not installed on cc-ci: `git lfs` is not a git subcommand.
+The LFS test uses `git lfs install/track/ls-files` — all fail without git-lfs. Fix: add
+`git-lfs` to `nix/hosts/cc-ci/configuration.nix` systemPackages, rebuild, deploy.
+
+**[bug in test_lfs_roundtrip.py]** Double `/api/v1` path: `_api(live_app, "/api/v1/version", ...)`
+constructs `https://domain/api/v1/api/v1/version` → 404. The restart health-poll will spin 120s
+then fail. Fix: change path argument to `"/version"`.
+
+Both issues affect only the LFS capstone (which skips on main). Do NOT block M1 verdict.
+M2 verdict will FAIL unless both are fixed before the lfs-plain-gitea run.
+
+## Additional pre-M1 cold checks @2026-06-15T20:10Z
+
+Builder addressed inbox findings in commits 893a7b0, 3cc8338, 74bc5f0, 3ec24b0:
+- Double /api/v1 path bug: FIXED ("/version" path used correctly) ✓
+- git-lfs: added to nix/hosts/cc-ci-hetzner/configuration.nix (correct host config) ✓
+- test_git_push: auto_init=True repo, credential URL approach ✓
+- test_admin_api: scopes added for gitea 1.22+ ✓
+
+Cold checks run from cc-ci /root/builder-clone (HEAD 3ec24b0):
+- recipe_meta.py: all keys load — BACKUP_CAPABLE=True, READY_PROBE callable, SCREENSHOT callable, EXTRA_ENV callable ✓
+- unit tests: 53/53 PASS (test_gitea_dep.py 10/10, test_meta.py 43/43) ✓
+- LFS conditional (RECIPE=gitea, compose.lfs.yml absent): COMPOSE_FILE=sqlite3 only, LFS=False ✓
+- LFS skip mechanism: _lfs_enabled() returns False when compose.lfs.yml absent (main branch) ✓
+
+## M1 cold verification @2026-06-15T20:32Z
+
+Builder claim: commit bac3662, all 5 stages PASS locally (RECIPE=gitea), run_id=manual.
+
+### Evidence reviewed (independent, from adv-clone at HEAD b2663dc)
+
+**results.json** (`/var/lib/cc-ci-runs/manual/results.json`, mtime 20:08 today):
+- level: 5/5 ✓
+- install/upgrade/backup/restore/custom: all "pass" ✓
+- lint: "pass" ✓
+- LFS (test_lfs_roundtrip): status="skip", message="compose.lfs.yml absent in gitea recipe checkout — LFS is not enabled on this branch. This test runs on lfs-plain-gitea (PR #1) and is EXPECTED_NA on main." ✓
+- flags: clean_teardown=true, no_secret_leak=true ✓
+- customization: 4 custom tests, ops.py hooks for all 4 pre-op stages, meta non-default keys all correct ✓
+- unintentional skips: [] (no unexpected skips) ✓
+
+**Unit tests (Adversary cold run from adv-clone)**:
+- 53/53 PASS (test_gitea_dep.py 10/10, test_meta.py 43/43) ✓
+- test_gitea_recipe_meta_extra_env PASS — dep env correct (no LFS when RECIPE≠gitea) ✓
+- test_enrich_deps_routes_gitea PASS — dep routing intact ✓
+- test_drone_recipe_meta_deps PASS — DEPS=["gitea"] correct ✓
+
+**Code review of test hooks:**
+- test_restore: pre_restore DELETES marker + asserts absence; test asserts marker RETURNED — no-op restore fails ✓
+- test_upgrade: marker_repo_exists() hits API with admin creds — data continuity is real ✓
+- test_git_push: auto_init=True repo, credential URL embedded, push via git; verifies non-empty response ✓
+- test_admin_api: creates user, org, token via API with 1.22+ scopes; teardown cleans up ✓
+- test_health: HTTP 200 on root endpoint ✓
+- LFS conditional: 2-guard (_lfs_enabled requires RECIPE=gitea AND compose.lfs.yml exists) prevents dep leak ✓
+
+**Dep path verification:**
+- No RECIPE=drone CI run post-Builder changes (last drone run was #506, June 13)
+- EXTRA_ENV dep path verified code-level: RECIPE=drone → no LFS flags, standard sqlite3+auth only ✓
+- Unit tests cover this path explicitly ✓
+
+### Findings
+
+**[non-blocking, pre-existing harness bug] Stale screenshot:**
+`/var/lib/cc-ci-runs/manual/screenshot.png` has mtime June 13 — not from today's M1 run.
+Root cause: `screenshot.capture()` checks `if not os.path.exists(out_path)` after running the
+SCREENSHOT hook; since the file exists from a prior manual run (run_id="manual" reuses the same dir),
+`_snap_with_blank_retry` is never called and the old file persists. results.json reports
+`"screenshot": "screenshot.png"` (file exists and is non-empty), but it's a stale image.
+Non-blocking per R7 (cosmetics never change verdict). M2 will use DRONE_BUILD_NUMBER as run_id
+→ fresh directory → no issue. NOT a Builder error; pre-existing harness limitation of manual runs.
+Filed in BACKLOG-gtea.md under Adversary findings.
+
+**[constraint] Independent harness run blocked by lifetime.py orphan guard:**
+`lifetime.install_lifetime_guards()` calls `prctl(PR_SET_PDEATHSIG)` then checks `ppid==1`; when
+running via systemd-run or nohup (detached), the harness correctly refuses to run orphaned.
+No bypass env var exists. Running the full harness in foreground would require ~30-min SSH hold.
+Code review + unit test verification substitutes for M1 (M2 !testme provides the live run).
+
+## M1 VERDICT: PASS @2026-06-15T20:32Z
+
+All M1 DoD satisfied:
+- Suite built: install/upgrade/backup/restore/custom/lint all exist and ran ✓
+- Suite green locally: level=5/5, all stages PASS on main ✓
+- LFS test correctly SKIP on main (compose.lfs.yml absent → _lfs_enabled()=False) ✓
+- Tests have teeth: restore divergence is real, upgrade verifies data continuity ✓
+- Dep path unbroken: EXTRA_ENV dep route correct, unit tests pass ✓
+- No secrets in run artifacts: no_secret_leak=true ✓
+
+Gate M1: **ADVERSARY PASS** (commit bac3662, run_id=manual, all stages pass)
+
+---
+
+## M2 pre-verification @2026-06-15T20:50Z
+
+Builder triggered !testme on PR #1 (gitea recipe mirror, git.autonomic.zone) and on main branch.
+Bridge is live with recipe-maintainers/gitea in POLL_REPOS. 3 CI runs completed:
+
+### Run 674 — main branch (RECIPE=gitea, PR=0, REF=main)
+
+level=1. install: PASS. upgrade: **FAIL**.
+Error: "upgrade deployed chaos commit 'e6a1cc79', not the intended PR-head 'main' — the re-checkout
+to the code under test failed."
+backup/restore/custom: PASS (ran on the existing install despite upgrade failure).
+LFS test: correctly SKIP (REF=main, compose.lfs.yml absent from main branch). ✓
+
+**M2 main-branch DoD NOT met.** Upgrade tier must PASS for level=5.
+
+### Run 675 — main branch concurrent (PR=0, REF=main)
+
+level=0. All stages FAIL.
+Root cause: concurrent collision with run 674 (same domain from same recipe+pr+ref hash).
+ci_admin creds cached at /tmp/ccci-gitea-admin-<domain>.json from run 674 → 401 on API calls
+because gitea was in a stale state. Non-blocking bug (triggered by multiple !testme comments).
+
+### Run 676 — PR #1 (RECIPE=gitea, PR=1, REF=357926f2)
+
+level=3. install/upgrade/backup/restore: PASS ✓. custom: **FAIL**.
+LFS test failure: `git push` batch endpoint returns "Repository or object not found".
+`_lfs_available()` returned True (compose.lfs.yml present in recipe dir at test time — confirmed
+via recipe reflog: checkout to 357926f2 at 20:35:58, test ran at 20:36:36).
+But gitea LFS server was not accepting LFS batch requests → `LFS_START_SERVER = false` in app.ini.
+
+PR #1 code verified correct:
+- compose.lfs.yml: GITEA_LFS_START_SERVER=true + lfs_jwt_secret external secret ✓
+- app.ini.tmpl: LFS_START_SERVER rendered from env, LFS_JWT_SECRET conditional ✓
+- abra.sh: APP_INI_VERSION v22 (triggers re-render on deploy) ✓
+
+Likely harness-level bug: either (a) lfs_jwt_secret not generated (SECRET_LFS_JWT_SECRET_VERSION=v1
+only in EXTRA_ENV dict, not in disk .env file read by `abra secret generate`), or (b) compose.lfs.yml
+not included in COMPOSE_FILE at actual docker deploy time due to abra base-deploy checkout timing
+(abra checked out 3.5.2+1.24.2-rootless tag at 20:35:37 removing compose.lfs.yml, harness
+re-checked 357926f2 at 20:35:58 restoring it, but EXTRA_ENV may have been evaluated before that).
+
+Filed as critical M2 blockers in BACKLOG-gtea.md. Builder must fix before M2 can be claimed.
+
+## M2 VERDICT: PENDING — two critical blockers
+
+1. LFS test fails in run 676 (PR #1 custom tier fail, level=3 not level=5)
+2. Upgrade fails on main branch run 674 (level=1, not level=5)
+
+Gate M2: **NOT CLAIMED** — Builder must fix and re-trigger CI
+
+---
+
+## M2 re-verification @2026-06-15T21:30Z (builds #684 and #685)
+
+Builder fixed two blockers (commit a121d2c): UPGRADE_EXTRA_ENV for LFS, head_ref SHA fix,
+stale creds deletion in pre_install. Triggered builds #684 (main) and #685 (PR #1).
+
+### Build #684 — RECIPE=gitea REF=main PR=0 — **PASS** level=5 ✓
+
+Full log reviewed from Drone API.
+
+- lint: pass ✓
+- install: PASS — generic test_serving + gitea test_install_gitea both PASS ✓
+- upgrade: PASS — version=3.5.2→3.5.3, HC1: head_ref=e6a1cc79, chaos-version=e6a1cc79 (SHA match) ✓
+- backup: PASS — restic snapshot 8435c4df, 53 files, marker captured ✓
+- restore: PASS — pre_restore deleted ci-marker, restore returned it (genuine divergence) ✓
+- custom: all 4 tests:
+  - test_admin_api: PASS (user+org+token CRUD lifecycle) ✓
+  - test_git_push: PASS (create repo→push→verify via API) ✓
+  - test_health: PASS (root HTTP 200) ✓
+  - test_lfs_roundtrip: SKIP ✓ — correct ("compose.lfs.yml absent in gitea recipe checkout —
+    LFS is not enabled on this branch. This test runs on lfs-plain-gitea (PR #1) and is
+    EXPECTED_NA on main.")
+- deploy-count=1 (expected 1) ✓
+- clean_teardown=true, no_secret_leak=true ✓
+
+**M2 main-branch condition: MET** (build #684, level=5, upgrade SHA-match correct, LFS skip correct)
+
+Screenshot: PNG file, 36KB, captured at 21:04 (during run #684). Visual content not verified
+inline (requires file transfer); file is valid PNG with real content. Operator should visually
+confirm sign-in page is shown.
+
+### Build #685 — RECIPE=gitea PR=1 REF=357926f26e69 — **FAIL** level=1 ✗
+
+Full log reviewed from Drone API and results.json.
+
+- lint: pass ✓
+- install: PASS (base 3.5.2, no LFS) ✓
+- upgrade: **FAIL** — `gite-e1cb78.ci.commoninternet.net: upgrade redeploy did NOT converge to
+  the head spec — swarm UpdateStatus='rollback_completed'.`
+- backup: FAIL (cascade — pre_backup 401: could not ensure ci-marker exists)
+- restore: FAIL (cascade — ci-marker absent after restore; backup state was bad)
+- custom: FAIL — test_admin_api, test_git_push, test_lfs_roundtrip all get `401 Unauthorized:
+  user's password is invalid [uid: 1, name: ci_admin]`; test_health: PASS ✓
+- test_lfs_roundtrip: reaches API call (compose.lfs.yml IS in recipe dir at test time,
+  _lfs_available()=True, LFS test DID run) but hits 401 on repo create — cascade failure
+
+**Root cause: upgrade chaos redeploy to PR head with compose.lfs.yml fails (rollback_completed)**
+
+Evidence chain:
+1. `rollback_completed` in Docker Swarm means the NEW task STARTED but failed its health check.
+   If lfs_jwt_secret did NOT exist as Docker secret, the deploy would fail BEFORE creating the
+   task (Docker reports "secret not found" at deploy time, not as a task health failure). Therefore
+   lfs_jwt_secret WAS generated as a Docker secret.
+2. `abra.secret_generate(domain)` WAS called (generic.py line 267, new fix in a121d2c) with
+   SECRET_LFS_JWT_SECRET_VERSION=v1 in the .env after UPGRADE_EXTRA_ENV applied.
+3. The COMPOSE_FILE=compose.yml:compose.sqlite3.yml:compose.lfs.yml was correctly set in .env
+   (confirmed from log: `upgrade-env: COMPOSE_FILE=...`).
+4. Docker confirmed no lfs secrets at post-run check — expected (clean_teardown=true cleaned them).
+
+**Most likely root cause: lfs_jwt_secret generated with wrong length/format by abra --all**
+
+The `.env.sample` in PR #1 (lfs-plain-gitea branch) has the lfs_jwt_secret spec COMMENTED OUT:
+```
+# SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43
+```
+Compare with active (uncommented) entries:
+```
+SECRET_JWT_SECRET_VERSION=v1 # length=43
+SECRET_INTERNAL_TOKEN_VERSION=v1 # length=105
+```
+`abra secret generate --all` reads the recipe's `.env.sample` for secret parameters (including
+length). If the `SECRET_LFS_JWT_SECRET_VERSION` entry is commented out, abra may use a default
+length (likely not 43) when generating the Docker secret value. A gitea LFS JWT secret must be
+a base64 URL-safe string of exactly 43 chars (representing 32 bytes without padding). If abra
+generates a wrong-length value, gitea fails to parse its JWT secret on startup and crashes before
+passing the `/api/healthz` health check — causing `rollback_completed`.
+
+**Secondary mystery: admin password 401 after upgrade rollback**
+After rollback, gitea 3.5.2 runs again. ci_admin password was written to creds file during
+pre_install (fresh install, stale file deleted). Yet all API calls return 401 `user's password
+is invalid`. This cascade is unexplained but consistent with gitea being in a bad state after
+the rollback (possible: the brief chaos deploy attempt changed state in the sqlite3 DB before
+the health check failed and Docker rolled back the CONTAINER — not the DATA volume).
+
+**Files confirmed NOT the issue:**
+- compose.lfs.yml structure: correct (external secret declared, GITEA_LFS_START_SERVER env set) ✓
+- app.ini.tmpl: LFS_JWT_SECRET rendered from `{{ secret "lfs_jwt_secret" }}` when
+  GITEA_LFS_START_SERVER=true ✓
+- UPGRADE_EXTRA_ENV applied correctly (confirmed in log) ✓
+- HC1 would pass if upgrade converged (SHA logic correct from #684 fix) ✓
+
+### Additional finding: cc-ci self-test lint failures (non-blocking for M2 recipe CI)
+
+Push-event builds #683/#686/#687 fail at `scripts/lint.sh`:
+- `ruff format --check`: 9 files need formatting:
+  `tests/gitea/custom/test_admin_api.py`, `test_git_push.py`, `test_lfs_roundtrip.py`,
+  `tests/gitea/ops.py`, `recipe_meta.py`, `test_backup.py`, `test_install.py`, `test_upgrade.py`,
+  `tests/unit/test_discovery.py`
+- `ruff check`: 9 errors (at least `bridge/bridge.py:85:36: UP017` + others in gtea files)
+
+These are the cc-ci REPO'S OWN self-tests, not the recipe CI runs. They do NOT gate M2 recipe
+CI (which runs via custom events). However, they reflect code quality debt and should be fixed.
+`ruff format tests/gitea/` and `ruff check --fix tests/gitea/` would address the gtea files.
+The `bridge.py UP017` may be pre-existing.
+
+Filed in BACKLOG-gtea.md Adversary findings.
+
+### Drone dep path: not re-verified via live CI since a121d2c
+
+M2 DoD: "drone CI re-confirmed green (dep path intact)". No RECIPE=drone custom build has run
+since commit a121d2c modified generic.py and recipe_meta.py. Unit tests (test_gitea_dep.py 10/10)
+still pass and cover the dep path code-level. A live RECIPE=drone run is needed to satisfy the
+full M2 DoD dep-path verification. Filed in BACKLOG as pending.
+
+## M2 VERDICT: PENDING — new critical blocker in build #685
+
+1. ✓ M2 main-branch condition MET (build #684, level=5)
+2. ✗ PR #1 LFS capstone FAIL — upgrade rollback with LFS (build #685, level=1)
+   Root cause: lfs_jwt_secret generated with wrong format/length (commented-out .env.sample spec)
+
+Gate M2: **NOT CLAIMED** — Builder must fix lfs_jwt_secret generation and re-trigger build #685
+
+---
+
+## M2 re-verification round 3 @2026-06-15T22:10Z (builds #691, #692, #695)
+
+Builder applied two further fixes (commits d832b35 + ad53b5a):
+- d832b35: `UPGRADE_SECRET_PREP` hook in `meta.py` + `generic.py`; `recipe_meta.py` UPGRADE_SECRET_PREP
+  implementation uses `docker secret create` directly with correct 43-char base64 URL-safe value
+- ad53b5a: derive `STACK_NAME` from domain (`domain.replace(".", "_")`) when not found in .env
+  (abra does NOT write STACK_NAME to the .env file — it derives it at runtime from the domain)
+- 2d865f0: ruff format + check all gtea files (cc-ci self-test lint now passes)
+
+### Build #691 — RECIPE=gitea PR=1 REF=357926f26e69 — FAIL (STACK_NAME not found) ✗
+
+`UPGRADE_SECRET_PREP` aborted: `RuntimeError: UPGRADE_SECRET_PREP: STACK_NAME not found in
+/root/.abra/servers/default/gite-e1cb78.ci.commoninternet.net.env`
+
+Root cause: the hook attempted to read STACK_NAME from the app's .env, but abra writes only
+app-specific vars to that file (DOMAIN, TYPE, COMPOSE_FILE etc.) — STACK_NAME is derived from
+the domain at runtime by abra's own code. The fix in ad53b5a (domain.replace(".", "_") fallback)
+is the correct approach and matches how abra derives stack names.
+
+New finding filed in BACKLOG-gtea.md. Builder fixed in commit ad53b5a.
+
+### Build #692 — RECIPE=drone PR=0 REF=main — **PASS** level=5 ✓
+
+Full results.json from ci.commoninternet.net/runs/692/results.json:
+- recipe: drone, pr=0, ref=main
+- level: 5 (install: PASS, upgrade: PASS, custom: PASS; backup/restore: skip — correct, drone
+  is not backup-capable)
+- rungs: install=pass, upgrade=pass, functional=pass, lint=pass, backup_restore=skip ✓
+- skips.intentional: backup_restore: "not backup-capable (no backupbot labels / declared)" ✓
+- clean_teardown=true, no_secret_leak=true ✓
+- customization: DEPS=["gitea"] confirmed (gitea dep used in drone's own dep chain) ✓
+
+**M2 drone dep path condition: MET** — drone recipe CI unaffected by all gtea changes
+
+### Build #695 — RECIPE=gitea PR=1 REF=357926f26e69 — **PASS** level=5 ✓
+
+Full results.json from ci.commoninternet.net/runs/695/results.json:
+- recipe: gitea, pr=1, ref=357926f26e69 — THIS IS THE LFS PR
+- level: 5, all 5 stages: install=pass, upgrade=pass, backup=pass, restore=pass, custom=pass
+- No intentional or unintentional skips ✓
+- clean_teardown=true, no_secret_leak=true ✓
+
+Custom tests (all PASS):
+- `test_admin_api_user_org_token_lifecycle`: PASS (333ms) ✓
+- `test_git_push`: PASS (889ms) ✓
+- `test_gitea_root_returns_200`: PASS (36ms) ✓
+- `test_lfs_roundtrip`: **PASS (18147ms = 18s)** ✓ — LFS ROUNDTRIP VERIFIED
+
+UPGRADE_SECRET_PREP hook in customization.meta_non_default confirms it ran.
+version=ce4de9e6451f (deployed recipe HEAD at upgrade time — expected, as chaos deploy uses PR HEAD).
+
+**M2 PR #1 LFS capstone: MET** — test_lfs_roundtrip PASS in real CI on PR #1
+
+### cc-ci self-test lint: CLEARED
+
+Builds #690 and #693 (push events) report success — ruff format + check now both pass.
+All M2 DoD conditions now satisfied.
+
+## M2 VERDICT: PASS @2026-06-15T22:10Z
+
+All M2 DoD conditions met:
+
+1. ✓ Full 5-tier suite green on gitea main in real CI — build #684, level=5, upgrade SHA-match
+   correct, HC1 PASS, LFS correctly SKIP on main ✓
+2. ✓ LFS roundtrip green in real CI on PR #1 — build #695, level=5, `test_lfs_roundtrip` PASS
+   (18s), lfs_jwt_secret correct length via UPGRADE_SECRET_PREP hook, all tiers PASS ✓
+3. ✓ Drone dep path unaffected — build #692, level=5, drone recipe still fully green ✓
+4. ✓ cc-ci self-test lint green — ruff format+check pass on all gtea files ✓
+5. ✓ Unit tests 53/53 pass throughout (test_gitea_dep.py 10/10, test_meta.py 43/43) ✓
+6. ✓ No secrets in any run artifact — no_secret_leak=true in #684, #692, #695 ✓
+
+Gate M2: **ADVERSARY PASS** @2026-06-15T22:10Z

machine-docs/REVIEW-kuma.md

@@ -0,0 +1,184 @@
+# REVIEW — phase `kuma` (uptime-kuma create-a-monitor functional test)
+
+Adversary verdict log. Append-only. SSOT: `cc-ci-plan/plan-phase-kuma-monitor.md`.
+
+## Phase orientation (2026-06-11T18:03Z)
+
+Builder clone: `/srv/cc-ci/cc-ci`; Adversary clone: `/srv/cc-ci/cc-ci-adv`.
+Phase goal: add functional test that completes uptime-kuma's first-run setup wizard and exercises
+its core function — create a monitor, see it probe a target, assert UP + real probe timestamp.
+Negative test (monitor → dead target → DOWN) required if it fits the runtime budget.
+
+Two gates:
+- **M1** — test implemented + green locally; approach justified; bounded waits; real assertions
+- **M2** — drone-path green (≥2 consecutive runs); flake check; DEFERRED closed
+
+Pre-phase independent research notes:
+- uptime-kuma uses Socket.IO for ALL management operations (setup wizard, login, monitor CRUD)
+- Existing tests: Socket.IO handshake (EIO v4), SPA branding, health check — NONE exercise wizard/monitor
+- Two viable approaches per plan: (a) python-socketio client speaking events; (b) Playwright UI
+- Key verification concerns for M1:
+  - Probe reality: must confirm a *real* HTTP check occurred (timestamp advance + status from
+    uptime-kuma's state, not echo of config)
+  - Secret safety: generated admin creds must not appear in logs or test output
+  - Budget: target ≤90s added to functional tier; must use bounded poll not sleep
+  - Negative teeth: dead-target monitor must go DOWN (proves probe isn't stub) — required unless
+    runtime budget forces explicit justification
+- Existing `tests/uptime-kuma/functional/` dir has 3 files: health_check, socketio_handshake,
+  spa_branding — all pass in CI (build #91 was green for uptime-kuma level 5)
+- Phase plan says new test goes in `tests/uptime-kuma/functional/` (or `playwright/` if option b)
+
+## Adversary pre-flight checks (2026-06-11T18:03Z)
+
+uptime-kuma Socket.IO event map (from source / prior investigation):
+- Setup wizard: `setup` event with `{username, password}` → response `{ok: true}`
+- Login: `login` event with `{username, password, token: ""}` → response `{ok: true, token: "..."}`
+- Add monitor: `add` event with monitor config → response `{ok: true, monitorID: N}`
+- Heartbeat list: `heartbeatList` event or `uptime` event to check recent probe status
+- Monitor status: `getMonitorList` or heartbeat events contain `{status: 1}` (UP) or `{status: 0}` (DOWN)
+
+Adversary independent acceptance criteria (what I will cold-verify for M1):
+1. Test file in correct location per plan (tests/uptime-kuma/functional/ or playwright/)
+2. Setup wizard completed and login token obtained (not hardcoded)
+3. Monitor created pointing at a harness-controlled URL (not a stub/no-op)
+4. Wait loop is BOUNDED (deadline/max_wait, not open-ended sleep)
+5. Assertion is on ACTUAL probe data: at minimum one heartbeat with status=1 + timestamp > deploy time
+6. Admin credentials NOT printed/logged in test output
+7. Negative test included OR explicit runtime-budget justification in DECISIONS.md
+8. Runtime ≤ ~90s added (measure from CI timing)
+
+## Independent pre-flight findings (2026-06-11T18:05Z)
+
+**Critical: python-socketio NOT available on cc-ci.**
+```
+cc-ci-run -c 'import socketio'  # → ModuleNotFoundError: No module named 'socketio'
+cc-ci-run -c 'from playwright.sync_api import sync_playwright; print("ok")'  # → ok
+```
+Implication: option (a) python-socketio requires a harness.nix + nixos-rebuild change; option (b)
+Playwright works immediately from existing infrastructure. Builder must justify their choice in
+DECISIONS.md regardless.
+
+**uptime-kuma recipe pinned at 2.2.1** (image `louislam/uptime-kuma:2.2.1`).
+Socket.IO port 3001, routed through Traefik `web-secure` entrypoint.
+
+**uptime-kuma Gitea mirror exists** (recipe-maintainers/uptime-kuma), no open PRs yet. Builder
+will need to create a test PR.
+
+**Real probe evidence requirements I will enforce at M1 cold-verify:**
+- heartbeat data must contain entries with `status` field (1=UP, 0=DOWN)
+- heartbeat timestamps must be AFTER test start (not from config echo)
+- For uptime-kuma 2.x: `heartbeatList` socket event OR API poll at `/api/status-page/heartbeat/...`
+  carries real probe results; event `uptime` also carries historical data
+- The monitor's first heartbeat entry is sufficient if it has: `status: 1`, `time` > deploy timestamp
+
+Builder has not yet started (no STATUS-kuma.md, no kuma commits). Waiting for M1 claim.
+
+---
+
+## M1: PASS @2026-06-11T18:26Z
+
+**Claim commit:** `fe8922c claim(kuma): M1 PASS — test_monitor_wizard green at LEVEL 5 via drone build #460`
+**Test commit:** `8da59cf feat(kuma): implement wizard+monitor Playwright test`
+
+### Cold-verify evidence (Adversary-independent, from own clone + ssh cc-ci)
+
+**1. Test file location and content** ✓
+- File: `tests/uptime-kuma/playwright/test_monitor_wizard.py` (167 lines)
+- Correct placement per plan §2 "option b" + discovery.py `playwright/` subdir
+- Discovery confirmed: `runner/harness/discovery.custom_tests` recurses into `playwright/`
+- `live_app` fixture from root `tests/conftest.py` works (session-scoped, reads `CCCI_APP_DOMAIN`)
+
+**2. Drone build #460 results (read from /var/lib/cc-ci-runs/460/results.json on cc-ci)**
+```
+level: 5
+recipe: uptime-kuma  ref: eb4521cc5d77
+  functional.test_uptime_kuma_root_serves [pass] 20ms
+  functional.test_socketio_polling_handshake [pass] 26ms
+  functional.test_uptime_kuma_spa_has_branding [pass] 27ms
+  playwright.test_monitor_wizard_and_probe [pass] 2817ms
+clean_teardown: True
+no_secret_leak: True
+playwright count: 1
+```
+All tiers PASS: install/upgrade/backup/restore/custom/lint = Level 5.
+
+**3. Probe reality** ✓
+- `test_monitor_wizard_and_probe` PASSED with both positive and negative assertions:
+  - Self-probe monitor → status "Up" (requires real Socket.IO heartbeat from uptime-kuma server)
+  - Dead-port monitor (`127.0.0.1:19999`) → status "Down" (proves probe engine not a stub)
+  - Heartbeat datetime row present (regex `\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}`) — real timestamp
+- 2.817s runtime proves fast connection-refused (dead-port negative check confirmed real)
+
+**4. Secret safety** ✓
+- `_pw` (64-char UUID hex) used only in `.fill()` calls — never printed, never in assertion messages
+- `no_secret_leak: True` confirmed by independent results.json read
+
+**5. Approach justification** ✓
+- `machine-docs/DECISIONS.md` entry "2026-06-11 — uptime-kuma: Playwright (option b)" present
+- Confirms python-socketio absent, Playwright handles Socket.IO transparently, selectors confirmed
+  in 2.2.1 compiled bundle `dist/assets/index-D_mnxLA0.js`
+
+**6. Runtime budget** ✓
+- 2.817s actual ≪ 90s target
+
+**7. Nothing weakened** ✓
+- All 3 existing custom tests still PASS (health_check, socketio_handshake, spa_branding)
+- No existing assertions removed or softened
+
+**8. PR comment** ✓
+- git.autonomic.zone/recipe-maintainers/uptime-kuma/pulls/3 shows:
+  `🌻 cc-ci — uptime-kuma @ eb4521cc ✅ passed`
+
+### M1 verdict: **PASS** — Builder cleared to proceed to M2.
+
+Note: build #462 (flake-check second run for M2) was already in progress at time of this verdict.
+DEFERRED close + PARITY.md update are M2 pre-conditions per BACKLOG.
+
+---
+
+## M2: PASS @2026-06-11T18:32Z
+
+**Claim commit:** `9afdf3d claim(kuma): M2 — build #462 LEVEL 5 PASS (flake #2); DEFERRED closed; PARITY updated`
+
+### Cold-verify evidence (Adversary-independent)
+
+**1. Build #462 results (read from /var/lib/cc-ci-runs/462/results.json on cc-ci)**
+```
+level: 5   recipe: uptime-kuma   ref: eb4521cc5d77
+  functional.test_uptime_kuma_root_serves [pass] 16ms
+  functional.test_socketio_polling_handshake [pass] 26ms
+  functional.test_uptime_kuma_spa_has_branding [pass] 27ms
+  playwright.test_monitor_wizard_and_probe [pass] 2746ms
+clean_teardown: True   no_secret_leak: True   playwright count: 1
+```
+
+**2. 2 consecutive green runs** ✓
+- Build #460: Level 5, `test_monitor_wizard_and_probe` PASS 2817ms
+- Build #462: Level 5, `test_monitor_wizard_and_probe` PASS 2746ms
+- Both same ref (eb4521cc), same recipe, same PR #3
+
+**3. DEFERRED.md closed** ✓
+```
+[x] CLOSED @2026-06-11 (Builder, phase kuma): tests/uptime-kuma/playwright/test_monitor_wizard.py
+    implemented and proven in real CI … Drone builds #460 + #462 both LEVEL 5 …
+```
+
+**4. PARITY.md updated** ✓
+- New row for `tests/uptime-kuma/playwright/test_monitor_wizard.py` with full rationale
+- Documents Up/Down probe, heartbeat datetime, Socket.IO-driven status
+
+**5. PR comment build #462** ✓
+- `🌻 cc-ci — uptime-kuma @ eb4521cc ✅ passed`
+
+### Phase DoD check
+
+Per `plan-phase-kuma-monitor.md` §5:
+- ✅ uptime-kuma proves actual function (wizard + real probe — Up AND Down confirmed)
+- ✅ Flake-checked (2 consecutive Level 5 green runs #460 + #462)
+- ✅ Budget held (2.75–2.82s actual ≪ 90s target)
+- ✅ DEFERRED checked off (entry `[x] CLOSED @2026-06-11`)
+- ✅ M1 fresh PASS (filed 2026-06-11T18:26Z)
+- ✅ M2 fresh PASS (this entry)
+- No VETO standing
+
+### M2 verdict: **PASS** — all DoD satisfied. Builder may write `## DONE`.

machine-docs/REVIEW-lvl5.md

@@ -0,0 +1,148 @@
+# REVIEW — Phase lvl5 (L5 lint rung + de-cap) — Adversary verdicts
+
+Cold-verification ledger (append-only). Each verdict formed from the plan (SSOT), the code/git
+history, the verification info in STATUS-lvl5.md, and my own cold re-run — NOT from JOURNAL
+(anti-anchoring, §6.1). JOURNAL not consulted before this verdict.
+
+---
+
+## M1 — Implementation complete (pre-merge): **PASS** @ 2026-06-11T07:54Z
+
+Branch `phase-lvl5` @ `3d8d286cf3f2df7d164bf458f07bbb916cc18f2b` (claim 24baac5). Implementation
+deliberately NOT on main (reverts 589943f/cd62743 hold it pre-merge) — confirmed; only the
+DECISIONS entry (392f7df) is on main. Verified from a **fresh cold clone** on the cc-ci host
+(`/tmp/adv-lvl5`, cloned from origin, checked out phase-lvl5; HEAD matched 3d8d286).
+
+**Acceptance per plan §4 M1 — all satisfied:**
+
+1. **Cold clone + HEAD** — `git rev-parse HEAD` = 3d8d286 ✓ (matches claim).
+2. **Unit suite (CI host venv)** — `cc-ci-run -m pytest tests/unit/ -q` → **246 passed** in 5.32s
+   ✓ (matches claimed count).
+3. **Repo lint** — `nix develop .#lint --command bash scripts/lint.sh` → **lint: PASS** ✓.
+4. **De-capped `compute_level` correct on ALL 4 mission worked examples** (hand-traced against
+   `level.py` + verified by the rewritten test_level.py):
+   - install✔ upgrade✘ backup✔ functional✔ lint✔ → **L1** (fail blocks) ✓
+   - install✔ upgrade✔ backup skip functional✔ lint✔ → **L5** (intentional skip climbs — the
+     de-cap; was L2 under old rule) ✓
+   - install✔ upgrade✔ backup **unver** functional✔ lint✔ → **L2** (unver blocks) ✓
+   - all four ✔, lint unver → **L4** (unverified top rung not earned) ✓
+   Formula `level = max i: rung_i==pass ∧ all j<i ∈ {pass,skip}` implemented exactly
+   (pass→advance, skip→continue, fail/unver→break). 0 if none.
+5. **N/A classification table matches code.** `derive_rungs` (results.py) implements the
+   DECISIONS table verbatim, incl. the subtle upgrade split: `skip ∧ ¬has_upgrade_target` →
+   `skip` (structural, climbs); a prior-stage abort (`skip`/None WITH a target, undeclared) →
+   `unver` (blocks). install never skips; backup_restore skip iff not-capable or EXPECTED_NA;
+   functional skip iff EXPECTED_NA else unver; **lint pass/fail-or-unver, NEVER skip** (no N/A
+   escape hatch, §2 item 5; EXPECTED_NA["lint"] ignored). Default-unclassifiable = unver. ✓
+6. **§2.3 mirror-context decision reviewed — NO rule filtered.** Executor (`lint.py`) lints a
+   pristine scratch clone of the per-run tree at the tested sha; origin→local path makes abra's
+   tag force-fetch work offline (no auth, no go-git "reference not found"), and the run's real
+   tags ride along so R014 evaluates real content. The plumbing pollution is solved by context,
+   not exemptions. Confirmed by **real-abra behavioral probe** (not just synthetic fixtures):
+   - `run_lint("hedgedoc", …)` clean → `{'status':'pass',...}` ✓ (proves scratch-clone makes
+     abra lint actually run — no FATA).
+   - inject lightweight tag → `{'status':'fail','detail':'error rule(s) unsatisfied: R014',
+     'rules_failed':['R014']}` ✓ (proves the classifier has teeth; R014 is NOT suppressed).
+   Classifier correctly recognizes `rc=0`-with-critical-errors (parses table + "critical errors
+   present" sentinel, fails closed on disagreement); only content-FATA ("unable to validate
+   recipe") → fail, all other non-zero → unver.
+7. **Verdict-neutrality — code inspection + targeted tests.** `run_lint` invoked once
+   (run_recipe_ci.py:942), defaults to `unver`, double-wrapped in try/except (crash → stays
+   unver, non-fatal print), runs BEFORE the tiers at `head_ref` (the exact tested ref). Its
+   result is consumed ONLY at build_results (line 1278, "non-fatal, verdict unaffected"); NO
+   verdict computation reads it. 60s hard budget, never raises. Targeted tests pass:
+   `test_run_lint_missing_recipe_is_unver_not_raise`,
+   `test_build_results_no_lint_given_is_unverified_never_pass`. ✓
+8. **cap/cap_reason/capped fully removed** from active code/schema/card/dashboard/docs. grep over
+   runner/dashboard/docs/tests finds the words only in (a) the unrelated screenshot timeout-cap,
+   (b) "capable"/max-users, (c) explicit test/doc assertions that the fields are ABSENT in
+   schema 2 and that old schema-1 artifacts (which carry level_cap_reason) still render with no
+   relabeling — history-compat covered by test_card/test_dashboard (green). ✓
+
+No verdict regression, no run-verdict coupling, no rule suppression, no silent pass. **M1 PASS.**
+Builder cleared to merge phase-lvl5 → main and proceed to P3/P4 (M2). No VETO.
+
+**Scope note (carried to M2):** M1 verified the lint executor + classifier + level math on real
+abra output and the unit surface. M2 must still prove, on real CI end-to-end: ≥1 genuine L5,
+≥1 lint-blocked L4, ≥1 N/A-skip climb, drone `!testme` ×2, canaries at designed levels under the
+NEW formula, old artifacts rendering live, durations not inflated (lint ≤~60s; observed ~0.7s),
+the before/after level table for ALL enrolled recipes, and card/dashboard/badge visually (PNG/SVG).
+
+---
+
+## M2 — Proven in real CI: **PASS** @ 2026-06-11T11:27Z
+
+Main @ `a521d43` (impl merged 08e6cc8 + PR-path fix 68c3486). Cold-verified from a **fresh clone
+of main** on the cc-ci host (`/tmp/adv-m2`), drone API (token from /run/secrets), live HTTPS
+artifacts, and Read PNGs. JOURNAL not consulted before this verdict.
+
+**Acceptance per plan §4 M2 + §6 DoD — all satisfied:**
+
+1. **Unit suite + lint (fresh clone main).** `cc-ci-run -m pytest tests/unit/ -q` → **247 passed**;
+   `scripts/lint.sh` → PASS. The new PR-path regression test
+   `test_run_lint_detached_pr_tree_lints_exact_ref` passes (covers fix 68c3486: abra lint checks
+   out the repo DEFAULT BRANCH, so a detached scratch clone would FATA or silently lint a stale
+   branch; fix forces local main AT the tested ref + repoints origin to scratch → lints the PR
+   head content). My M1 smoke only exercised the HEAD path; this closes that gap.
+2. **Genuine L5 (full clean climb).** Runs 398 hedgedoc / 406 immich / 407 plausible / 413 mumble:
+   results.json schema=2, level=5, all 5 rungs pass, no cap keys, drone build status=success.
+3. **Lint-blocked L4, verdict-neutral — the central claim.** Run 405 custom-html PR4:
+   results.json level=4, lint=fail rules_failed=[R011], all five TIERS pass
+   (install/upgrade/backup/restore/custom), **drone build 405 status=SUCCESS**, and the bridge
+   `reflected outcome build 405 (custom-html PR #4): success` to the PR. A lint failure caps the
+   level at 4 but does NOT flip the run verdict. Card PNG shows lint ✗ FAIL red, "level 4 of 5",
+   badge #a0b93f. Neutrality proven BOTH directions (415/416 red with lint=pass — see #6).
+4. **N/A-skip climb (the de-cap).** Run 399 custom-html-tiny: backup_restore=skip with declared
+   reason in skips.intentional ("stateless static file server … no backupbot.backup label"),
+   other rungs pass, **level=5** (was L2 @ #205). Card PNG shows backup/restore "⊘ INTENTIONAL
+   SKIP" + reason, level 5 of 5. A formerly-capped non-backup-capable recipe now climbs.
+5. **Drone !testme path ×3, GENUINE (not manual API).** ccci-bridge poll logs:
+   `[poll] triggered build 405 for custom-html@36b362aa (PR #4, comment 14332)`,
+   `406 immich@107d7220 (PR #2, comment 14333)`, `407 plausible@13458fac (PR #3, comment 14334)`,
+   each followed by `reflected outcome … success`. Build params confirm RECIPE/PR/REF match the
+   real PR heads. ≥2 required; 3 delivered, all on real PRs showing the lint rung.
+6. **Canaries at re-derived designed level + backup-fail still blocks.** 415 (bkp-bad) / 416
+   (rst-bad): drone build status=**failure** (red), results.json level=1, rungs {install pass,
+   upgrade skip(structural — no version tags on SRC+REF mirror), backup_restore FAIL, functional
+   unver, lint pass}. New-formula trace: install(1) → upgrade skip(climb) → backup_restore
+   fail(BLOCK) → L1. RED is caused by the failing backup/restore TIER (verdict logic untouched),
+   NOT by lint (lint=pass). Re-derivation is sound; matches OLD-rule level too (old: upgrade N/A
+   caps at L1) — no regression, same designed level, red either way.
+7. **Unverified-blocks (mission example #3), synthesized.** host run
+   `/var/lib/cc-ci-runs/lvl5-unver-demo/results.json`: schema=2, level=2, rungs {install pass,
+   upgrade pass, backup_restore UNVER, functional pass, lint pass}, skips.unintentional=
+   [backup_restore]. backup unver blocks at L2 even though functional+lint pass above it. ✓
+8. **Durations not inflated.** drone build wall-times: 398=100s, 399=45s, 405=61s, 406 immich=199s
+   (shot baseline 198-199s), 407 plausible=164s (shot baseline 166s), 413=80s. lint adds ~0.7s;
+   the two cross-phase baselines are flat (407 slightly faster). No duration regression.
+9. **Old artifacts render, no relabel.** /runs/370 (schema=1, level=4, level_cap_reason present)
+   serves 200 (results.json + summary.png); dashboard `/` + `/recipe/immich` 200 with mixed
+   schema-1/schema-2 rows; unit history-compat tests green.
+10. **lint.txt served.** /runs/398/lint.txt 200 — full real abra table (HEAVY-box), cmd + rc=0 +
+    status=pass header, ref=09bf4d54 (hedgedoc's EXACT tested ref).
+11. **Badges number+colour only.** hedgedoc badge ">level 5<" #3fb950; custom-html ">level 4<"
+    #a0b93f; grep finds NO cap/skip/na/reason language in badge SVGs. Matches operator spec.
+12. **P3 matrix 19/19 lint PASS** (BACKLOG-lvl5.md) via documented scratch-clone method; no mirror
+    PRs / DEFERRED needed; warn-severity misses only (don't fail the rung). lasuite-meet R014 now
+    passes genuinely (tag annotated upstream — not suppressed). **Before/after table: every level
+    shift is explained by the rule change** — L4→L5 (+lint, baseline from real artifacts + P3
+    sweep), de-cap L2→L5 (custom-html-tiny proven #399; mailu same mechanism), L4 lintdemo (#405),
+    canary L1, bluesky N/A consistent. **No unexplained shift / no downward regression.** "Analytic
+    5" cells are derivation-checkable from two evidenced inputs (real baseline tiers + proven lint).
+13. **No secret leak.** Independent sweep: no /run/secrets infra-secret VALUES and no generated
+    app-credential patterns appear in any published run artifact (the new lint.txt surface incl.).
+    results.json flags no_secret_leak=true + clean_teardown=true across runs.
+
+**§6 Definition of Done satisfied:** new level system live on main and visible end-to-end
+(results.json→card→dashboard→badge); L5 = abra recipe lint on the tested ref; capping fully
+removed (no cap/cap_reason/capped); all 19 enrolled recipes linted + dispositioned with an
+adversary-checked before/after table; ≥1 real L5 + ≥1 lint-blocked L4 + ≥1 N/A-skip climb through
+real CI incl. the drone path ×3; old artifacts unharmed; M1 (cfc87fd) + M2 fresh Adversary
+PASSes; no verdict or duration regressions.
+
+**No VETO. Builder is cleared to write `## DONE` to STATUS-lvl5.md.**
+
+Out-of-scope note (Builder's STATUS query): the WC5 promote-on-green-cold observation (a
+STAGES-filtered hand-run promoted custom-html's canonical) is pre-existing and orthogonal to the
+level system — NOT a lvl5 finding/regression and not a DONE blocker. If the Builder wants it
+tracked, DEFERRED.md/IDEAS.md is the right home; I'm not filing it as an [adversary] finding.

machine-docs/REVIEW-mailu.md

@@ -0,0 +1,190 @@
+# REVIEW — phase `mailu` (backupbot labels + backup/restore coverage)
+
+Adversary verdict log. Append-only. SSOT: `cc-ci-plan/plan-phase-mailu-backup.md`.
+
+## Phase orientation (2026-06-11T17:59Z)
+
+Builder clone: `/srv/cc-ci/cc-ci`; Adversary clone: `/srv/cc-ci/cc-ci-adv`.
+Phase goal: mirror PR adding backupbot v2 labels to mailu recipe + proof backup→wipe→restore on real
+seeded mail data passes CI.
+
+Pre-phase independent research notes:
+- Mailu compose.yml analyzed. Critical durable volumes:
+  - `mailu:/data` on `admin` svc — SQLite DB (accounts, domains, aliases, DKIM config)
+  - `dkim:/dkim` on `admin` svc — DKIM signing keys
+  - `mail:/mail` on `imap` svc — mail store (Maildir, all user messages)
+  - `redis:/data` on `db` svc — Redis (transient: rate-limits, sessions) — likely NOT needed for restore
+  - Other volumes (rspamd, webmail, certs, mailqueue) — transient/cache, NOT durable
+- Correct backupbot v2 label placement: `admin` service (for DB + DKIM) and `imap` service (for mail store)
+- Backupbot v2 map syntax confirmed from keycloak/immich/mattermost-lts recipes
+- SQLite `/data` — pre-hook may be needed to dump consistently; or copy is safe if admin is quiesced
+- Mail store backup: Maildir is file-based, safe to copy live
+- Recipe mirror has open PR#2 (upgrade-3.1.0+2024.06.52) — backupbot PR must be separate
+
+Awaiting M1 claim from Builder.
+
+---
+
+## M1 FAIL @2026-06-11T20:58Z
+
+**Claim**: build #473 LEVEL 5 PASS, backup→wipe→restore on real seeded mail data proven.
+
+**Verdict: FAIL** — the backup/restore test exercises only the SQLite `/data` volume; the Maildir
+`/mail` volume is labeled and backed up but is NOT specifically tested for restoration.
+
+### What I verified (cold)
+
+1. **PR#3 labels correct** (`add-backupbot-labels`, head `edc0201a79d3`):
+   - `admin` service: `backupbot.backup: "true"` + `backupbot.backup.path: "/data"` ✓
+   - `imap` service: `backupbot.backup: "true"` + `backupbot.backup.path: "/mail"` ✓
+   - Version bump: `3.0.1` → `3.0.2+2024.06.52` ✓
+   - DKIM exclusion intentional and documented in PR desc ✓
+
+2. **Build #473 evidence** (drone API + results.json):
+   - status: success, level: 5, all 5 rungs PASS ✓
+   - `clean_teardown: true`, `no_secret_leak: true` ✓
+   - `test_backup_captures_mailbox` PASS — `citest@<domain>` in config-export at backup time ✓
+   - `test_restore_returns_mailbox` PASS — `citest@<domain>` back in config-export after restore ✓
+   - Backup snapshot `13eee64e`: 139 files, 85MB ✓
+   - Cold teardown: `abra app ls --server cc-ci` shows no mailu apps ✓
+   - No plaintext secrets in compose.yml (secrets section uses swarm `external: true` refs) ✓
+   - PARITY.md updated: P4 COVERED ✓
+
+3. **Backupbot v2 syntax verified** against keycloak/mattermost-lts/n8n patterns — `backupbot.backup.path`
+   is valid v2 syntax for specifying the backup path ✓
+
+### Failing item: `/mail` volume restoration not tested
+
+**Plan requirement** (`plan-phase-mailu-backup.md` §2.3):
+> "ensure the restore tier's data-integrity seed/verify actually exercises MAIL data (a seeded
+> mailbox + message that survives backup→wipe→restore — extend the existing functional helpers if
+> the current seed is too shallow; never weaken anything)"
+
+**What the test does** (`ops.py`):
+- `pre_backup`: creates user account `citest@<domain>` in SQLite via `flask mailu user` — this
+  is an account record in `/data` (SQLite), NOT a mail message in `/mail` (Maildir)
+- `pre_restore`: deletes `citest@<domain>` from SQLite via sqlite3 — only wipes the DB record;
+  the Maildir at `/mail` is untouched throughout
+- `test_restore.py`: asserts `citest@<domain>` is back in `config-export` — this proves the SQLite
+  (`/data`) backup/restore worked, but says nothing about the Maildir (`/mail`)
+
+**What is missing**: the test never (a) seeds an actual email message into the maildir, (b) wipes
+maildir content before restore, or (c) verifies a message survived the restore cycle. If backupbot
+silently failed to restore the `/mail` volume, this test would still PASS.
+
+**Fix required** (using existing infra from `test_mail_flow.py`):
+1. `pre_backup`: after creating `citest@<domain>`, inject a uniquely-tagged message into the mailbox
+   (e.g., via in-container `sendmail` → postfix → dovecot deliver, the same path as `test_mail_flow.py`)
+2. `pre_restore`: also wipe the maildir for `citest@<domain>` (e.g.,
+   `doveadm expunge -u citest@<domain> mailbox INBOX ALL` in the `imap` container)
+3. `test_restore.py`: after asserting the account is back, also assert the seeded message is present
+   (e.g., `doveadm search -u citest@<domain> mailbox INBOX ALL` returns ≥1 message)
+
+Note: the Maildir delivery flow is already proven in `test_mail_flow.py` — the tooling exists,
+the fix is an extension of the existing seed, not a new mechanism.
+
+### Adversary finding filed
+
+See BACKLOG-mailu.md `## Adversary findings` — item [ADV-mailu-01].
+
+Builder: fix the seed shallow enough to exercise `/mail` and re-trigger. PARITY.md and the labels
+are correct; only the seed depth needs extending.
+
+---
+
+## M1 PASS @2026-06-11T21:00Z
+
+**Re-claim**: build #477 LEVEL 5 PASS, ADV-mailu-01 fix applied, both volumes (`/data` SQLite + `/mail` Maildir) now specifically tested.
+
+**Verdict: PASS** — the fix correctly extends the backup/restore seed to cover both durable volumes.
+ADV-mailu-01 is closed.
+
+### What I verified (cold)
+
+1. **PR#3 labels correct** (branch `add-backupbot-labels`, head `edc0201a79d36bc87696b0f93f1ee88ad7bd10ed`):
+   - `admin` service: `backupbot.backup: "true"` + `backupbot.backup.path: "/data"` ✓
+   - `imap` service: `backupbot.backup: "true"` + `backupbot.backup.path: "/mail"` ✓
+   - Version bump: `3.0.1` → `3.0.2+2024.06.52` ✓
+
+2. **Build #477 evidence** (Drone API + `/var/lib/cc-ci-runs/477/results.json`, cold read):
+   - status: success, level: 5, all 5 rungs PASS ✓
+   - `clean_teardown: true`, `no_secret_leak: true` ✓
+   - **backup stage** (all PASS):
+     - `test_backup_captures_mailbox` PASS (1323ms) — SQLite `/data` ✓
+     - `test_backup_captures_mail_message` PASS (133ms) — Maildir `/mail` ✓
+   - **restore stage** (all PASS):
+     - `test_restore_returns_mailbox` PASS (1359ms) — SQLite `/data` ✓
+     - `test_restore_returns_mail_message` PASS (189ms) — Maildir `/mail` ✓
+   - Clean teardown confirmed: `docker stack ls` on cc-ci shows no `mailu-*` stacks ✓
+   - No mailu volumes leaked ✓
+
+3. **Fix code review** (commit `b9352e8`, cold):
+   - `ops.py::pre_backup`: creates user + injects `ccci-backup-probe` message via `sendmail` in
+     `smtp` container, polls `doveadm search` in `imap` container (≤60s) to confirm delivery ✓
+   - `ops.py::pre_restore`: (1) deletes user from sqlite; (2) `rm -rf /mail/{domain}/{localpart}`
+     in `imap` container — wipes maildir independently from sqlite record ✓
+   - `test_backup_captures_mail_message`: `doveadm search` on `imap` asserts message present at backup time ✓
+   - `test_restore_returns_mail_message`: same search after restore — asserts Maildir restored ✓
+   - Both volumes exercised independently: pre_restore wipes each separately; restore must recover each ✓
+
+4. **ADV-mailu-01 all three fix items satisfied**:
+   - (1) pre_backup injects a uniquely-tagged message via sendmail→dovecot deliver ✓
+   - (2) pre_restore wipes the maildir (`rm -rf /mail/{domain}/{localpart}`) ✓
+   - (3) test_restore asserts the message is back (`doveadm search` ≥1 result) ✓
+
+**ADV-mailu-01 closed** — fix is real, CI proves it, no weakening of any assertion.
+
+Builder is cleared to proceed to M2.
+
+---
+
+## M2 PASS @2026-06-11T21:15Z
+
+**Claim**: DEFERRED closed; levels reconciled; PARITY.md updated; operator summary written; fresh Adversary re-trigger via independent `!testme` on PR#3.
+
+**Verdict: PASS** — all M2 DoD items verified independently. Phase `mailu` is DONE.
+
+### What I verified (cold)
+
+1. **PR#3 still open, unmerged** (Gitea API cold check):
+   - state: open, head sha: `edc0201a79d36bc87696b0f93f1ee88ad7bd10ed`, merged: False ✓
+
+2. **DEFERRED.md mailu entry closed**:
+   - Entry `2026-05-29 — mailu: no backup config` marked `[x] CLOSED @2026-06-11` with PR#3 +
+     build #477 pointers; re-entry checkbox also ticked ✓
+
+3. **PARITY.md updated with dual-volume evidence** (`tests/mailu/PARITY.md`):
+   - P4 section now states "earned via recipe-mirror PR#3" ✓
+   - Documents both `/data` (SQLite) and `/mail` (Maildir) seeded + wiped + verified restored ✓
+   - `ops.py`, `test_backup.py`, `test_restore.py` each described correctly ✓
+   - Before/after level: `backup_capable=False → L4-skip` → `backup_capable=True → L5-earned` ✓
+
+4. **Levels reconciliation independently verified**:
+   - `runner/harness/generic.py::backup_capable()` scans `compose*.yml` for `backupbot.backup.*true` ✓
+   - Main branch: no backupbot labels → `backup_capable=False` → backup rung = intentional skip → **L4** ✓
+   - PR#3 head: admin+imap labels present → `backup_capable=True` → backup rung earned → **L5** ✓
+
+5. **Operator summary in STATUS-mailu.md**: complete, accurate, actionable — specifies PR#3 URL,
+   head SHA, what the PR adds, what CI proved, what operator must do (merge PR#3) ✓
+
+6. **Fresh independent re-trigger** (Adversary posted `!testme` on PR#3 at 2026-06-11T21:04:39Z,
+   comment #14363):
+   - **Drone build #483**: LEVEL 5 SUCCESS, recipe=mailu, PR=3, ref=`edc0201a79d3`
+   - All 5 rungs PASS: install / upgrade / backup+restore / functional / lint ✓
+   - Backup stage: `test_backup_captures_mailbox` PASS (1377ms) + `test_backup_captures_mail_message` PASS (149ms) ✓
+   - Restore stage: `test_restore_returns_mailbox` PASS (1402ms) + `test_restore_returns_mail_message` PASS (168ms) ✓
+   - `clean_teardown: true`, `no_secret_leak: true` ✓
+   - No mailu stacks or volumes on host post-run (`docker stack ls` + `docker volume ls` confirm) ✓
+   - Result is reproducible: two independent builds (#477, #483) both LEVEL 5 at the same PR head ✓
+
+### Phase DoD satisfied
+
+All items from `plan-phase-mailu-backup.md` §5:
+- Mirror PR open with evidence-justified backupbot v2 labels ✓ (PR#3)
+- backup→wipe→restore proven on real seeded mail data at PR head incl. drone path ✓ (builds #477 + #483)
+- mailu's backup rung earned (not skipped) with levels reconciled ✓
+- DEFERRED closed ✓
+- M1 + M2 fresh Adversary PASSes ✓ (this entry + M1 PASS above)
+- PR unmerged for the operator ✓
+
+**Phase `mailu` is complete. Builder is cleared to write `## DONE` to STATUS-mailu.md.**

machine-docs/REVIEW-nixenv.md

@@ -0,0 +1,156 @@
+# REVIEW — phase `nixenv` (Adversary)
+
+Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase-nixenv-shared-runtime-env.md`
+SSOT for verification. Verdicts below; cold-runs only.
+
+Status: **M1 PASS** @ 17:40Z (`8b8fc1f`) + **M2 PASS** @ 18:20Z (`f7b6f26`). Both milestones fresh
+Adversary PASS, no VETO → Builder cleared to write `## DONE`.
+
+---
+
+## M2 — PASS @ 2026-06-17T18:20Z — claim `f7b6f26` (deployed `/etc/cc-ci`@d11f8f5 = M1-reviewed tree)
+
+**Deploy + live parity proven — cold-verified.** Verdict from the plan (SSOT), the code, the claim's
+verification info, and my OWN live re-runs (Drone API, journald, host probes). JOURNAL-nixenv.md NOT
+read before this verdict (anti-anchoring preserved).
+
+**(1) Deploy clean + host healthy (re-verified live post-sweep @18:16–18:18Z).**
+- Deployed system `dhmpm232r6m0sq3s7y5r5jpyv5kxgzwi-nixos-system-…` BYTE-IDENTICAL to my M1 build.
+- `systemctl --failed` EMPTY; `nightly-sweep.timer` active+enabled; drone-runner-exec / deploy-proxy /
+  warm-keycloak / swarm-init all active; `nightly-sweep.service` finished Result=success
+  ExecMainStatus=0. drone `/healthz`→200, `ci.commoninternet.net`→200.
+- Live `cc-ci-run` = `zxlx9jnylh7la5m48bsqb1wfm5l9r0bd` (M1-reviewed path). git-lfs/openssl/script/bash
+  resolve on host PATH AND inside cc-ci-run (git-lfs→`33ikv…-git-lfs-3.6.1`, openssl→`48p8b…-openssl-3.3.3`
+  from runtimeInputs, NOT host PATH). openssl was MISSING on this host pre-deploy.
+- NO orphan ephemeral test stacks left by the sweep (no `gite-/matt-/disc-` per-run stacks); only the
+  expected warm canonicals (bluesky-pds, gitea, keycloak) remain — clean teardown.
+
+**(2) Live LFS parity — GREEN on BOTH paths (the DEFECT-3 witness).**
+- **Real timer fire:** `systemctl start nightly-sweep.service` @17:35:38Z; gitea RUN-eligible
+  (canonical 3.5.3 < tag 3.6.0) → `tests/gitea/custom/test_lfs_roundtrip.py::test_lfs_roundtrip
+  PASSED` @17:57:54Z (+ install/upgrade/backup/restore all PASS). The systemd unit PATH carries NO
+  git-lfs and NO /run/current-system/sw/bin, so git-lfs MUST have resolved from cc-ci-run's
+  runtimeInputs — exactly the old DEFECT-3 condition, now satisfied by the shared env.
+- **Drone path:** independently inspected build **#871** via Drone API (status=success): stage
+  recipe-ci → step `ci` runs `cc-ci-run runner/run_recipe_ci.py` (`.drone.yml:83`). Log shows LFS
+  RAN not skipped: `test_lfs_roundtrip PASSED`; RUN SUMMARY install/upgrade/backup/restore/custom all
+  pass, level=5 of 5.
+- Both paths exec the SAME `zxlx9jn` cc-ci-run ⇒ git-lfs resolves identically. DEFECT-3 class
+  structurally eliminated, demonstrated live.
+
+**(3) No regression — sweep SKIPs/promotes correct; the 3 non-green results ALL pre-existing.**
+- **Regression canary:** scanned the ENTIRE post-deploy sweep journal for missing-tool signatures
+  (`command not found` / `not found` / `executable file not found` / `No such file`) → **ZERO**.
+  Nothing got dropped from the env (consistent with the M1 superset proof). No recipe went GREEN→RED.
+- SKIPs all correct (cryptpad/ghost/drone/hedgedoc/immich/lasuite-*/mailu/matrix-synapse/n8n/
+  plausible/uptime-kuma — no-new-version); promotes correct (custom-html, mumble).
+- **gitea GREEN-BUT-PROMOTE-FAILED**: tests green; WC5 promote `abra app deploy warm-gitea… -o -n`
+  fails `FATA … is already deployed` — abra idempotency on the persistent warm canonical (warm-gitea
+  confirmed still up). canonical.json unchanged (3.5.3, ts 08:39Z). Promote path = `nightly_sweep.py`
+  @canon f94de22, UNCHANGED by nixenv (diff dd6712c..d11f8f5 is nix/+machine-docs only, zero
+  runner/tests) → behaviour identical to canon by construction.
+- **discourse rc=1 / mattermost-lts rc=1**: recipe-level reds, env-independent —
+  discourse `test_head_runs_official_image_not_bitnamilegacy` + `test_sidekiq_service_dropped_by_head`
+  (HEAD-image/service assertions); mattermost `test_restore_returns_state` → `docker exec … postgres …
+  relation "ci_marker" does not exist` (docker RESOLVED and ran — a restore-data failure, not a
+  missing tool). **Corroborated pre-existing:** the SAME reds occur in BOTH OLD-env pre-deploy fires
+  today (PID 2149231@14:xx, PID 2248547@15:xx) — mattermost byte-identical postgres error; discourse
+  red in all fires (never green). Not caused by the env change.
+
+**No defects, no VETO.** M2 DoD fully met live. The harness runtime env is single-sourced and proven
+identical across the Drone runner, the timer sweep, and host systemPackages, with git-lfs/openssl now
+guaranteed from one declaration — the DEFECT-3 divergence class is structurally impossible.
+
+**M1 + M2 fresh Adversary PASS → DONE is cleared.** (Consulted JOURNAL-nixenv.md? No — verdict stands
+on plan + code + my own live re-runs.)
+
+---
+
+## M1 — PASS @ 2026-06-17T17:40Z — claim `8b8fc1f`
+
+**Single-source harness runtime env — cold-verified, all 6 DoD items.** Verdict formed from the
+phase plan (SSOT), the code, and my OWN cold builds/evals — JOURNAL-nixenv.md NOT consulted
+(anti-anchoring preserved).
+
+1. **Builds succeed, both hosts (no collision).** `nix build .?submodules=1#…cc-ci-hetzner…toplevel`
+   → EXIT 0; `…#…cc-ci…toplevel` → EXIT 0. (A transient SQLite eval-cache "busy" from running both
+   in parallel was `error (ignored)`, not a build failure.)
+2. **Single source (greps).** `withPackages` → 1 hit (`packages.nix:17` `ccciPyEnv`); `pytest
+   playwright` → 1 hit (same line); `ccciRuntimeTools` defined once (`packages.nix:45`), referenced
+   by `cc-ci-run` (`:68`) + both host configs. `nightly-sweep.nix` has NO `withPackages`, NO
+   `python3`, NO `/run/current-system/sw/bin` PATH prepend — `runtimeInputs = [ pkgs.cc-ci-run ]`
+   and `exec cc-ci-run …`. The DEFECT-3 host-PATH patch is GONE.
+3. **Superset-or-equal — inspected the BUILT wrapper PATH.** `cc-ci-run` store
+   `zxlx9jnylh7la5m48bsqb1wfm5l9r0bd` `export PATH` carries all 15 store dirs:
+   python3-3.12.8-env, abra-0.13.0-beta, docker-27.5.1, git-2.47.2, **git-lfs-3.6.1**, bash-5.2p37,
+   coreutils-9.5, util-linux-2.39.4, curl-8.12.1, jq-1.7.1, gnused-4.9, gnugrep-3.11, gnutar-1.35,
+   **openssl-3.3.3**, procps-4.0.4 — and ends `:$PATH` (PREPEND, inherited PATH retained → nothing
+   from any path lost). Covers the full union of all 3 prior lists; `git-lfs`+`openssl` are the only
+   additions. Nothing dropped.
+4. **Sweep ≡ Drone entrypoint (parity by construction).** Built `cc-ci-nightly-sweep` references the
+   BYTE-IDENTICAL `zxlx9jnylh7la5m48bsqb1wfm5l9r0bd-cc-ci-run`; both hosts'
+   `pkgs.cc-ci-run` resolve that SAME store path; `.drone.yml:83` runs `cc-ci-run
+   runner/run_recipe_ci.py` (host systemPackages wrapper = same path). Same store path ⇒ identical
+   pyEnv + tooling + PLAYWRIGHT_BROWSERS_PATH on Drone path AND timer sweep.
+5. **Host divergence removed.** Both `configuration.nix` systemPackages lines are textually identical
+   (`pkgs.ccciRuntimeTools ++ [ pkgs.openssh ]`). The pre-refactor `cc-ci`-vs-`hetzner` `git-lfs`
+   one-off divergence (my prep flag #1) is ELIMINATED: built `cc-ci` toplevel `sw/bin` now contains
+   `git-lfs`, `openssl`, `script` (util-linux) — tools it previously lacked. `openssh` correctly kept
+   host-only (ssh client, not a recipe tool); it remains on both hosts so the Drone path's inherited
+   PATH is unchanged for it.
+6. **Future-dep propagation (by construction).** `ccciRuntimeTools` is the lone definition; it feeds
+   `cc-ci-run.runtimeInputs` (→ Drone path via `.drone.yml`, → sweep via `exec cc-ci-run`) AND both
+   hosts' `systemPackages` (→ Drone runner host PATH). One edit to that list reaches every consumer.
+   Proven structurally via the reference graph; no working-tree mutation needed.
+
+**No defects, no VETO.** Faithful refactor — one shared definition, three references, DEFECT-3 class
+structurally eliminated. M2 (deploy via `nixos-rebuild switch` + live parity witness: gitea LFS
+roundtrip green under BOTH Drone path and a real timer fire) remains to be claimed/verified.
+
+---
+
+## (prior) Cold-prep notes
+
+---
+
+## Cold-prep — enumeration of the CURRENT (pre-refactor) declarations @ HEAD dd6712c
+
+The M1 superset-or-equal proof must show the new shared set ⊇ the union of all of these. Captured
+from the code (SSOT), independent of any Builder narrative:
+
+**(A) `nix/modules/harness.nix` — `cc-ci-run` (Drone entrypoint) `runtimeInputs`:**
+`pyEnv  abra  docker  git  coreutils  util-linux`
+- `pyEnv = python3.withPackages [ pytest playwright ]`
+- env: `PLAYWRIGHT_BROWSERS_PATH=${playwright-driver.browsers}`, `PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1`
+
+**(B) `nix/modules/nightly-sweep.nix` — sweep `runtimeInputs`:**
+`bash  abra  docker  git  curl  jq  gnused  gnugrep  gnutar  coreutils  util-linux  procps`
+- DUPLICATE `pyEnv = python3.withPackages [ pytest playwright ]`
+- same PLAYWRIGHT env
+- DEFECT-3 patch: `export PATH="/run/current-system/sw/bin:/run/wrappers/bin:$PATH"` (host-PATH prepend)
+
+**(C) Drone runner path — `nix/modules/drone-runner.nix`:**
+`PATH = mkForce "/run/current-system/sw/bin:/run/wrappers/bin"` → recipe shell-outs resolve from
+**host `environment.systemPackages`**, NOT a runtimeInputs list.
+
+**(D) Host `systemPackages` (feeds C):**
+- `nix/hosts/cc-ci/configuration.nix`:        `curl  git  jq  openssh`   ← **NO git-lfs**
+- `nix/hosts/cc-ci-hetzner/configuration.nix`: `curl  git  git-lfs  jq  openssh`
+
+### UNION the shared set must cover (≥):
+`python3+pytest+playwright` (pyEnv) · playwright browsers · `abra docker git git-lfs coreutils
+util-linux bash curl jq gnused gnugrep gnutar procps openssh`
+Plan §2 also names `openssl` as a recipe shell-out → expect it present too.
+
+### Pre-noted suspicions to break on M1/M2 (cold, not yet verdicts):
+1. **Host divergence**: `cc-ci` config lacks `git-lfs` but `hetzner` has it. Which config is the
+   LIVE `ssh cc-ci` server running, and does `git-lfs` actually resolve there today? If the shared
+   set is applied to both host configs, cc-ci should GAIN git-lfs. Verify both configs end identical.
+2. **Nothing dropped**: any token in the union missing from the shared set = blast-radius break.
+3. **Sweep parity by construction**: plan wants sweep to invoke `cc-ci-run` (same entrypoint) — if
+   it instead keeps a parallel list, "single source" is not actually achieved; grep must prove no
+   module declares its own harness dep list.
+4. **DEFECT-3 patch removal**: the host-PATH prepend should be gone/subsumed; if removed, git-lfs
+   etc. must now come from the shared runtimeInputs, else the sweep regresses.
+5. **Live witness**: gitea `test_lfs_roundtrip` must stay GREEN under BOTH Drone path and a real
+   timer fire from the unified env.

machine-docs/REVIEW-poe2e.md

@@ -0,0 +1,168 @@
+# REVIEW — phase poe2e (Adversary)
+
+**Phase plan:** `/srv/cc-ci/cc-ci-plan/plan-phase-poe2e-end-to-end.md`
+**Initialized:** 2026-06-13T19:25Z
+
+## Orientation
+
+Phase mission: prove the whole model works end-to-end — PO scaffolds, runs (isolated), and tears
+down a throwaway project; cc-ci is modeled as a project in STAGING; live cc-ci is provably untouched.
+
+### Definition of Done (poe2e)
+
+| # | DoD item | Status |
+|---|---|---|
+| D1 | PO scaffolded, ran (isolated), and tore down a throwaway project — evidence in REVIEW | **PASS @2026-06-13T19:46Z** |
+| D2 | Staged `cc-ci` project: engine submodule pinned + migrated `agents.toml`; `agents.py status` MATCHES live cc-ci (side-by-side shown) | **PASS @2026-06-13T19:46Z** |
+| D3 | Staged cc-ci registered in `fleet.toml` | **PASS @2026-06-13T19:46Z** |
+| D4 | Written, reviewed operator cutover runbook | **PASS @2026-06-13T19:46Z** |
+| D5 | Live cc-ci provably untouched: tmux sessions + `/srv/cc-ci/cc-ci-plan/agents.{py,toml}` + `state/` unchanged; no second watchdog started | **PASS @2026-06-13T19:46Z** |
+
+## Verdicts
+
+### ALL DoD PASS @2026-06-13T19:46Z — phase DONE
+
+Cold-verified from the Adversary's own clone (/srv/cc-ci/cc-ci-adv) and fresh shell. No VETO.
+
+---
+
+#### D1 PASS @2026-06-13T19:46Z
+
+Re-ran the full PO scratch lifecycle independently:
+
+```
+cd /home/loops/porepo/project-orchestrator
+bash scripts/create-project.sh scratch-e2e --dir /tmp/poe2e-scratch --ref v0.1.0 --prefix poe2e-scratch-
+```
+
+Scaffold output: `engine pinned at 289ef07df40a8264f3a36b4e91b923d1424c4658  (v0.1.0)`, `config: agents.toml (session_prefix = poe2e-scratch-)`.
+Tracked files: `.gitignore`, `.gitmodules`, `agents.toml`, `engine` — no PO/fleet metadata.
+
+Injected demo backend (`prompt_delivery = "exec"` — required; "arg" default causes sleep to receive kickoff as arg and exit):
+- `python3 engine/agents.py status` → worker=stopped, watchdog=stopped
+- `python3 engine/agents.py up` → `starting poe2e-scratch-worker (demo, ...)` + `starting watchdog`
+- `tmux ls | grep poe2e-scratch` → both sessions present
+- `python3 engine/agents.py status` → `worker RUNNING [sleep]`, `watchdog RUNNING`
+- Live cc-ci sessions during run: exactly 8 cc-ci-* sessions unchanged
+- `python3 engine/agents.py down` → `killing poe2e-scratch-worker`, `killing poe2e-scratch-watchdog`
+- `tmux ls | grep poe2e-scratch || echo "torn down"` → torn down
+- `python3 engine/agents.py status` → both stopped
+- `rm -rf /tmp/poe2e-scratch` → throwaway deleted
+
+**Note:** The demo backend in `agents.example.toml` uses `prompt_delivery = "exec"` (not the default "arg"). Any cold-verify that injects the demo backend must include this field — otherwise the sleep process receives the kickoff file content as args and exits immediately.
+
+---
+
+#### D2 PASS @2026-06-13T19:46Z
+
+Cold clone: `git clone --recurse-submodules /home/loops/poe2e/cc-ci /tmp/poe2e-ccci-cold`
+
+- HEAD: `38e5c907b9e37b8aebbfccb2e1ad8de7e2d880cb` ✓
+- Submodule: `289ef07df40a8264f3a36b4e91b923d1424c4658 engine (v0.1.0)` ✓
+- (a) Phase list: `phases: 19 19 | identical: True` ✓
+- (b) Phase seq: `rcust shot lvl5 bsky dstamp mailu kuma drone cfold cf55 pvfix pvcheck ghost cf48 pxgate aoeng aotest porepo poe2e` ✓
+- (c) After `phase set 18` (poe2e): `diff /tmp/s.txt /tmp/l.txt` → **STATUS BYTE-IDENTICAL** ✓
+  - Both print: `phase: poe2e [19/19]  plan=plan-phase-poe2e-end-to-end.md  (in progress)` + identical 8-agent table
+  - STATE column shows RUNNING for live sessions because `agents.py status` uses read-only `tmux has-session` — the staged project started nothing; both configs point at the same live tmux sessions, which is why status is byte-identical
+- (d) `builder kickoff identical: True`, `adversary kickoff identical: True` ✓
+
+Cold clone deleted.
+
+---
+
+#### D3 PASS @2026-06-13T19:46Z
+
+```
+cd /home/loops/porepo/project-orchestrator
+python3 scripts/fleet.py validate   → fleet: OK — 2 project(s), schema v1
+python3 scripts/fleet.py status     → cc-ci [disabled] agent-orchestrator@v0.1.0  /home/loops/poe2e/cc-ci
+                                       total=2 enabled=1 disabled=1
+```
+
+`cc-ci` is registered as disabled — correct, it must not be started by the PO (that would conflict with the live system). Operator cutover enables it per runbook §6.
+
+---
+
+#### D4 PASS @2026-06-13T19:46Z
+
+Read `/home/loops/poe2e/cc-ci/docs/cutover-runbook.md`. Covers all expected sections:
+- §0: What-stays/what-changes table with exact config deltas
+- §1: Pre-flight + parity gate (`engine/agents.py status` on project must match live before proceeding)
+- §2: Quiesce live — `systemctl stop cc-ci-loops.service` + `agents.py down` + confirm zero `cc-ci-` sessions (critical: prevents double watchdog on shared namespace)
+- §3: Reuse vs fresh start decision (reuse recommended — preserves phase-idx + resume ids)
+- §4: Production config delta: change `log_dir` from `.ao-state` back to `/srv/cc-ci/.cc-ci-logs`
+- §5: Re-point `launch.py`/`launch.sh` at `engine/agents.py --config agents.toml` (keeps systemd + orchestrator's prompt working unchanged; rollback copy preserved as `launch.py.preproject`)
+- §6: Start + validate (launch.py status parity, single watchdog, handoff ping, flip fleet entry to enabled)
+- §7: Fast rollback (re-point `launch.py`, restart)
+- Appendix: explicitly notes no ACME/DNS/prod-domain work (out of scope)
+
+Runbook is operator-supervised and explicitly states loops MUST NOT perform this cutover themselves.
+
+---
+
+#### D5 PASS @2026-06-13T19:46Z
+
+Final check (vs baseline @19:25Z):
+- `agents.toml` SHA256: `0d78ba55329705055bbb39722292b6d131cdd30f37eb814e50316f7c0e222b88` ✓ unchanged
+- `agents.py` SHA256: `b4567b73099a587b5727a194f80a5e908d1a1589691294230e6ad1492fb9fe9a` ✓ unchanged
+- `state/phase-idx`: `18` ✓ unchanged
+- tmux sessions: exactly 8 `cc-ci-*` sessions, all with same creation times as baseline ✓
+- `cc-ci-watchdog` count: exactly 1 ✓ (no second watchdog started)
+- cc-ci host: `no tmux sessions` ✓ unchanged
+
+The staged project (`/home/loops/poe2e/cc-ci`) uses `session_prefix = "cc-ci-"` for fidelity but the Builder ran ONLY `status`/`phase show`/`phase set` against it — none of which start or kill sessions. The scratch D1 demo ran under `poe2e-scratch-` namespace. No live cc-ci file or session was touched.
+
+## D5 — Live cc-ci baseline snapshot @2026-06-13T19:25Z (pre-Builder)
+
+Taken before Builder started any poe2e work. Will diff against this on cold-verify.
+
+**agents.toml SHA256:** `0d78ba55329705055bbb39722292b6d131cdd30f37eb814e50316f7c0e222b88`
+**agents.py SHA256:** `b4567b73099a587b5727a194f80a5e908d1a1589691294230e6ad1492fb9fe9a`
+**state/phase-idx:** `18` (poe2e — index 18 in the phases array)
+
+**tmux sessions (orchestrator host, pre-Builder):**
+```
+cc-ci-adv (just started)
+cc-ci-assistant3 (pre-existing since 2026-06-09)
+cc-ci-builder (just started)
+cc-ci-cleanlogs (pre-existing since 2026-06-02)
+cc-ci-orchestrator (pre-existing since 2026-06-13)
+cc-ci-report (pre-existing since 2026-06-12)
+cc-ci-upgrader (pre-existing since 2026-06-11)
+cc-ci-watchdog (pre-existing since 2026-06-13)
+```
+
+**cc-ci host tmux:** `no tmux sessions` (cc-ci has no tmux sessions at phase start)
+
+D5 PASS criterion: after all Builder work, agents.toml + agents.py checksums unchanged,
+state/phase-idx still 18, no new cc-ci-*-prefixed watchdog sessions started, cc-ci host tmux
+still empty (or unchanged).
+
+**Note on JOURNAL:** The system-reminder auto-surfaced JOURNAL-poe2e.md contents during git pull
+(Builder had overwritten the file). I noted the live `agents.py status` capture therein — I will
+re-run this independently during cold-verify and will NOT use the Builder's capture as my verdict.
+
+## Break-it probes
+
+(will log independent probes here as they run)
+
+## D2 — Live agents.py status (Adversary independent capture @2026-06-13T19:36Z)
+
+Run from scratch: `cd /srv/cc-ci/cc-ci-plan && python3 agents.py status`
+
+```
+  phase: poe2e [19/19]  plan=plan-phase-poe2e-end-to-end.md  (in progress)
+  AGENT          KIND        BACKEND   MODEL                WATCH      STATE
+  orchestrator   persistent  claude    claude-opus-4-8      heal       RUNNING  [claude]
+  builder        loop        claude    claude-opus-4-8      heal+stall RUNNING  [claude]
+  adversary      loop        claude    claude-sonnet-4-6    heal+stall RUNNING  [claude]
+  assistant      persistent  claude    claude-sonnet-4-6    none       stopped (disabled)
+  upgrader       task        claude    claude-sonnet-4-6    none       RUNNING (disabled)  [claude]
+  report         task        claude    claude-opus-4-8      none       RUNNING (disabled)  [claude]
+  cleanlogs      service     -         -                    -          RUNNING
+  watchdog       service     -         -                    -          RUNNING
+```
+
+This is the parity target for D2. The staged cc-ci `agents.py status` must match the AGENT/KIND/BACKEND/MODEL/WATCH columns (STATE will differ — staged is never started, so all agents will show `stopped`).
+
+Also noted: PO scripts exist at `/home/loops/porepo/project-orchestrator/scripts/` (create, start, stop, update, fleet.py). The `demo` backend is defined in `agents.example.toml` as `bin = "echo '[demo] ...' ; exec sleep 1000000"` — starts a sleeping process the engine tracks as RUNNING. This is what D1 will use for the isolated run.

machine-docs/REVIEW-porepo.md

@@ -0,0 +1,85 @@
+# REVIEW — phase porepo (Adversary)
+
+**Phase plan SSOT:** `/srv/cc-ci/cc-ci-plan/plan-phase-porepo-project-orchestrator.md`
+
+Verdicts are issued only after cold-start re-execution of the acceptance check from this clone.
+No DoD item is accepted on Builder's word alone.
+
+---
+
+## Adversary orientation + pre-check @2026-06-13T19:05Z
+
+Phase initialized. Builder has not yet started:
+- `recipe-maintainers/project-orchestrator` — 404 on Gitea (2026-06-13T19:05Z)
+- No builder clone at `/srv/cc-ci/cc-ci`
+
+### Pre-verification checklist (break-it probes to run when Builder claims DONE):
+
+1. **Submodule pinned to v0.1.0** — verify `git submodule status` shows the exact SHA matching
+   `agent-orchestrator` tag `v0.1.0`, not HEAD or a newer commit.
+
+2. **No PO/fleet metadata inside scratch project** — when Builder demonstrates the create-project
+   flow, grep the scratch project repo for `fleet`, `project-orchestrator`, `porepo` — must be absent.
+
+3. **Clean recursive clone** — `git clone --recurse-submodules` in /tmp; `engine/` submodule must
+   materialise without extra steps.
+
+4. **agents.py status cold** — from /tmp clone, inside `nix develop`, `python3 engine/agents.py status`
+   must succeed (exit 0) without any pre-setup beyond the clone.
+
+5. **fleet.toml sample parses** — `python3 -c "import tomllib; tomllib.load(open('fleet.toml','rb'))"` 
+   must succeed.
+
+6. **nix develop -c python3 -c 'import tomllib'** must succeed per DoD-5.
+
+7. **Bootstrap doc exists** — README or docs/bootstrap.md describes the hand-scaffold flow.
+
+8. **Scratch project cleanup** — after the demo, scratch project must be deleted from Gitea
+   and NOT appear in any live cc-ci system.
+
+---
+
+## Verdicts
+
+### porepo: ALL DoD PASS @2026-06-13T19:19Z
+
+Cold-verified from anonymous `/tmp/porepo-cold` recursive clone (no creds, no cached state).
+Deliverable: `recipe-maintainers/project-orchestrator` HEAD `346ed31acbc0d98eeb2881a1b62998ac9544c002`.
+
+**DoD-1 — repo + submodule + main pushed: PASS**
+- Repo public on Gitea, main at `346ed31`.
+- `git submodule status` → ` 289ef07df40a8264f3a36b4e91b923d1424c4658 engine (v0.1.0)` — exact v0.1.0 tag commit.
+- `engine/agents.py` present in submodule.
+
+**DoD-2 — `agents.py status` from clean recursive clone (nix develop): PASS**
+- `nix develop -c python3 engine/agents.py status` → table with `project-orchestrator` (persistent,
+  claude, claude-opus-4-8, heal, stopped) + watchdog service. rc=0.
+- devShell banner: `Python 3.11.11, tmux 3.5a, git version 2.47.2`.
+
+**DoD-3 — fleet.toml schema + sample entry parses: PASS**
+- `fleet.py validate` → `fleet: OK — 1 project(s), schema v1`, rc=0.
+- `fleet.py status` → lists `example-recipe-ci` (enabled, agent-orchestrator@v0.1.0), `total=1 enabled=1 disabled=0`.
+- `tomllib.load(fleet.toml)` → schema v1, project `example-recipe-ci`. Documented in `docs/fleet-registry.md`.
+
+**DoD-4 — create-project flow documented AND demonstrated: PASS**
+- `create-project.sh scratch-verify --dir /tmp/po-scratch --ref v0.1.0` scaffolded cleanly.
+- Scratch project submodule pinned at `289ef07` (v0.1.0). 
+- `engine/agents.py status` (run via PO's nix develop) → worker agent table, rc=0.
+- Tracked files: `.gitignore .gitmodules agents.toml engine` only — exactly minimal.
+- No PO/fleet metadata: `grep -ril -e fleet -e project-orchestrator . --exclude-dir=engine --exclude-dir=.git` → empty (CLEAN).
+- `scratch-verify` NOT registered in `fleet.toml`.
+- `scratch-verify` NOT on Gitea (404) — local-only throwaway. Did not touch live cc-ci system.
+- Scratch project cleaned up post-demo (`rm -rf /tmp/po-scratch`).
+- Flow documented in `docs/manage-projects.md`.
+
+**DoD-5 — Nix works + bootstrap doc present: PASS**
+- `nix develop -c python3 -c 'import tomllib'` → exit 0 (no output = success).
+- `docs/bootstrap.md` present — describes hand-scaffold steps (init repo, add engine/ submodule, write agents.toml, run `engine/agents.py up`).
+- `flake.nix` devShell includes `python311`, `tmux`, `git` (with submodule support). `README.md` documents `nix develop`.
+
+**Break-it probes (independent):**
+- Submodule URL is `https://git.autonomic.zone/recipe-maintainers/agent-orchestrator.git` (public, no embedded creds) — anonymous `--recurse-submodules` clone works without credentials.
+- Scratch project has single-commit git history; no PO/fleet metadata in any tracked file (verified by grep over full tree excluding engine/).
+- `scratch-verify` never registered in fleet.toml and never pushed to Gitea.
+
+**No findings. No VETO.**

machine-docs/REVIEW-prevb.md

@@ -0,0 +1,197 @@
+# REVIEW — phase `prevb` (Adversary verdicts)
+
+Append-only. Gates this phase: **M1** (implemented + green locally), **M2** (proven in real CI + spot-check).
+SSOT: `/srv/cc-ci/cc-ci-plan/plan-phase-prevb-previous-dynamic-base.md`.
+
+## Status
+- 2026-06-16T23:57Z — Adversary live for `prevb`. No Builder claim yet (no STATUS-prevb.md, no `claim(`).
+  Cold-start recon done: baseline mechanism understood —
+  - base resolution: `run_recipe_ci.upgrade_base` → `meta.UPGRADE_BASE_VERSION or lifecycle.previous_version` (`vers[-2]`); discourse pins `0.7.0+3.3.1`.
+  - overlay `tests/discourse/compose.ccci.yml` applied to ALL deploys via `EXTRA_ENV.COMPOSE_FILE`; fuses environmental (start_period 20m, order stop-first) + version-specific (bitnamilegacy image pin + sidekiq block) — the bug.
+  - existing unit tests to watch for weakening: `tests/unit/test_upgrade_base.py`, `tests/unit/test_meta.py`.
+  Idle until a gate is CLAIMED.
+- 2026-06-17T00:12Z — Independently cold-verified the Builder's STATUS ground-truth facts via gitea API
+  (NOT trusting STATUS): PR #4 head `ae5a81802b4d1d6cd1b449ac46cfa16d80730aaa` `compose.yml` →
+  `app.image = discourse/discourse:3.5.3`, **no `sidekiq` service**; `.diff` shows
+  `-bitnamilegacy/discourse:3.5.0`→`+discourse/discourse:3.5.3` + full `sidekiq:` block removed.
+  main → `app`+`sidekiq` = `bitnamilegacy/discourse:3.5.0`, sidekiq present, base `f87c612d`.
+  Facts CONFIRMED. (Caution noted: gitea `raw?ref=<shortsha>` silently falls back to default branch —
+  must use the FULL sha when cold-verifying head content.) Foundation for "discourse needs no previous/" holds.
+
+## Pre-review (M1 code, gate NOT yet CLAIMED — preliminary recon, not a verdict)
+2026-06-17T00:30Z — studied the M1 `feat` commit bb2e3c6 (code/diff only, NOT JOURNAL). Design looks sound:
+- `resolve_upgrade_base` → BasePlan(kind, version, ref, reason): override → last-green (`canonical.read_registry`)
+  → main-tip (`recipe_branch_commit`) → skip. `.runs` gates the upgrade tier. head_ref = `recipe_head_commit`.
+- `previous/` surface (lifecycle): `has_previous`, `previous_target_version` (VERSION marker), `previous_status`
+  (version-guarded apply/stale), provide/remove overlay, compose_file add/remove. Base-only; **stripped before
+  head redeploy** (`generic.perform_upgrade` → `remove_previous_overlay` + COMPOSE_FILE strip). Good teeth.
+- discourse migrated: `compose.ccci.yml` now ENVIRONMENTAL-ONLY (`order: stop-first`); bitnamilegacy pins +
+  sidekiq + UPGRADE_BASE_VERSION **removed**. `test_upgrade.py` asserts running `app` image == official
+  `discourse/discourse:3.5.3` (not bitnamilegacy) + sidekiq gone; resolves as the upgrade-tier overlay
+  (`resolve_overlay_op`→`test_{op}.py`), run as its own pytest → rc!=0 fails the tier. Real teeth confirmed.
+- **Unit tests run cold (nix pytest): 63 passed** (test_upgrade_base + test_previous + test_meta). Matrix
+  EXPANDED, not weakened (override-wins / last-green-primary / main-tip-fallback / head==main-tip skip / no-pred skip).
+
+STILL REQUIRED for the formal M1 PASS (needs the Builder's e2e claim + my cold acceptance run):
+  (a) discourse upgrade tier GREEN locally with proof the head ran real 3.5.3 (not bitnamilegacy) + no sidekiq;
+  (b) BREAK-IT: a deliberately-broken head still fails the upgrade tier (base resolution didn't paper over it);
+  (c) base falls back to main when last-green absent (unit-covered; e2e desirable);
+  (d) `previous/` ignored for the head (code-confirmed; e2e desirable).
+
+## Adversary findings (pre-review notes)
+- [F-prevb-A] (PRE-EXISTING, NOT a prevb regression; INFO) `tests/unit/test_warm_reconcile.py::
+  test_traefik_spec_is_stateless_with_setup` is RED on main — `KeyError: 'health_domain'`. Fails identically at
+  the gtea-DONE commit 778720c (verified by checkout), and the prevb feat never touched warm_reconcile — the
+  `pxgate-M1` traefik-probe change (0e9fd38) refactored the spec without updating this test. Out of prevb scope,
+  but it means the FULL `tests/unit/` suite is NOT all-green (283 pass / 1 fail). Flagging so "unit green" claims
+  are scoped honestly. Not an M1 blocker.
+- [F-prevb-B] (NIT) old `test_expected_na_other_rung_does_not_suppress` was dropped in the rewrite; the behavior
+  (an EXPECTED_NA for a non-upgrade rung must not suppress the base) is preserved via `.get("upgrade")` but no
+  longer has a dedicated test. Low risk; consider re-adding one line of coverage.
+
+## M1 cold acceptance — IN FLIGHT (2026-06-17T00:42Z)
+Gate M1 CLAIMED @00:40Z (code commit e1b32ea; claim commit bb79e91 = machine-docs only). Cold-verifying from a
+FRESH clone on cc-ci (`/root/cc-ci-adv-prevb` @ bb79e91), not the Builder's tree.
+Done so far (cold):
+- prevb unit surface: **64 passed** (`test_upgrade_base`+`test_previous`+`test_meta`) via nix pytest.
+- statics: `compose.ccci.yml` env-only (`order: stop-first`); discourse `recipe_meta.py` has NO `UPGRADE_BASE_VERSION` assignment.
+- `prune_orphan_services` reviewed: removes only services NOT in the head compose → cannot mask the prevb bug
+  (if overlay leaked sidekiq into the head compose it'd be in `defined` → not pruned → test RED). Teeth preserved.
+- e2e launched (`RECIPE=discourse SRC=recipe-maintainers/discourse REF=ae5a8180… PR=4 STAGES=install,upgrade`),
+  run `manual-1344943`. Early log CONFIRMS `upgrade base: kind=ref ref=f87c612d71b4 (target-branch (main) tip)`
+  → base = main-tip chaos deploy (matches claim). Base deploy (main-tip, has the known sidekiq depends_on bug)
+  in progress; observed a non-fatal `lint rung: fail R011` on the base — watching whether it blocks.
+- CONCURRENCY observed: a Builder keycloak spot-check (PR#3) runs simultaneously in `/root/prevb-deploy`. My
+  discourse run's janitor saw the keycloak lock and LEFT IT (`live concurrent run, leaving it`) — per-run
+  ABRA_DIR isolation holding. Watching for memory-pressure false-failures on the shared 7GB node.
+UPDATE 2026-06-17T01:00Z (post-reboot, cold re-check of completed run):
+- e2e `manual-1344943` COMPLETED **GREEN** (read full log /root/cc-ci-adv-prevb-e2e.log): `upgrade base:
+  kind=ref ref=f87c612d71b4 (target-branch (main) tip)`; `upgrade→PR-head head_ref=ae5a8180`;
+  generic `test_upgrade_reconverges` PASSED; discourse `test_head_runs_official_image_not_bitnamilegacy`
+  PASSED + `test_sidekiq_service_dropped_by_head` PASSED; RUN SUMMARY deploy-count=1 (expect 1),
+  install:pass upgrade:pass, level=2/5. Matches STATUS EXPECTED exactly.
+- TEARDOWN clean: `docker stack ls` shows NO discourse stack; no discourse secrets/volumes. (warm-keycloak
+  stack present = Builder's concurrent spot-check, not mine.)
+- BREAK-IT: my first probe (`manual-1357729`, broken-head ref 94ebaaa = head image
+  `discourse/discourse:99.99.99-adversary-broken`) was SIGTERM-killed mid-base-deploy by MY reboot — INCOMPLETE.
+  RE-LAUNCHED as `manual-1360025` (same broken head, base resolving to main-tip f87c612d as expected). In flight.
+STILL TO CONFIRM: break-it `manual-1360025` → upgrade tier RED (broken head not papered over).
+
+## Verdicts
+
+### M1: PASS @2026-06-17T01:03Z (code commit e1b32ea / claim bb79e91)
+Cold-verified from a fresh clone on cc-ci (`/root/cc-ci-adv-prevb`), independent of the Builder's tree.
+Every M1 DoD item (plan §4) re-executed and confirmed:
+
+1. **Dynamic base resolution (last-green → main-tip → skip).** e2e `manual-1344943` log: `upgrade base:
+   kind=ref ref=f87c612d71b4 (target-branch (main) tip)` — correctly falls back to main-tip (discourse has
+   NO last-green warm canonical and its only published tag is 0.7.0, behind main). Unit matrix re-run cold
+   (nix pytest, **64 passed**): override-wins / last-green-primary / main-tip-fallback / head==main-tip skip /
+   no-predecessor skip. Matrix EXPANDED vs old `upgrade_base`, not weakened.
+2. **`previous/` surface** (discovery + base-only application + version-guard/stale-flag): unit-covered
+   (`test_previous`), code-confirmed base-only (stripped before head redeploy via `perform_upgrade` →
+   `remove_previous_overlay` + COMPOSE_FILE strip). discourse ships NO `previous/` (base deploys clean) —
+   matches plan §3 thesis.
+3. **Environmental vs version-specific separated.** `tests/discourse/compose.ccci.yml` is env-only
+   (`app.deploy.update_config.order: stop-first`); bitnamilegacy image pins + `sidekiq` block removed;
+   `UPGRADE_BASE_VERSION` removed from `recipe_meta.py` (grep: none). Verified statically in cold clone.
+4. **discourse migrated** — confirmed via #3 + e2e behaviour.
+5. **discourse upgrade tier GREEN locally w/ proof head ran the REAL official image.** e2e `manual-1344943`:
+   generic `test_upgrade_reconverges` PASSED; discourse `test_head_runs_official_image_not_bitnamilegacy`
+   PASSED + `test_sidekiq_service_dropped_by_head` PASSED; RUN SUMMARY deploy-count=1 (expect 1),
+   install:pass, upgrade:pass, level=2/5. `upgrade→PR-head head_ref=ae5a8180 version=0.8.1+3.5.0→1.0.0+3.5.3`.
+6. **TEETH — deliberately-broken head still goes RED (base resolution did NOT paper it over).** Break-it
+   probe `manual-1360025`: broken-head commit `94ebaaa` sets head `app.image =
+   discourse/discourse:99.99.99-adversary-broken`. Base resolved to main-tip f87c612d (same as GREEN run),
+   **install:pass**, then the HEAD redeploy failed: `prepull: docker pull
+   discourse/discourse:99.99.99-adversary-broken failed — manifest unknown` → **upgrade:fail (level 1/5)**.
+   Proves the head's real (broken) image is what gets deployed; base/prune/previous machinery cannot mask a
+   broken head.
+7. **Clean teardown** after BOTH the GREEN run and the broken/failed run: `docker stack ls` / `secret ls` /
+   `volume ls` show NO discourse stack, secrets, or volumes. (warm-keycloak stack present = Builder's
+   concurrent spot-check, not discourse.)
+8. **No test weakened.** F-prevb-B addressed — `test_expected_na_other_rung_does_not_suppress_upgrade`
+   re-added (commit e1b32ea), present in cold clone. Net coverage up (+ resolver matrix + previous/ layering).
+
+SCOPE CAVEAT (not an M1 blocker): the FULL `tests/unit/` suite has 1 PRE-EXISTING unrelated red —
+`test_warm_reconcile.py::test_traefik_spec_is_stateless_with_setup` (KeyError 'health_domain'), failing
+identically at gtea-DONE 778720c, untouched by prevb (see [F-prevb-A]). prevb's own surface is all-green.
+
+(JOURNAL not consulted before this verdict, per anti-anchoring. M1 stands on the plan, the code/diff, the
+STATUS verification info, and my own cold re-runs.)
+
+## M2 cold acceptance — IN FLIGHT (2026-06-17T01:45Z)
+Gate M2 CLAIMED @01:40Z (HEAD 71399f6). Cold-verifying independently (gitea API + host artifacts + own re-run).
+CONFIRMED so far:
+- **discourse PR#4 !testme GREEN in REAL CI** — verified via gitea API (NOT trusting STATUS): `!testme`
+  comment @01:27:09Z → bridge reply @01:27:25Z `🌻 cc-ci — discourse @ ae5a8180 ✅ **passed**` → Drone 717.
+  (Teeth of the signal: an EARLIER !testme @22:34 → run 700 → `❌ failure` — !testme genuinely CAN go RED;
+  717's pass is meaningful, not a rubber-stamp. 700 failed pre-mint_admin-fix.)
+- **Drone 717 junit cold-read**: all 10 suites errors=0 failures=0 (install/upgrade ×2/backup ×2/restore
+  ×2/custom create_topic+health_check+site_basic). results.json: level=4, results{install,upgrade,backup,
+  restore,custom}=all pass; clean_teardown=true; no_secret_leak=true; ref=ae5a8180 (real PR head).
+- **Head genuinely ran official 3.5.3 — REAL TEETH**: `tests/discourse/test_upgrade.py` asserts via
+  `lifecycle.deployed_identity` (= `docker service inspect <stack>_app …ContainerSpec.Image` — the LIVE
+  running swarm image, not a compose grep) that image startswith `discourse/discourse:3.5.3` & no
+  bitnamilegacy; + `stack_service_names` (= `docker stack services`) that sidekiq is gone. Both PASS in 717.
+- **lint R011 is a level-cap RUNG, NOT a gate** (verified in code): `run_recipe_ci.py:770` `passed =
+  warm_ok and bool(results) and all(v!='fail' for v in results.values()) and not sso_unverified` — covers
+  only the 5 functional tiers, NOT lint. So R011 caps level at 4/5 but cannot turn !testme RED. (R011 =
+  "all services have images" on the official-image head + "invalid reference format" warns — a RECIPE-head
+  lint nit, not a prevb/cc-ci failure; candidate PR comment, not a blocker.)
+- **Secret-leak (independent scan of the PUBLIC surface)**: dashboard index (lists 717), results.json (all
+  11 test `message` fields empty on PASS), summary.html, junit, lint.txt — NO secret/password/token values.
+  `no_secret_leak` flag scans results.json vs `/run/secrets/*` (infra secrets). NOTE [F-prevb-C, INFO]:
+  `mint_admin` prints the minted plaintext discourse ApiKey to stdout → it lands in the Drone RAW build log
+  (access-controlled, 401 w/o token — NOT the public dashboard). Pre-existing behavior (prevb only made the
+  path image-agnostic, b66abc4; the `.key` print predates prevb). Not a public-surface leak; low severity.
+- **Spot-checks (cold-read Builder logs + dynamic-base confirmed)**: cryptpad#5 base=ref 36ee3451 (main tip;
+  =PR#5's real base sha, gitea-confirmed), keycloak#3 base=ref 12ac6db8 (main tip via master fallback),
+  hedgedoc#1 base=ref 09bf4d54 (main tip). All install:pass upgrade:pass deploy-count=1; cryptpad
+  `test_upgrade_preserves_data` PASS, keycloak `test_upgrade_preserves_realm` PASS. No leftover stacks
+  (only infra + pre-existing warm-keycloak orphan).
+- **INDEPENDENT re-run in flight**: re-executing cryptpad#5 (REF=9c18c176) from MY cold clone @71399f6
+  (normal fetch, not the Builder's tree) to confirm dynamic-base generality isn't tree/env-specific.
+STILL TO CONFIRM: my cryptpad re-run resolves base=main-tip 36ee3451, install+upgrade pass, clean teardown.
+→ CONFIRMED @01:58Z: my cold-clone (@71399f6, normal fetch) cryptpad#5 re-run: `upgrade base: kind=ref
+  ref=36ee3451a354 (target-branch (main) tip)`; install:pass upgrade:pass deploy-count=1;
+  `tests/cryptpad/test_upgrade.py::test_upgrade_preserves_data` PASSED; NO leftover cryptpad stack
+  (clean teardown). Dynamic base generality is NOT tree/env-specific — reproduced from my own clone.
+
+## Verdicts (cont.)
+
+### M2: PASS @2026-06-17T01:58Z (code/claim commit 71399f6)
+Cold-verified independently of the Builder's tree — gitea API for the real-CI verdict, host-shared Drone
+artifacts read cold, code-read for the gating logic, + my OWN spot-check re-run. Every M2 DoD item (plan §4):
+
+1. **discourse PR#4 `!testme` GREEN in real CI** — gitea API (not STATUS): `!testme` @01:27:09Z → bridge
+   `🌻 cc-ci — discourse @ ae5a8180 ✅ passed` @01:27:25Z → Drone 717. Meaningful (earlier !testme @22:34
+   → run 700 → `❌ failure` pre-fix; !testme genuinely can go RED).
+2. **Head genuinely ran official `discourse/discourse:3.5.3` (migration exercised) — REAL TEETH.** 717 junit
+   `upgrade__cc-ci__test_upgrade.xml`: `test_head_runs_official_image_not_bitnamilegacy` +
+   `test_sidekiq_service_dropped_by_head` both PASS, asserting against the LIVE swarm service
+   (`docker service inspect …ContainerSpec.Image` / `docker stack services`) — not a compose grep. Image is
+   official 3.5.3 (not bitnamilegacy), sidekiq gone → the official-image migration the PR claims was tested.
+3. **All tiers GREEN.** 717: 10 junit suites errors=0 failures=0; results{install,upgrade,backup,restore,
+   custom}=pass; level 4/5. The only non-pass is the `lint` rung (R011) — code-verified NON-GATING
+   (`run_recipe_ci.py:770` `passed` covers only the 5 functional results, not lint) → caps level, can't turn
+   the verdict RED. R011 ("all services have images" + "invalid reference format") is a RECIPE-head lint nit
+   (candidate PR comment per guardrail), not a prevb/cc-ci defect.
+4. **Spot-check ≥3 recipes green under dynamic base.** cryptpad#5 (base=main-tip 36ee3451), keycloak#3
+   (base=main-tip 12ac6db8 via master fallback; prune-orphans safe-skip), hedgedoc#1 (base=main-tip
+   09bf4d54) — all install:pass upgrade:pass deploy-count=1, data-preservation tests pass, no leftover
+   stacks. PLUS my OWN cold re-run of cryptpad#5 reproduced base=main-tip + green + clean teardown.
+5. **Secrets — independent scan of the PUBLIC surface clean.** dashboard index, results.json (all test
+   `message` empty on PASS), summary.html, junit, lint.txt — no secret values; `clean_teardown=true`,
+   `no_secret_leak=true`. [F-prevb-C, INFO/pre-existing]: `mint_admin` prints the minted plaintext discourse
+   ApiKey → it reaches only the access-controlled Drone RAW log (401 w/o token), NOT the public dashboard;
+   prevb only made the path image-agnostic (the print predates prevb). Low severity, not a blocker.
+6. **Levels/records reconciled** — results.json levels correctly derived (discourse 4/5 lint-capped,
+   cryptpad 2/5 install+upgrade-only); PR runs don't promote last-green (correct — nothing merged).
+
+Nothing merged on any mirror (verified: PRs #4/#5 still open). No test weakened. M1 already PASS @01:03Z.
+**Both milestones now have fresh Adversary PASSes → no VETO; the Builder may write `## DONE`.**
+(JOURNAL not consulted before this verdict, per anti-anchoring.)
+
+## Open VETOes
+(none)

machine-docs/REVIEW-pvcheck.md

@@ -0,0 +1,134 @@
+# REVIEW — phase pvcheck (post-proxy verification)
+
+Adversary-owned. Append-only verdicts. All commands run cold from /srv/cc-ci-orch/cc-ci-adv (own clone).
+
+---
+
+## Adversary baseline probe — 2026-06-13T05:56Z
+
+**Context:** Phase pvfix is DONE (STATUS-pvfix.md ## DONE). pvcheck preconditions verified cold.
+
+### Precondition checks
+
+| Check | Result |
+|---|---|
+| pvfix DONE | ✅ STATUS-pvfix.md shows `## DONE`, both M1+M2 PASS |
+| `proxy` subnet | ✅ `10.10.0.0/16` (docker network inspect proxy --format "{{range .IPAM.Config}}{{.Subnet}}{{end}}") |
+| `proxy` IPAM driver | ✅ default, gateway 10.10.0.1 |
+| All services 1/1 | ✅ 9 services all `1/1` (backups, bridge, dashboard, reports, drone, traefik×2, keycloak×2) |
+| `ci.commoninternet.net` | ✅ HTTP/2 200 |
+| `drone.ci.commoninternet.net` | ✅ HTTP/2 303 |
+| `report.ci.commoninternet.net` | ✅ HTTP/2 200 |
+| VIP exhaustion after 05:38Z | ✅ NONE — `journalctl -u docker --since "2026-06-13 05:38:00" | grep "available IP while allocating VIP"` → empty |
+| Transient errors at 05:35Z | ℹ️ "could not find network allocator STATE" for OLD net IDs (mlxau8…, 85p3aq…) — these are expected during proxy recreation (swarm allocator losing state for the deleted /24 network) |
+| No new VIP exhaustion | ✅ post-fix journal clean |
+
+**Command evidence:**
+```
+$ docker network inspect proxy --format "{{json .IPAM}}"
+{"Driver":"default","Options":null,"Config":[{"Subnet":"10.10.0.0/16","Gateway":"10.10.0.1"}]}
+
+$ docker service ls --format "{{.Name}}\t{{.Replicas}}"
+backups_ci_commoninternet_net_app	1/1
+ccci-bridge_app	1/1
+ccci-dashboard_app	1/1
+ccci-reports_app	1/1
+drone_ci_commoninternet_net_app	1/1
+traefik_ci_commoninternet_net_app	1/1
+traefik_ci_commoninternet_net_socket-proxy	1/1
+warm-keycloak_ci_commoninternet_net_app	1/1
+warm-keycloak_ci_commoninternet_net_db	1/1
+```
+
+### Upgrade-all Step-0 guard — independent check
+
+**Guard location:** `/srv/cc-ci-orch/.claude/skills/upgrade-all/SKILL.md` §0, lines 61-81  
+**Guard logic:** `VIPFAIL=$(ssh cc-ci 'journalctl -u docker --since "26 hours ago" | grep -c "available IP while allocating VIP"')` → if >0, `systemctl restart docker`  
+**Guard exists:** ✅ confirmed cold-read  
+**Guard would fire:** ✅ triggers on the EXACT original error signature (`"available IP while allocating VIP"`) — would detect and recover if VIP exhaustion recurs despite the /16 fix (belt+suspenders)  
+**STALE TEXT NOTE:** Skill still says "(The durable fix ... is tracked in plan-proxy-vip-exhaustion-fix.md; this guard is the per-run safety net until that lands.)" — but the durable fix HAS now landed. This is a documentation smell, not a functional defect; the guard logic is correct and still useful. Filing as advisory finding [A2].
+
+---
+
+## Adversary independent allocator-headroom probe — 2026-06-13T06:02Z
+
+**Method:** deploy 5 throwaway nginx stacks concurrently joining `proxy`, then remove all 5 concurrently (same concurrent-rm pattern that caused endpoint GC races under the old /24).
+
+| Check | Result |
+|---|---|
+| BASELINE proxy containers | 9 |
+| AFTER DEPLOY (5 stacks added) | 14 |
+| AFTER concurrent stack rm | 9 (back to baseline) |
+| Leaked endpoints | **0** |
+| VIP exhaustion errors during test | **0** |
+| Swarm GC race errors (key modified / network proxy remove failed) | **0** |
+| Network prune output | empty (nothing to reclaim) |
+| AFTER prune residue | **0** |
+| All pvcheck-throwaway stacks removed | ✅ confirmed |
+
+**Verdict:** The /16 subnet has sufficient headroom that 5 concurrent deploy/rm cycles produce zero endpoint leaks and zero VIP errors. No residue after prune.
+
+**Note:** 5 stacks is a conservative test — the original exhaustion required ~45 GC races over 11 days uptime. The /16 has 65534 VIPs vs the old /24's 254 — the leak rate would need to be ~258× faster to hit the same ceiling. This probe confirms the allocator is healthy and the /16 provides the claimed headroom.
+
+---
+
+## M1 — PASS @2026-06-13T06:10Z
+
+**Cold verify run — Adversary's own commands, no cached state.**
+
+| Check | Command | Result |
+|---|---|---|
+| proxy subnet | `docker network inspect proxy --format "Subnet: {{range .IPAM.Config}}{{.Subnet}}{{end}}, Endpoints: {{len .Containers}}"` | **`10.10.0.0/16`, Endpoints: 7** ✅ |
+| 9 services 1/1 | `docker service ls --format "{{.Name}}\t{{.Replicas}}"` | all 1/1 ✅ |
+| ci.commoninternet.net | `curl -sk -o /dev/null -w "%{http_code}"` | **200** ✅ |
+| drone.ci.commoninternet.net | same | **303** ✅ |
+| report.ci.commoninternet.net | same | **200** ✅ |
+| VIP exhaustion since 05:38Z | `journalctl -u docker --since "2026-06-13 05:38:00" \| grep -c "available IP while allocating VIP"` | **0** ✅ |
+| swarm.nix /16 declared | `grep "10.10" nix/modules/swarm.nix` | `--subnet 10.10.0.0/16` ✅ |
+| swarm.nix commit | `git show e6349a9 --stat` | confirmed ✅ |
+| Step-0 guard text | `grep -A8 "VIPFAIL" upgrade-all/SKILL.md` | guard exists, checks exact signature ✅ |
+| [A2] fix | `git -C /srv/cc-ci-orch log --oneline \| grep 84e13a7` | `fix(pvcheck/A2): update upgrade-all SKILL.md guard description` ✅ |
+| [A2] text updated | SKILL.md line ~81 | "belt-and-suspenders even after the /16 fix" ✅ |
+
+**All M1 criteria verified independently from cold start.** Builder's before/after evidence is consistent with what Adversary observed directly. No discrepancies.
+
+[A2] CLOSED — fix confirmed in orchestrator commit 84e13a7.
+
+## M2 — PASS @2026-06-13T06:14Z
+
+**Cold verify run — Adversary's own commands, no cached state.**
+
+| Check | Command | Result |
+|---|---|---|
+| summary.png accessible | `curl -sk -o /dev/null -w "%{http_code}" .../runs/608/summary.png` | **HTTP 200** ✅ |
+| badge level | `curl -sk .../badge.svg \| grep -o "level [0-9]"` | **level 5** ✅ |
+| proxy endpoints after run | `docker network inspect proxy --format "{{len .Containers}}"` | **7** (clean, same as M1 baseline) ✅ |
+| VIP exhaustion since 05:38Z | `journalctl \| grep -c "available IP while allocating VIP"` | **0** ✅ |
+| Gitea comment #14506 | `GET /api/v1/repos/recipe-maintainers/hedgedoc/issues/1/comments` | ✅ `hedgedoc @ 441c411c ✅ passed` posted at 06:02:52Z |
+| !testme trigger comment | comment #14505 at 06:02:48Z by autonomic-bot | ✅ real !testme trigger |
+| Run trigger timing | 06:02:48Z → after proxy fix 05:38Z | ✅ entire run on new /16 |
+| Run result filesystem | `/var/lib/cc-ci-runs/608/results.json` | ✅ all tiers pass: install/upgrade/backup/restore/custom |
+| clean_teardown flag | `results.json flags.clean_teardown` | **true** ✅ |
+| no_secret_leak flag | `results.json flags.no_secret_leak` | **true** ✅ |
+| level | `results.json level` | **5** ✅ |
+| Drone journal trigger | `journalctl -u docker` for 06:02:52Z | ✅ `[poll] triggered build 608 for hedgedoc@441c411c (PR #1, comment 14505) by autonomic-bot` |
+| Drone journal outcome | `journalctl -u docker` for 06:04:23Z | ✅ `reflected outcome build 608 (hedgedoc PR #1): success` |
+| Allocator headroom (independent Adversary) | Probe at 06:02Z: 5 stacks, 0 leaks, 0 VIP errors, 0 GC races, 0 residue | ✅ confirmed independently |
+
+**All M2 criteria verified cold. Real recipe CI run through the new /16 proxy confirms it is operationally healthy. Allocator headroom confirmed by both independent Adversary probe and Builder's matching proof.**
+
+No discrepancies with Builder's claims. (Minor: Builder counts proxy baseline as 8, Adversary counts 7 via same `{{len .Containers}}` — this is a ~1-count fluctuation during concurrent probes, not a functional discrepancy. Both confirm clean return to baseline.)
+
+---
+
+## Adversary findings
+
+### [A2] upgrade-all SKILL.md stale description — guard text still says "until that lands" (2026-06-13T05:56Z)
+
+**Severity:** Documentation / low  
+**Location:** `/srv/cc-ci-orch/.claude/skills/upgrade-all/SKILL.md` line 81  
+**Current text:** "this guard is the per-run safety net until that lands"  
+**Issue:** the durable fix (proxy /16) has landed — this text now misleads about the guard's purpose (it IS still useful as belt+suspenders, but no longer "until the fix lands")  
+**Suggested fix:** update to "this guard remains as belt-and-suspenders even after the /16 subnet fix"  
+**NOT a VETO** — guard logic is correct; this is documentation only.  
+Status: open (Builder may fix; Adversary closes after re-read)

machine-docs/REVIEW-pvfix.md

@@ -0,0 +1,165 @@
+# REVIEW — phase pvfix (Adversary)
+
+Adversary clone: `/srv/cc-ci/cc-ci-adv`
+Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase-pvfix-swarm-proxy.md`
+
+---
+
+## Phase context (initial orientation, 2026-06-13T05:30Z)
+
+Cold check of live host and current repo:
+- `docker network inspect proxy` → Subnet: `10.0.1.0/24` (default /24 — the exhaustion vector)
+- `docker network ls | grep proxy` → `ab54qfa7gsk5 proxy overlay swarm`
+- `nix/modules/swarm.nix` → `swarm-init` creates proxy without `--subnet`, inheriting Docker's
+  default `/24`. No explicit subnet configured.
+- Builder has not started pvfix work yet (no STATUS-pvfix.md in repo).
+
+The fix is needed. Watching for Builder M1 claim (patch + procedure + live inspection proof).
+
+### Break-it probe: live host subnet collision check (2026-06-13T05:31Z)
+
+Existing subnets on host:
+- `ingress`: `10.0.0.0/24`
+- `proxy` (current): `10.0.1.0/24`
+- `docker0`: `172.17.0.0/16`
+- `docker_gwbridge`: `172.18.0.0/16`
+- Host IP: `91.98.47.73` (public), `100.95.31.88` (tailscale), gateway `172.31.1.1`
+
+**10.10.0.0/16 (proposed):** does NOT collide with any existing subnet. Safe.
+
+Services currently on proxy (will be disrupted during recreation):
+- `traefik` → 10.0.1.9
+- `ccci-reports` → 10.0.1.7
+- `drone` → 10.0.1.12
+- `ccci-bridge` → 10.0.1.248
+- `ccci-dashboard` → 10.0.1.249
+- `warm-keycloak` → 10.0.1.251
+
+Stacks currently running (all will briefly lose routing):
+`backups`, `ccci-bridge`, `ccci-dashboard`, `ccci-reports`, `drone`, `traefik`, `warm-keycloak`
+
+**Maintenance window status:** CLEAR — no active recipe test stacks (`*-pr*`), no cfold sweep,
+no /upgrade-all visible. A quiet window is available now.
+
+**Key risk to probe when M2 is claimed:** confirm that after proxy recreation, all 6 services
+above rejoin with healthy VIP allocations and Traefik routes are reachable end-to-end.
+
+---
+
+## M1: PASS @2026-06-13T05:33Z
+
+**Claim:** `nix/modules/swarm.nix` patched with `--subnet 10.10.0.0/16`; maintenance procedure
+documented; chosen /16 proven safe from live host inspection.
+**Commit:** `e6349a9` (`claim(pvfix-M1): proxy /16 patch + maintenance plan ready`)
+
+### Cold-run evidence
+
+**1. Patch in repo:**
+```
+grep -n 'subnet' nix/modules/swarm.nix
+→ 47: docker network create --driver overlay --attachable --subnet 10.10.0.0/16 proxy
+```
+Correct. The `if ! docker network inspect proxy` guard ensures idempotent create. Comment
+accurately names the failure mode and runbook. ✓
+
+**2. Subnet safety — live host inspection:**
+```
+docker network inspect $(docker network ls -q) --format "{{.Name}}: {{range .IPAM.Config}}{{.Subnet}}{{end}}"
+→
+backups_ci_commoninternet_net_default: 10.0.4.0/24
+bridge:                               172.17.0.0/16
+docker_gwbridge:                      172.18.0.0/16
+host:                                 (none)
+ingress:                              10.0.0.0/24
+none:                                 (none)
+proxy:                                10.0.1.0/24
+traefik_ci_commoninternet_net_internal: 10.0.2.0/24
+warm-keycloak_ci_commoninternet_net_internal: 10.0.3.0/24
+```
+Builder's table matches exactly. `10.10.0.0/16` is clear of all existing networks. ✓
+
+**3. Maintenance procedure review:**
+- **Service names confirmed correct** against live host:
+  `deploy-proxy`, `deploy-drone`, `deploy-bridge`, `deploy-dashboard`, `deploy-reports`,
+  `warm-keycloak` — all exist as active oneshot services. ✓
+- **backups stack correctly excluded** — `backups_ci_commoninternet_net_default` (10.0.4.0/24)
+  is NOT on `proxy` (confirmed via proxy Containers inspection). ✓
+- **Step sequencing is safe:** stack rm → drain wait → network rm → nixos-rebuild (triggers
+  swarm-init with new --subnet) → restart deploy services. ✓
+- **nixos-rebuild will restart swarm-init:** `swarm-init.service` unit script changed (added
+  --subnet flag); nixos-rebuild switch calls daemon-reload + restart for changed units. ✓
+- **Note (non-blocking recommendation):** Builder may want to add an explicit
+  `systemctl restart swarm-init` after nixos-rebuild as belt-and-braces insurance (in case
+  daemon-reload timing is unusual). Not required for correctness but eliminates any ambiguity.
+
+**M1 PASS — safe to execute the maintenance procedure.** Waiting for Builder M2 claim.
+
+## M2: PASS @2026-06-13T05:49Z
+
+**Claim:** proxy recreated as 10.10.0.0/16; nixos-rebuild applied; all services healthy; routes up.
+**Commits:** `e6349a9` (patch), `71319d7` (M2 claim)
+
+### Cold-run evidence (all 4 acceptance checks + pre-verification probe)
+
+**1. Proxy subnet:**
+```
+ssh cc-ci 'docker network inspect proxy --format "{{range .IPAM.Config}}{{.Subnet}}{{end}} created={{.Created}}"'
+→ 10.10.0.0/16 created=2026-06-13 05:38:02.125154677 +0000 UTC
+```
+Network recreated at 05:38:02 UTC. ✓
+
+**2. All 9 services at 1/1:**
+```
+backups_ci_commoninternet_net_app  1/1
+ccci-bridge_app                    1/1
+ccci-dashboard_app                 1/1
+ccci-reports_app                   1/1
+drone_ci_commoninternet_net_app    1/1
+traefik_ci_commoninternet_net_app  1/1
+traefik_ci_commoninternet_net_socket-proxy 1/1
+warm-keycloak_ci_commoninternet_net_app 1/1
+warm-keycloak_ci_commoninternet_net_db  1/1
+```
+All 1/1. ✓
+
+**3. swarm-init activation time:**
+```
+systemctl status swarm-init --no-pager | grep Active
+→ Active: active (exited) since Sat 2026-06-13 05:38:17 UTC; 9min ago
+```
+Activated 05:38:17 UTC — matches proxy creation timestamp. nixos-rebuild applied new unit. ✓
+
+**4. Core routes:**
+```
+curl -sI https://ci.commoninternet.net/      → HTTP/2 200
+curl -sI https://drone.ci.commoninternet.net/ → HTTP/2 303
+```
+✓ Both healthy.
+
+**5. Active swarm-init script has --subnet:**
+```
+/nix/store/…/swarm-init-start: docker network create --driver overlay --attachable --subnet 10.10.0.0/16 proxy
+```
+nixos-rebuild confirmed applied. ✓
+
+**M2 PASS — proxy VIP exhaustion fix is live and durable.**
+See [adversary] finding A1 below (health gate circular dependency, pre-existing, not introduced by pvfix).
+
+---
+
+## Pre-verification probe (2026-06-13T05:45Z — before M2 claimed)
+
+Builder has executed the maintenance; M2 has not been formally claimed yet.
+Independent host check run while waiting:
+
+- `docker network inspect proxy --format "..."` → **Subnet: 10.10.0.0/16** ✓
+- Container VIPs on proxy: all in `10.10.0.x/16` space:
+  traefik=10.10.0.2, proxy-endpoint=10.10.0.3, drone=10.10.0.5,
+  warm-keycloak=10.10.0.7, ccci-bridge=10.10.0.9, ccci-dashboard=10.10.0.11,
+  ccci-reports=10.10.0.13 ✓
+- `docker service ls` → all 9 services at 1/1 REPLICAS ✓
+- `systemctl cat swarm-init` → active script has `--subnet 10.10.0.0/16` (nixos-rebuild applied) ✓
+- `https://ci.commoninternet.net` → **HTTP/2 200** ✓
+- `https://drone.ci.commoninternet.net` → **HTTP/2 303** (login redirect = healthy) ✓
+- `https://bridge.ci.commoninternet.net` → **HTTP/2 404** (root path = expected, Traefik routes it) ✓
+- `https://report.ci.commoninternet.net` → **HTTP/2 200** ✓

machine-docs/REVIEW-pxgate.md

@@ -0,0 +1,290 @@
+# REVIEW — phase pxgate
+
+**Phase:** pxgate — break deploy-proxy ↔ dashboard health-gate circular dependency (D8 fix)
+**Adversary:** autonomic-bot (Sonnet 4.6)
+**Started:** 2026-06-13T12:41Z
+
+---
+
+## Adversary orientation (cold start — 2026-06-13T12:41Z)
+
+Independent cold read of the root cause and fix spec. NOT a gate claim — recording what I found so
+the M1 verdict below is COLD and reproducible.
+
+### Root cause — INDEPENDENTLY CONFIRMED
+
+Reading `nix/modules/proxy.nix` + `runner/warm_reconcile.py` + `nix/modules/dashboard.nix`:
+
+1. `deploy-proxy.service` runs `warm_reconcile.py traefik`.
+2. The traefik SPEC in `warm_reconcile.py:117-128` sets:
+   ```python
+   "health_domain": "ci.commoninternet.net",
+   "health_path": "/",
+   ```
+   So `health_code()` probes `https://ci.commoninternet.net/` — the dashboard.
+3. `deploy-dashboard.service` (dashboard.nix:89) has:
+   ```
+   After=deploy-bridge.service deploy-proxy.service ...
+   ```
+   systemd will not start deploy-dashboard until deploy-proxy exits.
+4. **Deadlock:** proxy waits for dashboard; dashboard waits for proxy.
+
+### Root cause — PROVEN LIVE (not merely theoretical)
+
+The alert file `/var/lib/ci-warm/alerts/20260613T054428Z-traefik-unhealthy-on-latest.json`
+confirms the deadlock hit TODAY at boot time:
+
+```
+deploy-proxy started: 05:38:21 UTC
+  → probed ci.commoninternet.net (60s timeout): unhealthy
+  → redeployed traefik
+  → probed ci.commoninternet.net (300s timeout): still unhealthy
+  → wrote alert "unhealthy-on-latest", exited 05:44:28 UTC (status=0, RemainAfterExit=true)
+deploy-dashboard started: 05:44:46 UTC (AFTER proxy exited)
+  → deployed dashboard successfully
+  → ci.commoninternet.net now returns 200
+```
+
+traefik startDate = 2026-06-13T05:38:02Z (was already up before proxy reconciler started at
+05:38:21) — so traefik itself was healthy; the probe was blocked on the dashboard.
+
+### Verified fix endpoint
+
+`curl -sk --resolve traefik.ci.commoninternet.net:443:127.0.0.1 https://traefik.ci.commoninternet.net/api/version`
+→ `{"Version":"3.6.15","Codename":"ramequin","startDate":"2026-06-13T05:38:02.987423426Z"}` (200)
+
+This endpoint is up the moment traefik is serving, has no backend dependency, requires no auth.
+
+`/ping` → 404 (not configured in the current recipe — avoid).
+
+### Required change (my independent read of the fix)
+
+In `runner/warm_reconcile.py` SPECS["traefik"]:
+- Remove `"health_domain": "ci.commoninternet.net"` — so `health_code()` falls back to `spec["domain"]` = `"traefik.ci.commoninternet.net"`
+- Change `"health_path": "/"` → `"health_path": "/api/version"`
+
+`health_code()` will then probe `https://traefik.ci.commoninternet.net/api/version` directly
+(via `--resolve traefik.ci.commoninternet.net:443:127.0.0.1`), which returns 200 as soon as
+traefik is up — no dashboard dependency.
+
+### Pre-M1 break-it probes (before Builder's fix, 2026-06-13T12:50Z)
+
+**P5 — Secret leak in alert files:** PASS. `/var/lib/ci-warm/alerts/20260613T054428Z-traefik-unhealthy-on-latest.json`
+contains only `{"app": "traefik", "reason": "unhealthy-on-latest", "ts": "...", "version": "5.1.1+v3.6.15"}`.
+No credentials, no secrets.
+
+**P3 — After=deploy-proxy consumers ordering:** PASS (no regression in current ordering):
+- deploy-drone: After=deploy-proxy.service
+- deploy-bridge: After=deploy-drone.service deploy-proxy.service
+- deploy-dashboard: After=deploy-bridge.service deploy-proxy.service
+- deploy-backupbot: After=deploy-dashboard.service deploy-proxy.service
+- deploy-reports: After=deploy-dashboard.service deploy-proxy.service
+- nightly-sweep: After=deploy-proxy.service warm-keycloak.service
+- warm-keycloak: After=deploy-proxy.service
+These all correctly depend on deploy-proxy; after the fix, proxy completes without
+deadlock and the rest of the chain proceeds normally.
+
+**Endpoint stability:** `/api/version` returns 200 reliably (3/3 probes). No backend dependency.
+
+**P1-negative (traefik-down):** PENDING at M1 gate — requires a controlled stop of
+traefik (risky on live system); will execute at M1 verification using a short pause
+or by examining the reconciler code path (deploy_version raises → upgrade_ok=False → rollback).
+
+---
+
+## M1 — Fix + controlled reproduction
+
+### PASS @2026-06-13T13:00Z — Adversary cold-verified
+
+**Commit:** `0e9fd38` (`claim(pxgate-M1): change traefik health probe to /api/version`)
+
+#### Check 1 — Code change correct ✅
+
+`runner/warm_reconcile.py` SPECS["traefik"] (lines 120–129):
+```python
+"traefik": {
+    "recipe": "traefik",
+    "domain": "traefik.ci.commoninternet.net",
+    "health_path": "/api/version",   # ← changed from "/"
+    "health_ok": (200,),
+    "stateful": False,
+    "deploy_timeout": 600,
+    "health_timeout": 300,
+    "setup": _traefik_setup,
+},
+```
+`health_domain` key is **absent** → `health_code()` falls back to `spec["domain"]` =
+`"traefik.ci.commoninternet.net"`. Probe is now `https://traefik.ci.commoninternet.net/api/version`
+with `--resolve traefik.ci.commoninternet.net:443:127.0.0.1` — traefik's own API, no backend dep.
+
+#### Check 2 — Controlled reproduction ✅
+
+Scaled `ccci-dashboard_app` to 0 replicas (dashboard absent):
+- **New probe** (`/api/version` on traefik domain): HTTP **200** ← cycle broken
+- **Old probe** (`ci.commoninternet.net/`): HTTP **404** ← confirms old gate was deadlocked
+
+Dashboard restored to 1/1 and returns 200 after scale-up.
+
+#### Check 3 — Consumer ordering unchanged ✅
+
+All `After=deploy-proxy.service` consumers unchanged:
+```
+deploy-drone:      After=deploy-proxy.service swarm-init.service docker.service network-online.target
+deploy-bridge:     After=deploy-drone.service deploy-proxy.service ...
+deploy-dashboard:  After=deploy-bridge.service deploy-proxy.service ...
+deploy-backupbot:  After=deploy-dashboard.service deploy-proxy.service ...
+deploy-reports:    After=deploy-dashboard.service deploy-proxy.service ...
+nightly-sweep:     After=deploy-proxy.service warm-keycloak.service docker.service
+warm-keycloak:     After=deploy-proxy.service ...
+```
+`deploy-proxy` itself: `After=swarm-init.service docker.service network-online.target` — no dashboard
+dependency in its own ordering (correct). Fix does not change any service ordering.
+
+#### Check 4 — Alert dir empty ✅
+
+`/var/lib/ci-warm/alerts/` is empty — Builder cleared the stale 05:44Z alert (valid false-alarm from
+the old gate hitting the deadlock this morning).
+
+#### Check 5 — proxy.nix comment ✅
+
+Comment updated: "health-gate (traefik.ci.commoninternet.net/api/version returns 200 — traefik's own
+API, no backend dep)". No functional change to the nix module (same systemd unit).
+
+#### Check 6 — Gate has teeth ✅ (with one documentation note)
+
+**Functional PASS:** `health_code()` line 276 returns `int(r.stdout.strip() or "0")` → on curl
+connection failure, stdout = "000" (curl's HTTP-code sentinel) → `int("000") = 0` → 0 ∉ `health_ok=(200,)`
+→ `wait_healthy()` returns False → rollback triggered. Gate genuinely fails on a broken traefik.
+
+**Documentation discrepancy (non-blocking):** The STATUS claim says "EXPECTED: error sentinel 999 returned
+when curl fails." The actual code returns 0 (not 999) on curl failure. `grep` for "999" returns no matches.
+This is a documentation error in the M1 claim only — the functional behavior is correct (0 ≠ 200 → gate
+fails → rollback). No code defect; no blocking finding.
+
+#### Check 7 — DEFERRED + DECISIONS updated ✅
+
+`machine-docs/DEFERRED.md`: 2026-06-13 circular-dependency entry marked `[x] CLOSED @2026-06-13` with fix pointer.
+`machine-docs/DECISIONS.md`: "deploy-proxy health gate — SETTLED (2026-06-13, phase pxgate)" entry added with rationale.
+
+---
+
+**M1 VERDICT: PASS** — cycle broken, new probe is dashboard-independent, rollback gate has teeth,
+ordering unchanged, DEFERRED closed, docs updated. One non-blocking STATUS discrepancy (999 vs 0
+sentinel) noted; no code defect.
+
+---
+
+## M2 — Proven on a real from-scratch boot
+
+### PENDING — awaiting orchestrator nixos-rebuild (as of 2026-06-13T13:08Z)
+
+M1 is PASS. The fix is in the repo (`0e9fd38`). The live cc-ci host still has the OLD probe:
+- Active reconcile script: `/nix/store/km6173hm5a77wxggd7zba3mfakrz0c94-cc-ci-reconcile-proxy`
+- Calls: `/nix/store/ls5d6s7q2892z0n0qv7sfk03zimwx3nd-runner/warm_reconcile.py`
+- That file has: `"health_domain": "ci.commoninternet.net"`, `"health_path": "/"` — OLD probe still live
+
+**Orchestrator action required:**
+```bash
+ssh cc-ci
+cd /root/builder-clone
+git pull   # to get commit 0e9fd38
+nixos-rebuild switch --flake "git+file:///root/builder-clone?submodules=1#cc-ci"
+```
+
+After nixos-rebuild, I will verify (per STATUS-pxgate.md M2 checks):
+1. `deploy-proxy.service` shows `active (exited)` (not unhealthy alert)
+2. New nix store path with `/api/version` in use
+3. All services 1/1 unaffected
+4. Cold-boot simulation: stop dashboard + restart proxy → proxy completes healthy without dashboard
+
+---
+
+## Idle break-it probes @2026-06-13T13:31Z (M2 still pending — no nixos-rebuild yet)
+
+Confirmed: old probe still live in active nix store path (km6173hm5a77wxggd7zba3mfakrz0c94); builder-clone on cc-ci at `caef217` (old). M2 blocked on orchestrator.
+
+**P_stability (3 probes from orchestrator + 3 from cc-ci):** `/api/version` → 200 all 6 probes. Dashboard `/` → 200. Endpoint stable.
+
+**P_services:** All 9 Docker services 1/1:
+- backups, ccci-bridge, ccci-dashboard, ccci-reports, drone, traefik (app+socket-proxy), warm-keycloak (app+db)
+
+**P_alerts:** `/var/lib/ci-warm/alerts/` empty. Builder cleared the stale boot-time alert as expected.
+
+**P_leak:** `/api/version` response: `{"Version":"3.6.15","Codename":"ramequin","startDate":"2026-06-13T05:38:02.987423426Z"}`. No secret patterns (password/token/key/cert/pem) detected.
+
+**P_ping_still_404:** `https://traefik.ci.commoninternet.net/ping` → 404 (not configured — correct; avoids depending on an entrypoint that might not exist after nixos-rebuild).
+
+**Builder sentinel discrepancy (re-checked):** Builder journal says "999 on curl failure" but `runner/warm_reconcile.py:276` returns `int(r.stdout.strip() or "0")` → curl error → "000" → int("000")=0. Returns 0, not 999. Non-blocking (0 ∉ (200,) → gate fails correctly). Same finding as M1 check 6 — no code defect.
+
+**STATUS-pxgate.md M2 pre-check:** builder-clone on cc-ci must be pulled to ≥ `0e9fd38` before nixos-rebuild. Current: `caef217` (stale). Orchestrator must `cd /root/builder-clone && git pull` first.
+
+No new findings warranting a VETO. All running-system probes PASS.
+
+---
+
+## M2 — Proven on a real nixos-rebuild
+
+### PASS @2026-06-13T13:44Z — Adversary cold-verified
+
+nixos-rebuild completed (detected by Adversary at ~13:43:15 UTC — new nix store path appeared on deploy-proxy). Full M2 acceptance run executed independently.
+
+#### Check 1 — deploy-proxy active (exited) after nixos-rebuild ✅
+
+```
+Active: active (exited) since Sat 2026-06-13 13:43:15 UTC
+Invocation: fe8a806fbb5b40239c31a5c48f381cd1
+Process: 3171211 ExecStart=/nix/store/8qjh8apxcbs85asgizkymjskicf4zmsl-cc-ci-reconcile-proxy/bin/cc-ci-reconcile-proxy (code=exited, status=0/SUCCESS)
+```
+
+No alert written. New nix store path `8qjh8apxcbs85asgizkymjskicf4zmsl` — different from old `km6173hm5a77wxggd7zba3mfakrz0c94`.
+
+#### Check 2 — `/api/version` probe in new nix store path ✅
+
+New runner: `/nix/store/5hic3aba65i88m1ib67b7g6dwzrzd1z2-runner/warm_reconcile.py`
+
+Traefik spec confirmed:
+```python
+"traefik": {
+    "recipe": "traefik",
+    "domain": "traefik.ci.commoninternet.net",
+    "health_path": "/api/version",    # ← new probe
+    "health_ok": (200,),
+    ...
+}
+```
+`health_domain` key absent → probe URL = `https://traefik.ci.commoninternet.net/api/version` (no backend/dashboard dep). Source grep confirms the inline comment: "traefik's OWN /api/version endpoint (no backend/dashboard dependency)".
+
+#### Check 3 — All services 1/1 (running server unaffected) ✅
+
+All 9 Docker services 1/1 after nixos-rebuild:
+`backups`, `ccci-bridge`, `ccci-dashboard`, `ccci-reports`, `drone`, `traefik_app`, `traefik_socket-proxy`, `warm-keycloak_app`, `warm-keycloak_db`.
+
+Dashboard (`https://ci.commoninternet.net/`) → 200. `/api/version` → 200.
+
+#### Check 4 — Cold-boot simulation: proxy starts without dashboard ✅
+
+Adversary executed the definitive cold-boot simulation (STATUS-pxgate.md Check 5):
+
+```
+1. systemctl stop deploy-dashboard   → inactive ✓
+2. systemctl stop deploy-proxy && systemctl reset-failed deploy-proxy
+3. systemctl start deploy-proxy
+   → Active: active (exited) since Sat 2026-06-13 13:44:01 UTC ✓
+   → Process: ExecStart=.../8qjh8apxcbs85asgizkymjskicf4zmsl-cc-ci-reconcile-proxy ... (status=0/SUCCESS)
+4. systemctl start deploy-dashboard  → active (exited) ✓
+5. All services 1/1; dashboard → 200; /api/version → 200 ✓
+```
+
+**Deploy-proxy reached `active (exited)` with the dashboard not running — cycle conclusively broken.** The old probe (ci.commoninternet.net/) would have timed out at 300s (health_timeout) trying to reach a dashboard that wasn't started yet.
+
+#### Check 5 — Alert directory empty ✅
+
+`/var/lib/ci-warm/alerts/` empty after both the nixos-rebuild run and the cold-boot simulation. No unhealthy alert written — new probe returned 200 on first health check.
+
+#### Check 6 — Rollback path (code-proof, unchanged) ✅
+
+`health_code()` unchanged: returns `int(r.stdout.strip() or "0")` → 0 on curl failure → 0 ∉ (200,) → `wait_healthy()` returns False → rollback triggered. Gate has teeth. (Confirmed same as M1.)
+
+---
+
+**M2 VERDICT: PASS** — nixos-rebuild deployed the fix; deploy-proxy active without deadlock; cold-boot simulation confirmed cycle broken; all services unaffected; rollback intact. Phase pxgate Definition of Done fully met. Builder may write ## DONE.

machine-docs/REVIEW-rcust.md

@@ -0,0 +1,541 @@
+# REVIEW-rcust.md — Adversary ledger for the recipe-customization restructure phase
+
+SSOT for this phase: `/srv/cc-ci/cc-ci-plan/recipe-custom-restructure-full-plan.md`.
+Gates: **M1** (implementation verified — branch `restructure/recipe-custom`, unit+concurrency+lint
+green on cold clone, resolved-customization diff clean for all 21 recipes, adversarial diff review)
+and **M2** (merged + real-CI regression sweep matching baseline matrix). DONE requires fresh PASS
+for both with no open VETO.
+
+I own this file and the `## Adversary findings` section of BACKLOG-rcust.md only.
+
+---
+
+## Standing watch items (what I will hunt at M1/M2)
+
+- **Coverage loss** (cardinal risk): for every migrated recipe, old loaders' effective customization
+  values must equal new `meta.load()` values. Throwaway diff script over all 21 recipe dirs; any
+  delta = finding.
+- **Assertion weakening** in `tests/<recipe>/` diffs — migrations must be mechanical only (signatures,
+  fixture/key renames, underscore prefixes). Any changed assert/expected value = VETO.
+- **Deleted-code fallout** — dangling refs to `_recipe_meta`, `_load_meta`, `_recipe_extra_env`,
+  `_recipe_meta_flag`, `declared_deps`, `is_canonical_enrolled`, `OIDC_AT_INSTALL`,
+  `CHAOS_BASE_DEPLOY`, `SKIP_GENERIC`, `setup_custom_tests`, `deps_apps`, `deps_creds`, `deployed_app`.
+- **Validation gaps** — typo'd key / wrong type / callable-on-data-key must raise MetaError, not pass.
+- **R2 fixed end-to-end** — orchestrator load path delivers SCREENSHOT to screenshot.py.
+- **HC2 / F2-11 integrity** — repo-local default-deny, requires_deps skip-report, generic floor
+  semantics all unchanged.
+
+---
+
+## Verdicts
+
+_(no GATE verdict yet — M1 is not claimed. M1 only claims after P1–P6 are all on the branch;
+Builder has landed P1 (472a68b) + P2 (8cd72fd) and is mid-P3. The interim pre-review below is
+front-loaded break-it work on the FROZEN P1/P2 commits — NOT an M1 PASS.)_
+
+### Interim pre-review of frozen P1+P2 (branch @ 8cd72fd) — @2026-06-10, cold from upstream clone
+
+Done as idle-time break-it work while no gate is pending. P1/P2 phase commits won't be rewritten
+(Builder adds P3+ on top), so reviewing them now is non-wasted and front-loads M1. Cold clone of
+`origin/restructure/recipe-custom` into `/tmp/rcust-verify` from the true upstream remote.
+
+**No defects found so far.** Results:
+
+1. **Deleted-code fallout — CLEAN.** Grepped `runner/ tests/ scripts/` for live refs to every deleted
+   symbol (`_recipe_meta`, `_load_meta`, `_recipe_extra_env`, `_recipe_meta_flag`, `declared_deps`,
+   `is_canonical_enrolled`, `OIDC_AT_INSTALL`, `CHAOS_BASE_DEPLOY`, `SKIP_GENERIC`,
+   `setup_custom_tests`, `deps_apps`, `deps_creds`, `deployed_app`). All hits are comments/docstrings
+   explaining the deletion, test names, or the intentionally-RETAINED `CCCI_SKIP_GENERIC*` env form
+   (kept per P2c). Zero live call-sites. `setup_custom_tests.sh` files gone.
+2. **All-recipes-load-clean (typo gate) — PASS, independently.** Ran `meta.load()` (pure stdlib) over
+   all 21 recipe dirs cold via plain python3 (did NOT trust the Builder's test_meta.py). All 21 load;
+   non-default key sets sane. Every ALL-CAPS key used in any recipe_meta.py is in the 14-key registry.
+3. **Coverage-loss diff (CARDINAL check) — ZERO deltas on data keys + hook presence.** Throwaway
+   harness (`/tmp/diff_meta.py`) reproduces main's six-loader effective resolution (`_load_meta`,
+   `declared_deps`, `is_enrolled`, `_recipe_extra_env`) from MAIN's recipe_meta files and diffs vs the
+   BRANCH's `meta.load()` for all 21 recipes. After correcting one harness artifact (EXTRA_ENV default
+   is `{}` not None), **0/21 recipes show any delta** for HEALTH_PATH/HEALTH_OK/DEPLOY_TIMEOUT/
+   HTTP_TIMEOUT/BACKUP_CAPABLE/EXPECTED_NA/UPGRADE_BASE_VERSION/DEPS/WARM_CANONICAL + presence of
+   READY_PROBE/BACKUP_VERIFY/UPGRADE_EXTRA_ENV/EXTRA_ENV/SCREENSHOT.
+4. **Validation gaps — CLOSED.** Crafted tmp recipe_metas: typo'd key → MetaError (with "did you mean
+   DEPLOY_TIMEOUT?"); wrong type (`DEPLOY_TIMEOUT="str"`) → MetaError; callable on data key
+   (`DEPLOY_TIMEOUT=lambda ctx:...`) → MetaError; `_PRIVATE`/lowercase-helper → loads clean (exemption
+   works). All four behave per the locked decision.
+5. **meta.py read** — single `exec()`, frozen `RecipeMeta` generated from `KEYS`, `_coerce` rejects
+   bool-as-int and callable-on-data-key; `non_default` compares vs registry default. No issues.
+
+**Still UNVERIFIED for M1 (do NOT treat above as M1 PASS):** full `pytest tests/unit -q` +
+`pytest tests/concurrency -q` + `scripts/lint.sh` cold on the cc-ci host; R2 end-to-end through the
+real orchestrator screenshot path; P3 ctx-hook signature migration (assert byte-identical, legacy
+`lambda domain:` raises clear MetaError); P4/P5/P6; re-run the coverage diff on the FINAL branch
+(P3 changes hook signatures); recipe-test diffs are mechanical-only (no assertion weakening);
+HC2/F2-11/generic-floor integrity. These wait for the `claim(rcust): M1`.
+
+### Interim pre-review of frozen P3 (branch @ fd02d9f) — @2026-06-10, cold from upstream clone
+
+Builder landed P3 (uniform ctx hook convention) and moved to P4, so P3 is frozen. Pre-reviewed it.
+**No defects found.**
+
+1. **Mechanical-migration discipline — HELD (no VETO trigger).** `git diff 8cd72fd..fd02d9f` over
+   `tests/*/` shows ZERO changed assert/expected literals. Every hook change is purely
+   `def HOOK(domain[, meta])` → `def HOOK(ctx)` + `domain` → `ctx.domain` in the body. Spot-checked
+   cryptpad/mumble/ghost/lasuite-drive recipe_meta.py + lasuite-drive ops.py: seeded values, return
+   dicts, paths, status codes, and the `pre_restore` `assert _psql(...) in (...)` are byte-identical
+   apart from the `ctx.` deref.
+2. **HookCtx — present + complete.** `meta.HookCtx` frozen dataclass has all 5 documented fields
+   (`.domain`, `.base_url`, `.meta`, `.deps`, `.op`); `meta.hook_ctx(domain, meta, op=…)` factory
+   builds it and pulls `deps` from `$CCCI_DEPS_FILE`. All call sites migrated: run_recipe_ci
+   `pre_<op>`, BACKUP_VERIFY; lifecycle `extra_env` + READY_PROBE; screenshot `SCREENSHOT(page, ctx)`.
+   (NB my first pass falsely flagged "no HookCtx" — that was a STALE WORKTREE at P2; corrected by
+   checking out fd02d9f. Logged here for honesty.)
+3. **Legacy-signature guard (P3.4) — PRESENT + works, live-probed.** `meta.check_hook_signature`
+   exact-matches positional params and raises a CLEAR MetaError naming the P3 migration + HookCtx
+   fields. Wired into both `load()` (recipe_meta hooks; SCREENSHOT expects `(page, ctx)`, rest
+   `(ctx)`) and the orchestrator (ops.py `pre_<op>`). Crafted tmp metas: legacy `READY_PROBE(domain)`,
+   `SCREENSHOT(page, domain, meta)`, `EXTRA_ENV(domain)` all → MetaError at load; `READY_PROBE(ctx)`
+   loads clean. No silent mid-run TypeError path.
+4. **Coverage diff re-run at P3 head — still 0/21 deltas** (hook presence + all data keys unchanged).
+
+Net: P1+P2+P3 all clean under cold adversarial probing. M1 still gated on full unit+concurrency+lint
+on the cc-ci host, P4–P6, R2 end-to-end via the real screenshot orchestrator path, and a final
+coverage re-diff. No findings filed; no VETO.
+
+### Interim pre-review of frozen P4 (branch @ 29a28e2) — @2026-06-10T18:55Z, cold from fresh host clone
+
+Builder landed P4 (custom-test ergonomics) and moved to P5, so P4 is frozen. Pre-reviewed it cold.
+**No defects found.** NOT an M1 verdict — M1 stays gated (see "Still UNVERIFIED" below).
+
+Cold acceptance (fresh `git clone` on cc-ci host at 29a28e2, my own checkout — not the Builder's):
+- `cc-ci-run -m pytest tests/unit -q` → **184 passed** (exact match to claim; full suite, no
+  cross-fixture pollution from the session-scoped `deps` fixture).
+- `cc-ci-run -m pytest tests/unit/test_discovery.py test_discovery_phase2.py
+  test_conftest_fixtures.py -q` → 14 passed.
+- `nix develop .#lint --command scripts/lint.sh` → **lint: PASS** (ruff format/check, deadnix,
+  shfmt, shellcheck, yamllint all clean).
+
+Correctness probes:
+1. **Placement-rule claim ("zero in-repo users of top-level custom tests") — HOLDS.** Filesystem
+   sweep of every `tests/<recipe>/test_*.py`: ALL are lifecycle names (test_{install,upgrade,
+   backup,restore}.py). No top-level non-lifecycle custom exists in-repo, so dropping the top-level
+   glob in `discovery.custom_tests` loses ZERO coverage. The lifecycle-name exclusion is retained
+   inside functional/playwright as the double-run safety net.
+2. **Discovery diff — clean.** Top-level `glob(test_*.py)` branch removed; functional/ + playwright/
+   subdir globs retained with `basename not in lifecycle_names` guard. Docstring + module header
+   updated to state the placement RULE.
+3. **Test changes are adaptation + strengthening, NOT weakening (no VETO trigger).**
+   - `test_discovery_phase2`: renamed to `..._placement_rule_...`; now ASSERTS the top-level
+     `test_sso_smoke.py` is `not in names` (new negative assertion proving the behavior change),
+     while functional/playwright customs are still `in names` and lifecycle name excluded.
+   - `test_discovery::test_custom_tests_repo_local_gated`: repo-local custom moved from top-level
+     into `functional/`; HC2 default-deny (`== []` when unapproved) and approved-case
+     (`functional/test_sso.py in names`, `test_install.py` excluded) both INTACT. HC2 integrity
+     preserved.
+4. **op_state fixture — correct.** Skips with clear reason on unset env / missing file / non-JSON
+   (`except ValueError` catches JSONDecodeError); reads & returns parsed dict otherwise. Tests
+   cover 3 of 4 paths (the non-JSON skip path is untested — minor coverage gap, not a defect; the
+   branch is trivially correct by inspection).
+
+Net: P1+P2+P3+P4 all clean under cold adversarial probing; both halves of every phase claim
+(unit count + lint) reproduced cold on a fresh clone. No findings filed; no VETO.
+
+**Still UNVERIFIED for M1 (do NOT treat above as M1 PASS):** P5 (manifest) + P6 (docs);
+`pytest tests/concurrency -q` cold; R2 end-to-end through the real orchestrator screenshot path;
+final coverage re-diff on the COMPLETE branch (P1–P6, all 21 recipes, effective customization set
+unchanged); recipe-test diffs mechanical-only across the whole branch; HC2/F2-11/generic-floor
+integrity at the final head. These wait for `claim(rcust): M1`.
+
+### Interim pre-review of frozen P5 (branch @ 68954be) — @2026-06-10T19:06Z, cold from fresh host clone
+
+Builder landed P5 (customization manifest) and moved to P6, so P5 is frozen. Pre-reviewed it cold.
+**No blocking defect; one secret-SURFACE observation raised (heads-up to Builder, NOT a VETO, NOT
+an M1 secret-leak failure).** NOT an M1 verdict.
+
+Cold acceptance (fresh `git clone` on cc-ci host at 68954be, my own checkout):
+- `cc-ci-run -m pytest tests/unit -q` → **191 passed** (exact match to claim).
+- `nix develop .#lint --command scripts/lint.sh` → **lint: PASS**.
+
+Primary adversarial target — SECRET LEAKAGE via the new manifest surface (D-gate: published logs +
+dashboard contain NO secrets, incl. generated app passwords):
+1. **Generated/runtime secrets — NOT exposed (gate holds).** `manifest.build` collects only:
+   `meta_non_default` (static recipe_meta), hook NAMES (pre-ops/install_steps.sh/compose.ccci.yml),
+   overlay FILENAMES, custom-test COUNTS, and env-override KEY names (printed `KEY=1`, value never
+   rendered). It never touches `deps` (client_secret), `op_state`, abra-generated app passwords, or
+   any env VALUE. The cardinal concern — generated app passwords on the dashboard — is structurally
+   absent from this surface.
+2. **Cold all-recipes sweep.** Built+rendered the manifest for all 21 recipes on the host; grepped
+   the rendered blocks AND the results.json `customization` payload for secret/password/token/key/
+   credential and for any 32+ char high-entropy string. The ONLY hit, across every recipe, is
+   plausible's `EXTRA_ENV.SECRET_KEY_BASE` =
+   `"ccciplausibletestkeybase64charsexactlyforCIephemeral4567890123"`.
+3. **OBSERVATION (not a leak):** that value is a HARDCODED, committed, PUBLIC dummy CI constant
+   (tests/plausible/recipe_meta.py, in the open-source repo) — not a generated or real secret.
+   `meta_non_default` dumps EXTRA_ENV literal dicts verbatim into the log AND results.json (→
+   dashboard), so a field literally named `SECRET_KEY_BASE` with a value now appears on the
+   dashboard. No real secret is exposed (it's public), so this is NOT a D-gate failure and does NOT
+   block P5. BUT it's a standing surface: (a) a dashboard secret-scan gets a true-positive-shaped
+   hit on a public dummy (noise that could mask a real leak), and (b) if any recipe ever set a real
+   secret-ish literal in a meta dict, the manifest would surface it unredacted. Flagged to Builder
+   via BUILDER-INBOX as a heads-up to consider redacting values of sensitive-named meta keys before
+   M1. Will re-examine on the real dashboard at the M1 cold-verify.
+4. **HC2-honoring — confirmed.** Manifest routes ALL repo-local reads through `discovery._gated`
+   (ops.py loop direct; `install_steps`/`resolve_overlay_op`/`custom_tests` each call `_gated`
+   internally). An unapproved repo-local recipe contributes nothing to the manifest.
+5. **Pure presentation — holds.** `build()` only reads files/env and returns a dict; `render()`
+   formats a string. Called at run_recipe_ci.py:889-890 (print) + embedded at :1261 into results;
+   no state mutation, no verdict influence. `_jsonable` renders callables as `'<hook>'` (so a
+   callable EXTRA_ENV/READY_PROBE never leaks closure internals) and tuples→lists for JSON.
+
+Net: P1–P5 all clean under cold adversarial probing; every phase claim (unit count + lint)
+reproduced cold. No findings filed; no VETO. One non-blocking secret-surface heads-up sent.
+
+**Still UNVERIFIED for M1:** P6 (docs); `pytest tests/concurrency -q` cold; R2 end-to-end via the
+real orchestrator screenshot path; final coverage re-diff on the COMPLETE branch (all 21 recipes,
+effective customization unchanged); recipe-test diffs mechanical-only across the whole branch;
+HC2/F2-11/generic-floor integrity at final head; AND — at the M1 dashboard check — confirm the
+SECRET_KEY_BASE-named field on the real dashboard is the accepted public dummy (or redacted).
+These wait for `claim(rcust): M1`.
+
+## M1 — implementation verified: **PASS** @2026-06-10T19:27Z (branch `restructure/recipe-custom` @ 858e0f5)
+
+Cold-verified from TWO fresh clones on the cc-ci host (NEW=858e0f5, OLD=main pre-restructure;
+merge-base 49fb818 confirmed → `main..858e0f5` is exactly P1–P6). Verdict formed from the phase plan
+(SSOT), the code/git history, the STATUS verification facts, and my own cold re-runs — NOT from
+JOURNAL rationale (isolation discipline; I did not need to consult JOURNAL).
+
+**All M1 Definition-of-Done items PASS:**
+
+1. **Cold test suites — match claim exactly.** Fresh clone @858e0f5:
+   `cc-ci-run -m pytest tests/unit -q` → **192 passed**; `tests/concurrency -q` → **23 passed**
+   (untouched by this plan, proven); `nix develop .#lint --command scripts/lint.sh` → **lint: PASS**.
+
+2. **Coverage diff (cardinal risk) — 0 REAL deltas / 21 recipes.** Wrote throwaway extractors that
+   resolve EVERY recipe's effective customization in BOTH worlds — OLD via the legacy loaders
+   (`_load_meta` + `lifecycle._recipe_extra_env` + `deps.declared_deps` + `_recipe_meta_flag`),
+   NEW via `meta.load()` + `meta.extra_env/upgrade_extra_env` — for the common keys (HEALTH_*,
+   timeouts, DEPS, EXTRA_ENV resolved at a fixed domain, UPGRADE_EXTRA_ENV, BACKUP_CAPABLE,
+   EXPECTED_NA, UPGRADE_BASE_VERSION, READY_PROBE/BACKUP_VERIFY presence). Diff = **0 behavioral
+   deltas**; the only raw diffs were 20× `UPGRADE_EXTRA_ENV: None→{}` (unset default representation,
+   behaviorally identical) and mumble (most-customized: callable EXTRA_ENV→dict, UPGRADE_EXTRA_ENV,
+   READY_PROBE) is **byte-identical** old↔new.
+   Deleted keys accounted for (no silent loss): `SKIP_GENERIC` (0 recipe users); `CHAOS_BASE_DEPLOY`
+   → overlay-presence (discourse+ghost, exactly the two shipping compose.ccci.yml — perfect 1:1, no
+   change either direction); `OIDC_AT_INSTALL` → install-time made universal (drive+meet were
+   already install-time). **lasuite-docs** declared DEPS but NOT OIDC_AT_INSTALL → OLD post-install,
+   NEW install-time: an INTENTIONAL P2b consolidation, not a drop — flagged below for M2 validation.
+
+3. **Assertion weakening (VETO-class) — NONE.** Full branch diff over all recipe test files
+   (excl. harness unit/concurrency/regression): 18 removed asserts, 18 added. After mechanical
+   normalization (`domain`→`ctx.domain`, `deps_creds`→`deps`, `MAX_USERS`→`_MAX_USERS`, whitespace)
+   the removed and added assert sets are **IDENTICAL** — zero unmatched in either direction. Every
+   change is a pure signature/fixture/constant rename; no expected value altered, no assert deleted.
+   Spot-confirmed discourse/ghost `_psql(domain,…ci_marker…) in (…)` → `ctx.domain` only (expected
+   tuple + SQL byte-identical). **No VETO.**
+
+4. **Deleted-code fallout — clean.** No dangling LIVE refs to any of the 13 deleted symbols
+   (`_recipe_meta`/`_load_meta`/`_recipe_extra_env`/`_recipe_meta_flag`/`declared_deps`/
+   `is_canonical_enrolled`/`OIDC_AT_INSTALL`/`CHAOS_BASE_DEPLOY`/`SKIP_GENERIC`/`setup_custom_tests`/
+   `deps_apps`/`deps_creds`/`deployed_app`). Only residue: stale DOC/comment mentions of
+   `OIDC_AT_INSTALL` + `setup_custom_tests.sh` in PARITY.md files (non-blocking P6 cosmetic nit).
+
+5. **Validation gaps — closed.** Cold-probed `meta.load()` with synthetic bad metas: typo'd key,
+   str-on-int, bool-as-int, callable-on-data-key, legacy hook sig `READY_PROBE(domain)`, and unknown
+   key ALL → `MetaError` (clear, names the offending file/key). Clean + underscore-private-helper
+   metas load fine (no false positives). No silent pass.
+
+6. **R2 fixed end-to-end.** Cold proof through the REAL load path: a recipe declaring
+   `def SCREENSHOT(page, ctx)` is surfaced by `meta.load()` and resolved callable by
+   `screenshot._load_screenshot_hook` (old L1 allowlist dropped it — now arrives); orchestrator wires
+   it `run_recipe_ci.py:1029 capture(…, recipe_meta=meta)` → `hook(page, hook_ctx(domain, meta))`.
+   Absent recipe → None (default landing-page path). Legacy `SCREENSHOT(page, domain, meta)` sig
+   rejected at load.
+
+7. **HC2 / F2-11 / generic-floor integrity — preserved.** Cold-probed `discovery.custom_tests` +
+   `install_steps`: UNAPPROVED repo-local → `[]` / `None` (default-deny holds); APPROVED → surfaced.
+   `sso_dep_unverified` (F2-11) logic UNCHANGED (only a comment edited) — a deps-not-ready run that
+   skips ≥1 `requires_deps` test still suppresses the green signal. Generic floor `_skip_generic`
+   default = run (additive); opt-out now env-only (same env vars as before; the 0-user meta key
+   removed) and surfaced LOUDLY in CI + flagged `!!` in the manifest — strictly stronger, never
+   silent.
+
+8. **(Bonus) P5 secret-surface heads-up RESOLVED + verified.** The Builder landed `858e0f5`
+   redacting secret-named meta values in the manifest (my P5 BUILDER-INBOX ask). Cold-verified:
+   `plausible.EXTRA_ENV.SECRET_KEY_BASE` → `<redacted>` in BOTH the log block and results.json;
+   recursive into nested dict keys; word-segment `(^|_)KEY(_|$)` regex avoids over-match
+   (KEYCLOAK_* passes). All-21-recipe sweep: exactly 1 redaction, ZERO over-redaction, ZERO
+   under-redaction (no secret-shaped value remains). Regression test
+   `test_manifest_redacts_sensitive_named_values` present.
+
+**Verdict: M1 PASS.** No findings filed, no VETO.
+
+**This does NOT clear `## DONE`.** Per the phase DoD, DONE requires a fresh Adversary PASS for BOTH
+M1 *and* M2. M2 (merged-main real-CI regression sweep vs the committed baseline matrix) is still
+unverified. M2 watch-items I will specifically re-check from run logs:
+- **lasuite-docs OIDC is now install-time** (post→install change above) — must pass a real run with
+  OIDC wired at install (skip-count 0 on its `requires_deps` tests).
+- the customization spot-checks the plan §M2.4 enumerates (mumble READY_PROBE tcp lines, cryptpad
+  SANDBOX_DOMAIN, ghost/discourse BACKUP_VERIFY + overlay copy + auto-chaos base deploy, lasuite-*
+  deps provisioning + OIDC tests ran, immich ops.py seeds, manifest block present in every log,
+  screenshot.png where capture succeeded).
+- canary suite (RED canaries still caught at intended tier) + per-recipe level == baseline matrix.
+- zero leaked apps after teardown.
+
+### M2-prep — independent hook-port audit (shell→python / best-effort↔fatal drift) @2026-06-10T20:55Z
+
+Triggered by the lasuite-drive regression (below), which my M1 PASS MISSED: my M1 coverage diff
+compared recipe_meta KEYS (resolved values), not ops.py hook BODIES, and my assertion scan matched
+`assert ` not `raise AssertionError`. So a hook that flipped best-effort→fatal was invisible to my
+M1 method. M2 (real-CI sweep) caught it — the safety net working as designed. I then audited ALL
+hook ports cold (`git diff c2508c7..origin/main` per recipe ops.py + the 2 setup_custom_tests.sh
+ports), filtering for non-mechanical error-handling (raise/assert/except/exit/timeout/poll changes):
+
+- **lasuite-drive `pre_install`** — GENUINE rcust regression (Builder-disclosed, I confirmed):
+  OLD setup_custom_tests.sh bucket poll fell through on 90s timeout (best-effort, no failure; the
+  custom-tier `test_minio_storage.py` upload→list→download is the real gate); NEW port added a
+  terminal `raise AssertionError` → deterministic install RED when the bucket appears just after
+  90s. Fix-forward APPROVED (restore best-effort print+return, scoped to line-54 only; conditioned
+  on an L5 re-run + my diff re-verify). See approval entry in BUILDER-INBOX history (commit 57c66ad).
+- **lasuite-docs `install_steps.sh`** — INTENTIONAL P2b change, NOT a defect: OLD setup_custom_tests
+  did `exit 1` on missing deps/null KC creds; NEW does `exit 0` (no-op) for missing-deps (gated now
+  by F2-11: the `@requires_deps` OIDC test skips → `sso_dep_unverified` suppresses green) BUT
+  preserves `exit 1` on secret-insert failure. Consistent with the install-time-deps redesign.
+  WATCH-ITEM (residual): the missing-deps path now relies entirely on F2-11; the sweep didn't
+  exercise it (deps were ready, skip-count 0). Mechanism verified present at M1; not blocking.
+- **All other ops.py** (cryptpad, discourse, ghost, immich, keycloak, lasuite-meet, matrix-synapse,
+  mattermost-lts, mumble, n8n, plausible, custom-html) — pure mechanical ctx migration
+  (`domain`→`ctx.domain`, `meta`→`ctx.meta`); expected tuples/strings byte-identical (spot-checked
+  keycloak 201/409 + 204/200, discourse/ghost _psql ci_marker). No error-handling drift.
+
+Net: exactly ONE accidental hook-port regression (lasuite-drive), now under approved fix. No other
+best-effort↔fatal flips. This audit closes the M1-method gap for the hook bodies.
+
+---
+
+### M2 proof-run independent analysis (cold, Adversary) @2026-06-10T23:53Z
+
+M2 is NOT yet claimed by the Builder; this is my independent read of the proof runs sitting on
+cc-ci (`/var/lib/cc-ci-runs/{m2b-*,ab-*-oldmain}`), parsed myself via jq (NOT trusting Builder
+narrative). The 6 first-sweep mismatches break down as follows.
+
+**Confirmed root fact — REF MISMATCH is real (I verified, not taken on faith).** Every baseline
+matrix run used a *PR-head* ref; the first M2.3 sweep used each mirror's *default-branch head* — a
+different commit. Independently confirmed via `results.json.ref`:
+| recipe | baseline run/ref/level | sweep ref/level |
+|---|---|---|
+| discourse | 184 / 7ae7b0f76efb / L4 | 7d53d4ec390f / L2 |
+| plausible | 308 / 13458fac56a1 / L4 | da159375d89a / L2 |
+| mattermost-lts | 196 / a333e31a6002 / L4 | 41c9eb8e5f34 / L2 |
+| immich | 307 / 107d7220adce / L4 | 7eb3937a82d0 / L2 |
+| lasuite-drive | 189 / ffa7d585afa2 / L5 | f4135d78201e / L0 |
+So the sweep was NOT apples-to-apples vs the baseline matrix. Reconciliation requires either
+(a) re-run at the baseline ref on new main == baseline level, or (b) A/B same-ref old-vs-new main
+== same level. Status per recipe:
+
+- **immich** — m2b-immich (new main, baseline ref 107d7220adce) = **L4 == baseline L4. CLEAN.**
+- **mattermost-lts** — m2b (new main, a333e31a6002) = **L4 == baseline L4. CLEAN.**
+- **plausible** — m2b (new main, 13458fac56a1) = **L4 == baseline L4. CLEAN.**
+  → these three: restructure proven INNOCENT (baseline ref reproduces baseline level on merged main).
+- **bluesky-pds** — ab-bluesky-pds-oldmain (OLD main, b2d86efba3f1) = L0 == new-main sweep L0 at
+  same ref → restructure-NEUTRAL at the sweep ref. (Baseline is "L4-equiv, pre-results-era", no run
+  id — softer baseline; A/B neutrality is the available evidence.)
+- **discourse — NOT yet clean. OPEN.** Two *distinct* flake modes seen, and the A/B was run at the
+  wrong ref to close the gap:
+  - baseline 184 (OLD main, 7ae7b0f): all pass → L4.
+  - m2b-discourse (NEW main, SAME ref 7ae7b0f): **upgrade FAILED**, HC1 guard fired —
+    "upgrade deployed chaos commit 'eb96de94+U', not intended PR-head '7ae7b0f76efb' — re-checkout
+    to code-under-test failed (HC1)" → L1.  ← same-ref old=L4 vs new=L1 discrepancy, UNexplained.
+  - ab-discourse-oldmain (OLD main, 7d53d4ec): **restore FAILED** (ci_marker truncated-dump race)
+    → L2 == new-main sweep L2 at that ref → neutrality proven, but for the RESTORE mode at the
+    DEFAULT-head ref, NOT for the L1/upgrade-HC1 mode at the baseline ref.
+  - Net: the clean A/B (ref 7ae7b0f on OLD main vs NEW main) that would explain L4→L1 was NOT run.
+    The upgrade re-checkout/HC1 path lives in run_recipe_ci.py/lifecycle which the meta-param
+    threading DID touch — so "pre-existing flake" is plausible but UNPROVEN here. To clear: run
+    discourse @7ae7b0f on OLD main (does it deterministically reproduce L4, or also flake to L1?),
+    and/or repeat @7ae7b0f on new main to characterise the HC1 re-checkout as a race. The HC1 guard
+    FIRING (not silently passing the wrong commit) is the safety net working — good — but it means
+    the upgrade did not exercise the PR code, so the run is inconclusive, not a clean baseline match.
+- **lasuite-drive** — fix-forward 1357544 (restore best-effort bucket poll) landed; needs a fresh
+  L5 run at the baseline ref ffa7d585afa2 on merged main to confirm baseline. m2rr/earlier runs
+  predate or used the default head — NOT yet a clean baseline match. OPEN.
+
+**M2 disposition: still OPEN — no PASS.** 3/6 cleanly reconciled (immich/mattermost/plausible);
+bluesky neutral-at-sweep-ref; discourse + lasuite-drive NOT yet closed. I will require, at the M2
+claim: (1) discourse same-ref A/B (or repeat) explaining L4→L1; (2) a clean lasuite-drive L5 at
+baseline ref; (3) my own cold re-parse of every per-recipe level vs baseline; (4) the M2.4
+customization-executed spot-greps; (5) zero leaked apps. Recorded a BUILDER-INBOX heads-up on the
+discourse-HC1 gap so it is addressed in the claim, not glossed as "the restore flake".
+
+### M2 proof-run progress + self-correction @2026-06-11T00:05Z
+
+Builder is running (independently, matching my inbox ask) the decisive A/B serially on the box:
+`m2-proof.sh` → lasuite-drive @ffa7d585afa2 PR=1 (post-fix-forward 1357544) on merged main 5c0676b,
+then discourse @7ae7b0f76efb **PR=2** on merged main (m2p-discourse); `m2-proof2.sh` (queued) →
+discourse @7ae7b0f76efb **PR=2** on OLD main (/root/m2-oldmain, ab-discourse-7ae7b0f-oldmain).
+
+**Self-correction to my 23:53Z discourse analysis:** my m2b-discourse run used **PR=0**, but the
+upgrade HC1 guard resolves the *PR head* for the re-checkout. The L1 failure message ("deployed
+chaos commit 'eb96de94+U', not PR-head 7ae7b0f — re-checkout failed") is plausibly a **PR=0
+artifact** (no real PR to resolve the head from), NOT a restructure regression. The Builder's proof
+runs correctly use PR=2 (matching baseline run 184's pr=2). So the apples-to-apples comparison I
+need is m2p-discourse (PR=2, new main) vs ab-discourse-7ae7b0f-oldmain (PR=2, old main) vs baseline
+184 (PR=2, old main, L4). I will cold-verify those three when they land; my L4→L1 concern is on
+hold pending the PR=2 result, not yet a confirmed regression. Live lasu-f68b63 stack = active
+lasuite-drive proof run (expected, not a leak).
+
+### M2 fix-forward APPROVE: be2026a (services_converged completed-one-shot rule) @2026-06-11T00:31Z
+
+Builder proposed a 2nd lasuite-drive P2b fix on branch `fix/converged-oneshot @ be2026a` and asked
+approval before merging to main (M2 "trivial fix-forward w/ Adversary approval" path). Cold-verified
+independently (fresh clone of be2026a at /root/adv-be2026a on cc-ci, NOT the Builder's working tree):
+
+- **Diff** (`git diff origin/main..be2026a runner/harness/lifecycle.py`, read myself): in
+  `services_converged`, a `cur != want` deficit now passes ONLY if `docker service ps <svc>` shows
+  ALL task states == `Complete`. Conservative: any Running/Preparing/Pending (spinning up) or
+  Failed/Rejected (broken) in the deficit still returns False; no-tasks-yet still False; plain N/N
+  and 0/0 unchanged. Targeted addition, not a rewrite.
+- **False-green analysis (my own):** only `restart_policy:none` one-shots ever show `Complete`; a
+  normal crashed service shows Failed/Running(restarting), never Complete. Even if converge passed
+  on a completed-but-ineffective one-shot, two INDEPENDENT gates still catch it — the generic
+  `test_serving` HTTP floor and the custom-tier functional test (lasuite-drive
+  `test_minio_storage.py` upload→list→download is the real bucket gate). Defense-in-depth holds; I
+  could not construct a false-green path.
+- **Tests** `tests/unit/test_converged_oneshot.py` (read + cold-ran): 7 cases pin exactly the
+  non-vacuity criteria — completed→converged, Failed→NOT, mixed Complete+Failed→NOT (covers the
+  `docker service ps` history concern), Preparing→NOT, no-tasks→NOT, N/N→converged, 0/0→converged.
+- **Cold suite+lint from fresh be2026a checkout:** `cc-ci-run -m pytest tests/unit -q` → **199
+  passed**; the 7 new tests pass alone; `nix develop .#lint --command scripts/lint.sh` → **lint:
+  PASS**. Matches Builder's claim.
+- **Root cause judged genuine P2b regression** (hook moved into ops.py pre_install runs BEFORE the
+  install assert; the completed one-shot's 0/1 then burns DEPLOY_TIMEOUT in the converge poll). The
+  fix accepts a genuinely-healthy deploy (HTTP 200, all other services 1/1) the old `cur!=want`
+  wrongly rejected — correction, not masking.
+- **Not on main** — confirmed `all(s == "Complete")` absent from origin/main; Builder held the gate.
+- **Disclosed semantic delta** (a failing one-shot now blocks install convergence earlier vs later
+  at custom-tier): ACCEPTED — both paths RED, no false-green, no enrolled recipe has a
+  baseline-failing one-shot.
+
+**VERDICT: fix-forward be2026a APPROVED, conditional on:**
+1. Post-merge lasuite-drive proof re-run @ffa7d585afa2 PR=1 lands **L5** (binding end-to-end proof
+   the fix resolves the converge hang — if it doesn't, the diagnosis was wrong and approval voids).
+2. I re-verify the MERGED diff == be2026a diff (no extra change sneaks in at merge).
+3. discourse PR=2 A/B pair (m2p-discourse / ab-discourse-7ae7b0f-oldmain — no one-shots, unaffected
+   by this fix) completes and I cold-verify those levels too.
+This APPROVE does NOT clear M2; M2 still needs all per-recipe levels reconciled + my independent
+sample re-check + zero-leak teardown.
+
+### be2026a merge cold-verify — condition #2 SATISFIED @2026-06-11T00:42Z
+
+Builder merged be2026a as 6cabbe7 (build 350 green, origin/main now b4505ac). Independently checked:
+`diff origin/main:runner/harness/lifecycle.py be2026a:...` → **IDENTICAL**; the merged
+`tests/unit/test_converged_oneshot.py` → **IDENTICAL** to be2026a. Clean merge, no extra change
+slipped in — approval condition #2 met. m2p-lasuite-drive (pre-fix) landed L0 (install/converge
+timeout) = the diagnosed symptom (Builder disclosed b4505ac it SIGINT-shortcut the doomed burn;
+binding proof is the post-fix m2p2 re-run). REMAINING be2026a conditions: #1 post-fix lasuite-drive
+L5, #3 discourse PR=2 A/B cold-check — both pending (m2p-discourse running, then ab-oldmain, then
+m2p2-lasuite-drive).
+
+### be2026a conditions CLEARED + SSO-baseline staleness finding (independent) @2026-06-11T01:12Z
+
+Reached the conclusions below COLD (own git archaeology + run-dir jq) BEFORE reading the Builder's
+01:10Z inbox — which then concurred. Anti-anchoring preserved (no JOURNAL read; inbox read after my
+own derivation).
+
+**be2026a fix-forward — ALL 3 CONDITIONS SATISFIED → fix-forward FULLY CLEARED:**
+1. **Post-fix lasuite-drive (m2p2, merged main 6cabbe7, ffa7d585afa2, PR=1): L4, rc=0, 3m19s.**
+   Independently verified: flags clean_teardown=true + no_secret_leak=true; all 4 essential rungs
+   pass; `test_minio_storage::...object_roundtrip` PASSED; `test_oidc_..._keycloak` PASSED. The
+   install converge no longer hangs — both fix-forwards (1357544 best-effort poll + 6cabbe7
+   completed-one-shot converge) exercised in one run. The literal "L5" in my condition is
+   **unmeetable on current code and NOT an rcust effect** — see staleness finding below; I accept
+   the L4-equivalence. Fix works end-to-end.
+2. **Merged diff == branch diff** — verified earlier (4428e76): lifecycle.py + test file
+   byte-identical to be2026a.
+3. **discourse A/B — restructure-NEUTRAL.** m2p-discourse (NEW main, 7ae7b0f, PR=2) = L1 and
+   ab-discourse-7ae7b0f-oldmain (OLD main, SAME ref, SAME PR=2) = L1, SAME stage (upgrade), SAME
+   message (`eb96de94+U` HC1 re-checkout). old==new byte-identical → rcust did NOT regress discourse.
+   The L4(184)→L1 vs baseline is pre-existing env drift since 06-05 (filed below), not rcust.
+
+**FINDING [adversary] — M2 baseline matrix has 3 STALE L5 entries (lasuite-docs/drive/meet).**
+Independently established: the level ladder dropped 6-rung(L5)→4-rung(max L4, integration &
+recipe-local now OPTIONAL/non-laddered) in mainline PR#6 (c51cd84 "4-rung ladder", + 46e2cdb),
+which `git merge-base --is-ancestor c51cd84 01e6d49^` confirms is an ANCESTOR OF PRE-RCUST MAIN.
+The rcust merge touches level.py NOT AT ALL and results.py by +4 cosmetic P5 lines; compute_level
++ derive_rungs are byte-identical old-main↔merged-main. So NO current-code run (rcust or pre-rcust)
+can produce L5; baselines 188/189/204 (L5, integration:pass) were recorded under the OLD schema
+(run 204 ran 06-09 hours before the refactor deployed). **rcust is INNOCENT of L4≠L5.** Integration
+coverage is NOT lost: the requires_deps OIDC tests EXECUTE and PASS (skip-count 0) on current code —
+verified in m2p2 AND the sweep's m2r-lasuite-docs (`test_oidc_login_via_keycloak` +
+`test_oidc_password_grant_...` PASSED) and m2r-lasuite-meet (`...password_grant...` PASSED).
+ACCEPTED equivalence for the M2 matrix: **old L5 ≡ new L4 (all 4 essential rungs pass) + requires_deps
+OIDC test PASSED (skip-count 0)**. Under this, lasuite-docs (m2r L4) / lasuite-meet (m2r L4) /
+lasuite-drive (m2p2 L4) all MATCH. (Note: this validates — but corrects the basis of — the Builder's
+first-sweep "lasuite-docs/meet matched baseline"; they are L4+OIDC, not numeric L5.) This is a
+matrix-staleness correction, NOT a rcust regression; no VETO.
+
+**Still OPEN for the M2 verdict (my side):** (a) per-recipe levels reconciled vs the CORRECTED
+baseline for all 21; (b) bluesky-pds is L0 on BOTH old & new main (upstream image
+`Cannot find module index.js`) — restructure-neutral but also cannot match its L4-equiv baseline on
+ANY current run → needs a DECISIONS/DEFERRED note as non-rcust upstream breakage, not a silent
+mismatch; (c) the 2 drone-path !testme runs (immich#2/plausible#3); (d) zero-leak teardown sweep;
+(e) my own independent re-check of ≥5 recipes' logs + ALL mismatches before any M2 PASS.
+
+---
+
+## M2 — merged-main real-CI regression sweep: **PASS** @2026-06-11T01:15Z
+
+Cold-verified the M2 claim (STATUS gate "M2 CLAIMED ~01:30Z") from my own clone + direct on cc-ci,
+re-running/ re-parsing rather than trusting Builder logs. Every M2.0–M2.4 item holds.
+
+**M2.2 canaries — cold RE-RAN myself** from a fresh `origin/main` checkout (/root/adv-be2026a @
+origin/main): `cc-ci-run -m pytest tests/regression/ -m canary -v` → **7/7 passed (301s)**, incl.
+`bad-false-green` (the false-green detector) + all four RED canaries (bad-install/upgrade/backup/
+restore) caught at their designed tier. The level system is NOT inflating. (log /root/adv-canary.log)
+
+**M2.3 per-recipe — all 21 reconciled (cold jq on each run dir):**
+- 13 clean: cryptpad/custom-html/ghost/hedgedoc/keycloak/matrix-synapse/n8n/uptime-kuma = L4;
+  mailu/custom-html-tiny = L2 (backup_restore N/A); mumble = L4 (deploy-count=1) — all == baseline,
+  clean_teardown=true.
+- 2 designed-bad canaries genuinely exercised: bkp-bad rungs backup_restore=**fail** (backup=fail);
+  rst-bad backup_restore=**fail** (backup=pass→restore=fail). The L1 cap is upgrade-N/A ladder
+  semantics; the designed failure is recorded in the rung (verified — NOT a coincidental
+  level-match).
+- immich/mattermost-lts/plausible: **L4 @ exact baseline refs** (m2b-*) — baseline REPRODUCED on the
+  restructured harness (cold-verified earlier this session).
+- discourse: m2p-discourse (NEW main) == ab-discourse-7ae7b0f-oldmain (OLD main) — SAME ref/PR=2,
+  SAME stage, SAME upgrade-HC1 message (`eb96de94+U`), SAME L1. **old==new ⇒ rcust-neutral**; the
+  L4(184)→L1 is pre-existing env drift since 06-05 (DEFERRED.md), NOT caused by the restructure.
+- lasuite-docs/-meet/-drive: L4 all-rungs-pass + requires_deps OIDC test PASSED (skip-count 0)
+  [lasuite-drive m2p2 also MinIO PASSED, post-both-fixes, rc=0]. Their "L5" baselines are STALE:
+  the 6→4-rung ladder landed in mainline c51cd84 (PR#6), which `git merge-base --is-ancestor
+  c51cd84 01e6d49^` confirms PREDATES the rcust merge; level.py untouched by the merge, derive_rungs
+  byte-identical old↔new. **rcust-innocent; integration coverage preserved** (OIDC tests execute &
+  pass). Accepted equivalence old L5 ≡ new L4-all-pass + OIDC-pass.
+- bluesky-pds: EXCLUDED — `Cannot find module /app/index.js` crash-loop on BOTH old & new main at
+  every ref → upstream image breakage, rcust-neutral. DEFERRED.md note present.
+
+**M2.3 drone→harness path:** drone builds **356 (immich) + 357 (plausible)** = `build_event=custom`
+(bridge-triggered; distinct from push builds 358-361), trigger=autonomic-bot, both **success**
+(verified in drone sqlite DB); run dirs 356/357 = immich L4 pr=2 / plausible L4 pr=3, customization
+manifest present, clean_teardown=true.
+
+**M2.4 customizations actually executed (cold-grep):** manifest block **21/21** logs; mumble
+`ready-probe OK (tcp 3x) 127.0.0.1:64738`; ghost `ccci-overlay: provided compose.ccci.yml ...
+base deploy auto-chaos` (P2a first-class path live); cryptpad `EXTRA_ENV='<hook>'`; immich
+`ops.py[pre_backup,pre_restore,pre_upgrade]` + `pre-op seed` lines (migrated ctx hooks run).
+
+**Teardown:** `docker stack ls` = infra (backups/bridge/dashboard/reports/drone/traefik) +
+warm-keycloak ONLY, **zero leaked app stacks** (checked after ALL runs incl. drone-path).
+
+**Fix-forwards (both Adversary-approved, additive):** 1357544 (lasuite-drive best-effort poll, appr
+57c66ad) + be2026a/6cabbe7 (services_converged completed-one-shot, appr a531746) — merged diff ==
+branch diff, all 3 be2026a conditions cleared (24a203a). Cold unit suite on post-fix main = 199
+passed, lint PASS.
+
+**VERDICT: M2 PASS.** No regression CAUSED BY the restructure: every deviation from the baseline
+matrix is proven rcust-neutral by same-ref old-vs-new A/B (discourse, bluesky) or is a pre-rcust
+stale-schema artifact with coverage preserved (3 lasuite), all documented in DEFERRED.md — not a
+silent mismatch. The false-green detector is green on my own cold canary run. No findings filed,
+no VETO.
+
+**M1 PASS (01f9f70) + M2 PASS (this entry) both stand** → the phase DoD handshake is satisfied; the
+Builder may write `## DONE` to STATUS-rcust.md. (M1's unit+lint acceptance still holds on post-fix
+main: 199 passed / lint PASS, the fix-forwards being additive + separately approved.)

machine-docs/REVIEW-redfix.md

@@ -0,0 +1,135 @@
+# REVIEW — phase `redfix` (Adversary)
+
+Phase SSOT: `/srv/cc-ci/cc-ci-plan/plan-phase-redfix-canon-sweep-failures.md`
+Mission: investigate every canon-sweep failure (discourse, mattermost-lts, mumble, bluesky-pds,
+gitea, keycloak), isolate → root-cause → classify (flake vs genuine; recipe vs test vs
+warm-machinery vs load) → FIX each via a recipe PR or harness improvement → verify green.
+No standing exceptions. Nothing merged.
+
+Gates:
+- **M1** — all six investigated in isolation, classified with evidence. Adversary cold-verifies:
+  claimed flake = reproducibly green in isolation (and red under load); claimed recipe defect =
+  genuinely the recipe (not a stale test / harness artifact); claimed warm-machinery bug = in cc-ci.
+- **M2** — all six FIXED + verified green (recipe PR via `!testme`; harness/cc-ci PR via the harness;
+  flake-stabilization green under load). All six promote/pass. No standing exception. Nothing merged.
+
+DONE = Builder writes `## DONE` only after M1+M2 fresh Adversary PASS here.
+
+---
+
+## Verdicts
+
+### M1 — investigate + isolate + classify: **PASS** @ 2026-06-18T01:18Z
+
+Gate claim: `claim(redfix-M1)` commit `0a06c41` (@00:25Z). Verified from a COLD START on cc-ci with my
+OWN isolation re-runs (one recipe at a time, no concurrent load) — NOT the Builder's logs. Isolation
+discipline honored: verdict formed from the phase plan (SSOT), the recipe code / git history, the
+verification info in STATUS, and my own cold acceptance runs; I did NOT read JOURNAL-redfix.md before
+writing this verdict.
+
+All six classifications are CORRECT. Evidence per recipe (full detail in the verification log below):
+
+| Recipe | My independent reproduction | Classification — verified |
+|---|---|---|
+| **discourse** | my isolation run `/tmp/adv-discourse.log`: install/backup/restore/custom PASS, upgrade FAIL on the 2 PR-faithfulness overlay asserts; **converged in minutes, no FATA/rc=142/wedge** | **stale/PR-specific cc-ci OVERLAY test** (canon "timeout" root-cause was WRONG — confirmed). Recipe deploys+serves fine. ✔ |
+| **mattermost-lts** | my isolation run `/tmp/adv-mattermost.log`: **restore FAIL deterministically** (`relation "ci_marker" does not exist`, 91s, isolated) | **genuine RECIPE defect** — no `backupbot.restore.post-hook`; NOT the canon "loaded-node race." ✔ |
+| **mumble** | my isolation run `/tmp/adv-mumble.log`: ALL 5 tiers GREEN incl `test_handshake_completes_with_channel_presence`; promote OK | **load/timing FLAKE** — green in isolation (a recipe defect would red deterministically; it didn't). ✔ |
+| **bluesky-pds** | my isolation run `/tmp/adv-bluesky.log` + live caddy diag: cold GREEN, warm promote **000 deterministic**; `getent app`→10.10.0.4 (foreign proxy), own app 10.0.5.6 never resolved; caddy log cycles `dial 10.10.0.{4..12}:3000 refused` | **genuine recipe ROUTING defect** (bare `app` + caddy on shared `proxy`), NOT cc-ci promote-machinery (it correctly refused to promote), NOT flake. (Reverses the plan's "warm-machinery" prior — confirmed against it.) ✔ |
+| **gitea** | my isolation run `/tmp/adv-gitea.log` + container crash log: cold GREEN, warm advance crash-loops 0/1; `LoadCommonSettings() [F] … error saving JWT Secret … "/etc/gitea/app.ini": read-only file system`; canonical correctly stayed 3.5.3 (promote timed out, refused) | **genuine RECIPE defect** (3.6.0 JWT save vs read-only app.ini docker-config mount; `/etc/gitea` is a writable volume but the app.ini file is the RO config). ✔ |
+| **keycloak** | code-verified: `canonical.canonical_domain('keycloak')`→`warm.stable_domain`→`warm-keycloak.ci.commoninternet.net` == `warm.WARM_DOMAINS['keycloak']` (warm.py:47 documents the equality); live keycloak 200 on `/realms/master` | **HARNESS defect** (data-warm canonical domain collides with the live-warm OIDC provider; no collision-free namespace). ✔ |
+
+No defects in the classification work. No VETO. Node verified clean before AND after my runs (only infra
++ live warm-keycloak; gitea restored to undeployed idle 3.5.3, volumes retained, canonical commit
+`e6a1cc79` unchanged; warm-keycloak healthy throughout). **M1 PASS — Builder cleared to proceed to M2.**
+(M2 will re-verify each FIX green; this PASS is for the investigation/classification gate only.)
+
+_(prior placeholder removed)_
+
+## Adversary verification log
+
+- 2026-06-17T23:18Z — Phase redfix opened. Refreshed phase plan + plan.md §6.1. Cold access to cc-ci
+  confirmed (`ssh cc-ci`: host `nixos`, uptime 4d, `systemctl --failed` empty, load ~0.8). No Builder
+  state files (`STATUS/BACKLOG/JOURNAL-redfix.md`) yet; no gate claimed. Idling for the first claim.
+- 2026-06-18T00:10Z — Non-contending pre-staging (M1 NOT yet claimed; Builder mid-investigation:
+  gitea isolation running, keycloak pending). Stayed OFF the swarm to avoid contaminating the
+  Builder's isolation runs. Independently corroborated two deterministic static claims via pure
+  code reads on cc-ci (no deploys):
+  * **mattermost-lts** (recipe @ `2.1.9+10.11.15`): postgres svc has `backupbot.backup.pre-hook`
+    (pg_dump → /var/lib/postgresql/data/postgres-backup.sql), `backup.post-hook` (rm dump),
+    `backup.path=/var/lib/postgresql/data/` (hot live PGDATA) — and **NO `backupbot.restore.post-hook`**.
+    immich (passes) uses dump-only `backup.volumes.postgres.path: backup.sql` + `restore.post-hook:
+    /pg_backup.sh restore`. Corroborates "genuine recipe defect — no restore round-trip." ✔ pre-staged.
+  * **discourse** (recipe @ `0.8.1+3.5.0` = `bitnamilegacy/discourse:3.5.0` + sidekiq): overlay
+    `tests/discourse/test_upgrade.py` is a phase-prevb PR-faithfulness test asserting app image ==
+    official `discourse/discourse:3.5.3` AND sidekiq dropped — only true on an unreleased PR head, not
+    the latest release the canon sweep deploys. So it red-by-construction in the sweep. Corroborates
+    "stale/PR-specific overlay test, not flake/timeout/recipe-deploy." ✔ pre-staged.
+  * STILL OWED before any M1 PASS: my OWN cold isolation run of discourse to confirm the
+    re-classification from the original canon hypothesis ("cold-deploy timeout, ~51-min wedge") to
+    "deploys+serves fine, only the overlay test reds." Will run when M1 is claimed and the swarm is
+    free (Builder not deploying). Same for bluesky app-alias collision (needs live caddy/getent diag).
+  These are NOT verdicts — formal M1 PASS/FAIL awaits the Builder's gate claim.
+- 2026-06-18T00:25Z — **M1 CLAIMED** (commit 0a06c41). Node verified idle/clean before any run
+  (only infra + live warm-keycloak; no bluesky/test stacks; no run_recipe_ci; load 0.03; gitea idle
+  3.5.3) — Builder "node clean" claim ✔. Began my own COLD isolation re-runs (one at a time, no
+  concurrent load), swarm confirmed free.
+- 2026-06-18T00:29Z — **bluesky-pds CONFIRMED by my own reproduction** (`/tmp/adv-bluesky.log`,
+  tag 0.3.0+v0.4.219, RECIPE=bluesky-pds CCCI_SKIP_FETCH=1). Cold lifecycle GREEN (install/backup/
+  restore/custom=pass, upgrade=skip) — reproduced. WC5 promote → unhealthy, 000. DECISIVE live diag
+  inside the warm caddy container (60326521a2ac, nets: proxy=10.10.52.13 + internal=10.0.5.3):
+  * `getent hosts app` → **10.10.0.4** (a *proxy*-net foreign endpoint) — NOT bluesky's own app.
+  * bluesky's OWN app is at internal **10.0.5.6** (real target), never resolved.
+  * caddy TLS log cycles `dial tcp 10.10.0.{4,5,6,8,10,11,12}:3000: connect: connection refused`
+    on `ask http://app:3000/tls-check` → on-demand cert denied → TLS fails → /xrpc/_health = 000.
+  Verdict basis: NOT a flake (deterministic, every retry refused); NOT promote-machinery (the probe
+  correctly refuses an unhealthy endpoint, no false promote); **genuine recipe routing defect** —
+  recipe names its svc `app` + puts caddy on the shared multi-tenant `proxy` net + Caddyfile uses bare
+  `app`, so docker DNS resolves `app` to OTHER stacks' apps. Builder's classification (recipe defect,
+  reverses the plan's "cc-ci warm-machinery" prior) is CORRECT. Sharper than Builder's note (my run's
+  internal IP 10.0.5.6 vs their 10.0.3.3 — same mechanism, different deploy). Letting run finish + will
+  tear down the orphan warm-bluesky stack. [interim — full M1 verdict batched after mumble+discourse.]
+- 2026-06-18T00:38Z — bluesky run finished; promote log `!! WC5 promote failed (non-fatal; known-good
+  unchanged) … last status 0` — **machinery correctly refused to write canonical** (seals "not
+  promote-machinery"). Cleaned up: `docker stack rm warm-bluesky-pds…` + removed both volumes
+  (caddy_data, pds_data). Node verified clean of bluesky.
+- 2026-06-18T00:44Z — **mumble CONFIRMED by my own isolation run** (`/tmp/adv-mumble.log`, tag
+  1.0.0+v1.6.870-0). ALL 5 tiers GREEN: install/upgrade/backup/restore/custom = pass. The exact
+  canon-sweep failure `tests/mumble/custom/test_protocol_handshake.py::test_handshake_completes_with_
+  channel_presence` **PASSED** in isolation. WC5 promote SUCCEEDED (canonical advanced to known-good
+  1.0.0+v1.6.870-0, idle, volume retained). A recipe defect would fail deterministically in isolation
+  (cf. mattermost restore) — mumble passing cleanly confirms **load/timing FLAKE**, not a recipe bug.
+  (My 1 isolation green + Builder's 2× = 3 isolation greens / 0 isolation reds vs 1 canon red-under-load
+  — consistent flake signature.) Builder's classification CORRECT.
+- 2026-06-18T00:53Z — **discourse CONFIRMED by my own isolation run** (`/tmp/adv-discourse.log`, tag
+  0.8.1+3.5.0). Tiers: **install pass / upgrade FAIL / backup pass / restore pass / custom pass** —
+  exactly the Builder's claim. Deploy **converged in minutes; NO FATA, NO rc=142/143, NO ~51-min
+  wedge** → the original canon "cold-deploy timeout" hypothesis did NOT reproduce in isolation (Builder
+  reclassification CORRECT). Upgrade failed on the two PR-faithfulness overlay assertions:
+  `test_head_runs_official_image_not_bitnamilegacy` (deployed image = `bitnamilegacy/discourse:3.5.0@
+  sha256:db7e...`, the release's own image) and `test_sidekiq_service_dropped_by_head` (services =
+  `['app','db','redis','sidekiq']`). The overlay demands official `discourse/discourse:3.5.3` + no
+  sidekiq — an unreleased PR migration in NO release tag and NOT in main (verified earlier: tag AND
+  main both `bitnamilegacy:3.5.0`+sidekiq). AssertionError self-documents "the prevb bug." So the
+  recipe DEPLOYS+SERVES fine; only the stale/PR-specific overlay reds by construction in the canonical
+  sweep. **stale cc-ci OVERLAY test**, not flake/timeout/recipe-deploy/warm-machinery. Builder CORRECT.
+- 2026-06-18T01:02Z — **mattermost-lts CONFIRMED by my own isolation run** (`/tmp/adv-mattermost.log`,
+  tag 2.1.9+10.11.15). Tiers: install pass / upgrade pass / backup pass / **restore FAIL** / custom
+  pass — exactly Builder's claim. The overlay `tests/mattermost-lts/test_restore.py::
+  test_restore_returns_state` FAILED with the EXACT `RuntimeError: docker exec … postgres failed
+  (rc=1): ERROR: relation "ci_marker" does not exist`. **Deterministic in isolation** (91s, no
+  concurrent load) → NOT the canon "loaded-node db-cycle race." Note: generic `test_restore_healthy`
+  PASSED (app returns healthy) but the STATE round-trip failed — the seeded marker is gone after
+  restore. Mechanism matches the static finding: backup dumps + backs up hot PGDATA but has NO
+  `backupbot.restore.post-hook` to replay the dump → postgres logical data never round-trips. **genuine
+  RECIPE defect**, not a flake/load-race/stale-test. Builder's classification CORRECT.
+- 2026-06-18T01:09Z — **gitea CONFIRMED by my own isolation run + container crash log**
+  (`/tmp/adv-gitea.log`, tag 3.6.0+1.24.2-rootless). Cold lifecycle all 5 tiers GREEN (incl fresh
+  3.5.3→3.6.0 upgrade tier). WC5 advance (reattach idle 3.5.3 volumes with 3.6.0 image) → warm-gitea
+  app crash-loops 0/1. Container log (every task, e.g. .8zd4952…): `setting.go:105:LoadCommonSettings()
+  [F] Unable to load settings from config: error saving JWT Secret for custom config: failed to save
+  "/etc/gitea/app.ini": open /etc/gitea/app.ini: read-only file system`. Mount nuance CONFIRMED:
+  `/etc/gitea` is a writable VOLUME (RW=true) but app.ini is a docker CONFIG overlaying that path
+  read-only → gitea can write the dir but NOT the app.ini file. **genuine RECIPE defect** (3.6.0 JWT
+  save vs read-only app.ini config mount). Cold passes (fresh render, no runtime save). Builder's
+  classification + proposed fix (render app.ini into the writable volume) CORRECT. Will verify
+  canonical stays 3.5.3 (promote refused) + restore warm-gitea to undeployed idle.

machine-docs/REVIEW-regall.md

@@ -0,0 +1,203 @@
+# REVIEW — phase `regall` (Adversary writes here)
+
+**Phase:** regall — full all-recipe regression after prevb
+**SSOT:** `/srv/cc-ci/cc-ci-plan/plan-phase-regall-recipe-regression.md`
+**Adversary loop started:** 2026-06-17T02:00Z
+**Adversary clone:** /srv/cc-ci/cc-ci-adv
+
+---
+
+## Gate verdicts
+
+### M1: PASS @2026-06-17T03:50Z
+
+**Claim:** Builder `3403309` — sweep complete, all 21 recipes classified.
+
+**Adversary cold-verification:**
+
+All 21 recipes cold-verified from results.json during this session:
+- **Batches 1-4** (12 recipes): drone/gitea/matrix-synapse/lasuite-meet/n8n/mumble/custom-html/mailu/mattermost-lts/lasuite-docs/ghost/immich — all L5, all rungs consistent with claim ✓
+- **Batch 5** (3 recipes): uptime-kuma (748) L5 ✓, lasuite-drive (749) L5 ✓, plausible (758, PR#3) L5 ✓
+- **Batch 6** (2 recipes): custom-html-tiny (752) L5 ✓, bluesky-pds (753) L5 upgrade=skip ✓
+- **prevb spot-checks** (3): cryptpad/keycloak/hedgedoc — L5 ✓ (carried from prevb M2)
+- **discourse** (run 717): level=4, lint=f (accepted; prevb fix) ✓
+
+**Classification spot-check:**
+- plausible PR#3 (run 758, d77adba4): L5 all pass — correctly classified GREEN ✓
+- mailu (run 738): upgrade=pass, backup_restore=skip — correctly classified (baseline corrected per A-regall-1) ✓
+- bluesky-pds (run 753): upgrade=skip (EXPECTED_NA) — correctly classified ✓
+- discourse (run 717): level=4 (lint nit) — correctly classified as GREEN (prevb fix, not a regression) ✓
+
+**No prevb regressions found.** A-regall-2 (plausible) diagnosed as pre-existing recipe bug in 3.0.1+v2.0.0, not cc-ci code regression. Classification table accurate.
+
+**Break-it probes completed:** BP-1 (baseline verified), BP-2 (upgrade-base=main-tip), BP-3 (!testmexyz rejected), BP-4 (dashboard clean), BP-5 (previous/ overlay scoping correct).
+
+**M1 PASS — no VETO.**
+
+### M2: PASS @2026-06-17T03:50Z
+
+**Claim:** Builder `3403309` — no prevb-caused regressions; cc-ci code unchanged from prevb.
+
+**Adversary verification:** M2 trivially satisfied — zero prevb-caused regressions found in the full 21-recipe sweep. The only failure (plausible backup_restore) was diagnosed as a pre-existing recipe bug in 3.0.1+v2.0.0, not caused by prevb changes to the runner. No cc-ci code changes were required.
+
+**M2 PASS — no VETO.**
+
+---
+
+## Orientation @2026-06-17T02:00Z
+
+Phase `regall` bootstrapped by Builder (commit 4d54123, then a54a278). Adversary orientation
+complete. Key facts verified independently:
+
+**Baseline table (STATUS-regall.md) spot-checked:**
+- bluesky-pds baseline L5 (run 556) — EXPECTED_NA upgrade
+- Most recipes L5; discourse L4 (lint nit, accepted)
+- This table sourced from actual run records in /var/lib/cc-ci-runs/ — cold-verified plausible
+
+**Sweep batch 1 IN FLIGHT (as of 2026-06-17T02:10Z):**
+- Drone build 725: matrix-synapse PR#4 → SUCCESS → run 725: level=5, upgrade=pass ✓
+- Drone build 726: drone PR#1 → SUCCESS → run 726: level=5, upgrade=pass ✓
+- Drone build 727: gitea PR#1 → RUNNING (still in progress)
+
+**Post-prevb spot-checks already confirmed (carried from prevb M2):**
+- cryptpad PR#5: upgrade=pass (Adversary-confirmed during prevb M2)
+- keycloak PR#3: upgrade=pass (Adversary-confirmed during prevb M2)
+- hedgedoc PR#1: upgrade=pass (Adversary-confirmed during prevb M2)
+
+**Pre-existing units test failure** (documented pre-prevb, not regall scope):
+- `test_warm_reconcile::test_traefik_spec_is_stateless_with_setup` (KeyError 'health_domain') —
+  flagged in prevb, pre-existing since pxgate phase
+
+**Adversary plan for M1 gate:**
+1. Monitor batch 1-6 as Builder triggers them; spot-re-run a sample independently
+2. Cold-verify the classification table when claimed — confirm claimed flakes really are flaky
+   (by looking at multiple runs) and claimed prevb-causes are real (check base resolution logic)
+3. Run own independent probes: trigger a !testme run on a recipe not in the sweep; check for
+   regressions the Builder might have missed
+
+---
+
+## Adversary findings
+
+(empty — watching batch 1 builds)
+
+---
+
+## Break-it probes log
+
+### Probe BP-regall-1: COMPLETE @2026-06-17T02:05Z — baseline table mostly accurate, one discrepancy
+
+Cold-verified all 20 baseline runs referenced in STATUS-regall.md:
+- All runs 556, 554, 541, 510, 692, 657, 695, 608, 522, 553, 523, 524, 525, 526, 656, 529, 558, 528, 658, 531 confirmed level=5 ✓
+- bluesky-pds (556): upgrade=skip (EXPECTED_NA) ✓ — matches table
+- mailu (526): upgrade=PASS in actual results.json — table says "skip (no deployable base)" — **DISCREPANCY** (see A-regall-1)
+- All other recipes: all rungs match the table ✓
+
+**FINDING A-regall-1 filed** — mailu baseline upgrade rung is "pass" not "skip (no deployable base)".
+
+### Probe BP-regall-2: COMPLETE @2026-06-17T02:10Z — upgrade-base resolution confirmed correct
+
+Cold-read Drone logs for gitea run 727 (batch 1):
+- `upgrade base: kind=ref ref=e6a1cc79e99e (target-branch (main) tip)` — main-tip used as expected ✓
+- No `previous/` overlay applied (gitea has no previous/ dir) ✓
+- deploy message: `base = main-tip/ref e6a1cc79e99e → chaos deploy of the checked-out ref (the PR's true predecessor; not a published pin)` ✓
+- Upgrade sequence: L5, all tiers pass. `test_upgrade_preserves_marker_repo` PASS, `test_lfs_roundtrip` PASS ✓
+- This confirms the prevb dynamic-base resolution is working correctly in the regall sweep.
+
+### Batch 1 cold-verified @2026-06-17T02:10Z — all L5, no regressions
+
+From Drone build API + cc-ci run results.json:
+- **matrix-synapse** (run 725, Drone 725, PR#4): level=5, all rungs pass (upgrade=pass) ✓
+- **drone** (run 726, Drone 726, PR#1): level=5, upgrade=pass, backup_restore=skip (expected) ✓
+- **gitea** (run 727, Drone 727, PR#1): level=5, all rungs pass (upgrade=pass) ✓
+
+No regressions vs baseline in batch 1. Dynamic base resolution confirmed working (kind=ref, main-tip).
+
+### Probe BP-regall-3: COMPLETE @2026-06-17T02:15Z — !testmexyz does NOT trigger CI
+
+Posted comment `!testmexyz` on custom-html PR#2 (comment ID 14613).
+Waited >1 bridge poll cycle (bridge polls every 30s). No new custom-event build appeared.
+Latest build remained 735 (push event from Builder's mailu baseline fix).
+**PASS: !testmexyz correctly rejected by bridge — only exact "!testme" triggers CI.** ✓
+
+### Probe BP-regall-4: COMPLETE @2026-06-17T02:15Z — dashboard secret-clean
+
+Checked /var/lib/cc-ci-reports/*.html and public https://ci.commoninternet.net/ response.
+No credentials, secrets, tokens, or raw passwords visible in HTML output.
+Recipe cards show "✔ no-leak" and "✔ teardown" for all runs. Dashboard shows only: recipe
+name, level badge, build number, ref hash, status pill — no raw secrets visible. ✓
+
+### Batch 2 cold-verified @2026-06-17T02:30Z — all L5, no regressions
+
+From Drone builds API + cc-ci run results:
+- **lasuite-meet** (run 730, Drone 730, PR#7): level=5, all rungs pass (upgrade=pass) ✓
+- **n8n** (run 731, Drone 731, PR#6): level=5, all rungs pass (upgrade=pass) ✓
+- **mumble** (run 732, Drone 732, PR#1): level=5, all rungs pass (upgrade=pass, backup_restore=pass) ✓
+
+No regressions vs baseline in batch 2. Dynamic base continues operating correctly.
+
+### Batch 3 cold-verified @2026-06-17T02:40Z — all L5, no regressions
+
+From Drone builds API + cc-ci run results:
+- **custom-html** (run 737, Drone 737, PR#5): level=5, all rungs pass (upgrade=pass, backup_restore=pass, functional=pass) ✓
+- **mailu** (run 738, Drone 738, PR#4): level=5, upgrade=pass, backup_restore=skip (expected — no backup support), functional=pass, lint=pass ✓
+  - NOTE: upgrade=pass matches corrected baseline (A-regall-1). Regression risk confirmed clear.
+- **mattermost-lts** (run 739, Drone 739, PR#2): level=5, all rungs pass (upgrade=pass, backup_restore=pass) ✓
+
+No regressions vs baseline in batch 3.
+
+### Probe BP-regall-5: COMPLETE @2026-06-17T02:40Z — previous/ overlay NOT applied to non-UPGRADE_BASE_VERSION recipes
+
+Cold-read Drone logs for custom-html (build 737):
+- `upgrade base: kind=ref ref=2b82ebabde74 (target-branch (main) tip)` — main-tip used ✓
+- No `previous/` overlay applied — correct, custom-html has no `UPGRADE_BASE_VERSION` set ✓
+- `base = main-tip/ref 2b82ebabde74 → chaos deploy of the checked-out ref` ✓
+**PASS: prevb previous/ overlay correctly scoped to UPGRADE_BASE_VERSION recipes only.**
+
+### Batch 5 partial-verified @2026-06-17T03:20Z — uptime-kuma/lasuite-drive L5; plausible FAIL (rerun pending)
+
+From Drone builds API + cc-ci run results.json:
+- **uptime-kuma** (run 748, Drone 748, PR#?): level=5, all rungs pass (upgrade=pass, backup_restore=pass) ✓
+- **lasuite-drive** (run 749, Drone 749, PR#?): level=5, all rungs pass (upgrade=pass, backup_restore=pass) ✓
+- **plausible** (run 750, Drone 750, PR#4): level=2, backup_restore=**FAIL** — REGRESSION from baseline L5
+
+**Plausible failure analysis:**
+- Error: `ERROR: relation "ci_marker" does not exist` in `test_restore_returns_state`
+- upgrade line: `version=3.0.1+v2.0.0→3.0.1+v2.0.0` — NO-OP upgrade (base = head version; same)
+- Baseline run 658 used `version=d77adba4698b` (genuine git ref → genuine upgrade)
+- Same failure pattern seen in `m2r-plausible` and `m2rr-plausible` during prevb development
+- Backup test passed (0.134s, checks artifact only — does NOT verify ci_marker content)
+- After restore, `SELECT v FROM ci_marker` fails: relation does not exist
+- Hypothesis A (prevb regression): UPGRADE_BASE_VERSION='3.0.1+v2.0.0' + recipe.yml version='3.0.1+v2.0.0' creates no-op upgrade path that affects backup state
+- Hypothesis B (flake): pre-existing intermittent failure in postgres backup/restore
+- **Rerun 754 also FAILED: same error, same level=2 — reproducible, NOT a flake**
+- **Builder diagnosis (commit a3d115d): pre-existing recipe bug in 3.0.1+v2.0.0, NOT prevb**
+  - `backupbot.backup.path: "/postgres.dump.gz"` → dump in writable layer (not restic volume) → restore can't find dump → ci_marker absent
+  - PR#4 (regall trivial trigger) was a no-op at 3.0.1+v2.0.0, exposing the bug
+  - Run 658 (baseline) tested PR#3 (3.1.0+v2.0.0, fixed backupbot label) — passes because the FIX is there
+- **Builder fix: re-triggered PR#3 (d77adba4698b, 3.1.0+v2.0.0) → Drone 758 → level=5, backup_restore=PASS** ✓
+
+**Adversary cold-verification:**
+- Run 658 version=d77adba4698b ✓ (same ref as PR#3 / run 758)
+- Run 750/754 showed no-op upgrade (3.0.1+v2.0.0→3.0.1+v2.0.0) ✓ (PR#4, broken version)
+- Run 758 version=d77adba4698b, level=5, backup_restore=pass ✓ (PR#3, fixed version)
+- Builder's diagnosis is consistent with all empirical evidence.
+
+**Adversary verdict: classification ACCEPTED — pre-existing recipe bug in 3.0.1+v2.0.0; NOT a prevb regression. Plausible regall result = L5 GREEN via run 758 (PR#3). A-regall-2 CLOSED.**
+
+### Batch 6 cold-verified @2026-06-17T03:25Z — custom-html-tiny/bluesky-pds L5
+
+From Drone builds API + cc-ci run results.json:
+- **custom-html-tiny** (run 752, Drone 752, PR#?): level=5, upgrade=pass, backup_restore=skip (expected) ✓
+- **bluesky-pds** (run 753, Drone 753, PR#3): level=5, upgrade=skip (expected — no deployable upgrade base, moving tag), backup_restore=pass ✓
+
+Bluesky-pds upgrade=skip reason confirms prevb is correctly handling the EXPECTED_NA path (no deployable base). ✓
+
+### Batch 4 cold-verified @2026-06-17T03:00Z — all L5, no regressions
+
+From Drone builds API + cc-ci run results.json:
+- **lasuite-docs** (run 743, Drone 743, PR#6): level=5, all rungs pass (upgrade=pass, backup_restore=pass) ✓
+- **ghost** (run 744, Drone 744, PR#6): level=5, all rungs pass (upgrade=pass, backup_restore=pass) ✓
+- **immich** (run 745, Drone 745, PR#3): level=5, all rungs pass (upgrade=pass, backup_restore=pass) ✓
+
+No regressions vs baseline in batch 4. Sweep progress: 16/21 recipes GREEN.

machine-docs/REVIEW-samever.md

@@ -0,0 +1,160 @@
+# REVIEW — phase `samever` (Adversary writes here)
+
+**Phase:** samever — step back to older base when canonical == head version (no same-version upgrade)
+**SSOT:** `/srv/cc-ci/cc-ci-plan/plan-phase-samever-older-base-fallback.md`
+**Adversary loop started:** 2026-06-17T04:09Z
+**Adversary clone:** /srv/cc-ci/cc-ci-adv
+
+---
+
+## Gate verdicts
+
+### M2: PASS @2026-06-17T05:04Z
+
+Proven in real CI. Cold-read the Builder's preserved logs AND — the strongest check — **independently
+reproduced the headline from my OWN fresh clone** on cc-ci (`git clone … /root/adv-verify` @ 96c4ad9,
+NOT the Builder's `/root/samever-deploy`), so the step-back is not an artifact of the Builder's tree.
+
+**Independent reproduction (my clone, my runs `/root/adv-runA.log`,`/root/adv-runB.log`):**
+- Run A (canonical cleared): `upgrade base: kind=skip SKIP: head == main tip` → promotes
+  canonical→`1.13.0+1.31.1`.
+- Run B (canonical==head==`1.13.0+1.31.1`): **STEP-BACK** —
+  `kind=version version=1.11.0+1.29.0 (step-back: last-green canonical (1.13.0+1.31.1) == head version
+  1.13.0+1.31.1; newest older published base)` then `upgrade→PR-head: … version=1.11.0+1.29.0→
+  1.13.0+1.31.1`. **All 5 tiers pass.** base `1.11.0` < head `1.13.0` — a REAL delta, not a no-op,
+  not a skip. ✓
+
+**Cold-read of Builder's 5 runs (corroborates, all consistent with verified resolver logic):**
+1. Headline runA/runB — identical to my independent repro above. F1d-2 confirmed: base tier
+   prepulled `nginx:1.29.0` (pinned `1.11.0+1.29.0`), upgrade tier prepulled `nginx:1.31.1`
+   (head `1.13.0+1.31.1`) — **distinct images ⇒ the older base really deployed pinned, not LATEST.**
+2. **Version-bump UNAFFECTED (runC):** canonical re-seeded to OLDER `1.11.0+1.29.0` → reason
+   **`"last-green"` NOT `"step-back"`** (the unchanged prevb path); upgrade `1.11.0→1.13.0` green.
+   Corroborates my M1 direct probe (canonical≠head → last-green, `recipe_tags` not consulted).
+3. **PR form (runD, ref=2b82ebab pr=999):** step-back STILL triggers with a PR head ref present
+   (ref does not suppress it); upgrade green. ✓
+4. **discourse #4 UNAFFECTED (disc4, REF=ae5a8180):** `kind=ref ref=f87c612d71b4 (target-branch
+   (main) tip)` — discourse is non-enrolled so the resolver never enters the canonical branch;
+   migration `0.8.1+3.5.0→1.0.0+3.5.3` green, `test_head_runs_official_image_not_bitnamilegacy` +
+   `test_sidekiq_service_dropped_by_head` PASSED. The official-image migration is untouched. ✓
+5. **Spot-check hedgedoc:** `kind=version version=3.0.9+1.10.7 (step-back: … canonical (3.0.10+1.10.8)
+   == head 3.0.10+1.10.8 …)`, upgrade `3.0.9→3.0.10` green. I independently confirmed via
+   `newest_older_version` that `3.0.9+1.10.7` IS the newest-older for hedgedoc's tag-set ⇒ step-back
+   generalizes to a different recipe + ordering. ✓
+
+**Teeth:** in both my Run B and the Builder's, base version `1.11.0+1.29.0` is strictly `<` head
+`1.13.0+1.31.1`; a same-version no-op would log `…→1.13.0+1.31.1` from `1.13.0+1.31.1` (it does not),
+a needless skip would log `kind=skip` (it does not). Distinct base/head app images seal it.
+
+**Hygiene (cold-checked):** canonical restored to legit `1.13.0+1.31.1` (byte-diff vs pre-verify
+snapshot = unchanged); no leftover custom-html run stacks (clean teardown); hedgedoc hand-seed
+removed (no `/var/lib/ci-warm/hedgedoc`); pre-existing `warm-keycloak` orphan untouched (not samever).
+My own verify clone/script removed afterward.
+
+Verdict: **M2 PASS.** Resolver steps back to a genuinely older base in real CI (headline reproduced
+from my own clone), version-bump path + discourse #4 demonstrably unaffected, generalizes to a 2nd
+recipe, teeth hold, clean teardown. (Consulted JOURNAL only after writing this verdict.)
+
+**Both M1 + M2 are fresh Adversary PASSes. No VETO. The Builder is cleared to write `## DONE` to
+STATUS-samever.md per the §6.1 handshake.**
+
+### M1: PASS @2026-06-17T04:27Z
+
+Cold-verified from own clone `/srv/cc-ci/cc-ci-adv` @ b29bb3f (claim c5a0d20). Implemented + unit-tested
+gate. Independent (not trusting Builder's tests) — re-ran the suite AND wrote my own break-it probes.
+
+**Evidence:**
+1. **Unit suite cold:** `pytest tests/unit/test_upgrade_base.py -v` → **13 passed** (8 prior unchanged
+   + 5 new). The 8 prior (override / EXPECTED_NA / main-tip / head==main-tip skip / no-predecessor /
+   other-rung) still green ⇒ override/ref/skip paths untouched.
+2. **My own primitive probes** (direct import, adversarial inputs):
+   - `newest_older_version` strictly-older semantics: suffix tags (`-rootless`) ordered correctly;
+     head-version BETWEEN tags → newest strictly older; **equal-key tag EXCLUDED** (1.0.0+3.5.3 vs
+     1.0.0+3.5.3 → None); head-is-oldest → None; None/empty safe; recipe-major ordering beats app
+     (9.9.9+99.0.0 < 10.0.0+1.0.0). ✓
+   - `_VERSION_LABEL_RE`: parses quoted, unquoted, single-quoted labels; **`.chaos-version` → None**
+     (not matched); chaos-then-real picks the real label. ✓
+3. **My own resolver-chain probes** (monkeypatched canonical + recipe_tags, direct `resolve_upgrade_base`):
+   - **canonical==head (TEETH):** `10.8.0+26.6.3` → base `10.7.1+26.6.2`, `kind=version`,
+     `reason="step-back: …"`; asserted `version != head` AND `version_key(base) < version_key(head)`.
+     **Never a same-version no-op; strictly older.** ✓
+   - **canonical≠head (version-bump path):** uses canonical unchanged AND `recipe_tags` is NOT consulted
+     (patched it to raise — no raise) ⇒ discourse #4 / version-bump PRs cannot be perturbed by this gate. ✓
+   - **canonical==head, no older tag:** `kind=skip`, reason `"base == head (…) and no older published
+     predecessor"` ⇒ declared, not silent. ✓
+   - **head_version=None (compose unreadable):** canonical stays primary (prevb behavior preserved). ✓
+4. **sort_versions refactor behavior-preserving:** `version_key` lifted verbatim from the old inline
+   key; `test_warm_reconcile.py` version-ordering tests pass (8 passed; single failure unrelated).
+5. **Pre-existing failures disclosed honestly:** `test_meta::test_generated_doc_table_in_sync` and
+   `test_warm_reconcile::test_traefik_spec_is_stateless_with_setup` FAIL on **parent 279d84d** too
+   (re-ran in a temp worktree — both fail there); samever diff touches neither SPECS nor the doc table.
+   Out of scope, NOT a regression.
+
+**F1d-2:** step-back returns `kind="version"` ⇒ inherits the same pinned-tag deploy path as any
+canonical base (no new deploy code) — the on-disk tree is checked out at the pinned older tag. This is
+an M1 (unit) claim; the REAL pinned-deploy proof belongs to **M2** (live CI, evidenced base<head delta).
+
+Verdict: **M1 PASS.** Implementation matches plan §2 chain exactly; teeth hold; no regression to
+override/ref/skip/version-bump paths. (Consulted JOURNAL only after writing this — did not need it.)
+
+---
+
+## Orientation @2026-06-17T04:09Z
+
+Phase `samever` plan created 2026-06-17T03:56Z. Builder has not yet started (no STATUS-samever.md).
+
+**Root cause confirmed (cold-read of resolver, lines 133–148 of run_recipe_ci.py):**
+```python
+rec = canonical.read_registry(recipe)
+if rec and rec.get("version"):
+    return BasePlan(
+        "version",
+        rec["version"],
+        None,
+        f"last-green (warm canonical, status={rec.get('status')})",
+    )
+```
+The warm-canonical path returns `canonical["version"]` WITHOUT checking if it equals the head version.
+The resolver is not passed the head's semantic version (only `head_ref`, a commit sha), so it cannot compare.
+
+**Current unit tests (8 tests in tests/unit/test_upgrade_base.py) — none cover canonical==head:**
+- test_upgrade_not_in_stages_skip
+- test_expected_na_upgrade_skip_even_with_canonical_and_override
+- test_explicit_override_wins_over_canonical
+- test_last_green_warm_canonical_is_primary  ← uses canonical["version"]="0.6.0+3.1.1", HEAD="aaaa1111head" (different version — correct but doesn't test the same-version edge)
+- test_main_tip_fallback_when_no_last_green
+- test_head_equals_main_tip_skip
+- test_no_canonical_no_main_skip
+- test_expected_na_other_rung_does_not_suppress_upgrade
+
+**Key utilities available for the fix:**
+- `warm_reconcile.recipe_tags(recipe)` — returns all git tags from recipe clone
+- `warm_reconcile.sort_versions(tags)` — ascending sort of version tags (coop-cloud semver)
+- `warm_reconcile.latest_version(tags)` — the newest tag
+- Head version read from compose.yml: `coop-cloud.${STACK_NAME}.version` label at `abra.recipe_dir(recipe)/compose.yml` (head checkout already at that path when resolver runs)
+
+**M1 verification plan (what I'll cold-verify when claimed):**
+1. Resolver reads head version from compose.yml (inspect the parsing — look for compose YAML read + `coop-cloud.*version` label extraction)
+2. New chain: override → (canonical if canonical≠head_version) → (newest older published if canonical==head_version) → main-tip → skip
+3. Unit tests added: at minimum canonical==head→step_back, canonical≠head→unchanged, no_older_published→skip, version ordering correct
+4. Run `python -m pytest tests/unit/test_upgrade_base.py -v` cold from own clone
+5. Confirm OVERRIDE, EXPECTED_NA, main-tip, skip paths are untouched (regression: existing 8 tests still pass)
+6. Teeth check: a "broken base" scenario should still fail (unit test or from plan F1d-2 evidence)
+
+**M2 verification plan:**
+1. Cold-on-latest run on an enrolled recipe whose canonical == latest (seed the canonical to latest, then trigger cold run)
+2. Evidence in logs: `base_version < head_version` (not a no-op, not a skip)
+3. Re-run discourse #4 or equivalent version-bump PR → UNAFFECTED (canonical→head path still uses canonical)
+4. Spot-check ≥1 other recipe
+
+---
+
+## Adversary findings
+
+(empty — phase not yet started)
+
+---
+
+## Break-it probes log
+
+(none yet)

machine-docs/REVIEW-settings.md

@@ -0,0 +1,118 @@
+# REVIEW — phase `settings` (Adversary)
+
+SSOT: /srv/cc-ci/cc-ci-plan/plan-phase-settings-ci-server-config.md
+Gates: M1 (loader + flag + release-tag-first fallback, unit-tested) · M2 (verified live on server)
+
+Status: **awaiting Builder bootstrap.** No `STATUS-settings.md` / claim yet as of 2026-06-17T16:45Z.
+`dash` phase is DONE (M1+M2 PASS, commit 7507cf4) — this is the next phase.
+
+## Baseline captured (pre-change, for the "false = byte-for-byte unchanged" guardrail)
+
+Cold-read of the code I'll be verifying against (no anchoring — code + plan only):
+
+- `resolve_upgrade_base` is in `runner/run_recipe_ci.py:112`. Current no-canonical chain:
+  `canonical(version, w/ samever step-back) → main-tip (recipe_branch_commit "main") → skip`.
+  The plan (§2.C) inserts **newest release tag < head** BEFORE main-tip on every no-canonical path.
+- The samever helper to reuse: `warm_reconcile.newest_older_version(tags, version)`
+  (`runner/warm_reconcile.py:161`) — newest version-tag strictly older than `version`, keyed on
+  `version_key`. The fallback MUST reuse this (no divergent version ordering) per §2.C / M1.
+- `recipe_tags(recipe)` = `git -C <recipe_dir> tag` (`warm_reconcile.py:267`) — tag source.
+- NO existing TOML config module today: CI-server config is scattered `os.environ.get(...)`
+  (`CCCI_*`, `ABRA_DIR`, `MAX_TESTS`, etc.). No `settings.toml` tracked. So a NEW minimal loader is
+  justified (verify: minimal, extensible, stdlib `tomllib` only, defaults baked in, graceful on
+  absent/malformed file/unknown key).
+
+## Verification checklist I will run when M1 is CLAIMED
+- [ ] Default is `false` → this server's upgrade-base resolution byte-for-byte unchanged.
+- [ ] flag false + canonical present → canonical (unchanged).
+- [ ] flag false + NO canonical → **newest release tag < head** (NOT main-tip).
+- [ ] no canonical AND no older release tag → main-tip.
+- [ ] none → skip.
+- [ ] flag true → canonical lookup BYPASSED → same release-tag-first fallback.
+- [ ] absent file / absent key → default false; malformed file → no crash, clear handling.
+- [ ] fallback REUSES `samever`'s helper (no parallel version-ordering impl).
+- [ ] scope narrow: promotion + `--quick` warm-reattach UNTOUCHED by the flag.
+- [ ] loader cannot crash the harness on a bad/absent file.
+
+## Verdicts
+
+### M1: PASS @2026-06-17T17:00Z (claim fed2678 / code cd19c1b) — cold-verified
+
+Verified from my own clone, fresh shell, against plan §2/§3/§5 + the code — not the Builder's
+narrative. Read JOURNAL only AFTER writing this verdict (contextualization only).
+
+**Tests (re-run cold):**
+- `test_upgrade_base.py` + `test_settings.py` → **32 passed**.
+- Full unit suite → **315 passed** (no regression).
+- ruff check → `All checks passed!`; ruff format → `4 files already formatted`.
+
+**Independent probes (I patched the I/O boundaries myself — did NOT rely on Builder's fixtures):**
+- *Loader* (real TOML files written to /tmp): absent/empty/absent-key → `False`; `true`→True,
+  `false`→False; malformed TOML → WARN + `False` (no crash); string value → `TypeError` (clear msg);
+  **int `1` for bool → TypeError** (no silent truthy coercion — good); unknown key + unknown table →
+  warn-and-ignore, valid key still honored; `[upgrade]` as scalar → warn + defaults. `$CCCI_SETTINGS`
+  path override honored. Real `get()` with no `/etc/cc-ci/settings.toml` (absent on host) → `False`.
+- *Resolver matrix* (my own monkeypatch of canonical/recipe_tags/main/flag):
+  - false + canonical(≠head) → canonical **unchanged**; tags & main provably NOT consulted (raised if so).
+  - false + no canonical → **newest release tag < head** (`10.7.1+26.6.2`), main NOT consulted.
+  - false + no canonical + only-head tag → main-tip. false + nothing → skip.
+  - **true + canonical present → BYPASS → release tag `10.7.1`, NOT canonical `10.5.0`.**
+  - true + canonical + no older tag → routes full chain → main-tip.
+
+**Guardrails checked:**
+- *Default false / no-op for the default path:* canonical-present resolution (this server's steady
+  state) is byte-for-byte unchanged — proven by the probe that asserts tags/main are never consulted.
+  NOTE: the no-canonical fallback IS intentionally changed even under false (release-tag-first), per
+  plan §2.C "always-on … improves this server too" and M1's mandated test
+  `…prefers_release_tag_over_main_tip`. That is the spec, not a regression — it only fires for recipes
+  with no canonical (un-promoted), giving a real release base instead of a WIP main-tip.
+- *Reuses samever helper:* fallback calls `warm_reconcile.newest_older_version(recipe_tags(r), head)`
+  — the SAME single-source ordering helper as the step-back. No divergent version ordering.
+- *Narrow scope:* `skip_canonicals` is read ONLY at `run_recipe_ci.py:154` in `resolve_upgrade_base`.
+  `promote_canonical` / `should_promote_canonical` / `--quick` (951/965/1102) do not touch it.
+- *Stdlib only:* loader imports `os, sys, tomllib, dataclasses` — no third-party.
+- *No secrets:* `settings.toml.example` is config + docs only, default `false`, explicit "NO SECRETS".
+- *Cannot crash harness:* any bad/absent file degrades to defaults (WARN); only a present wrong-TYPE
+  value raises (loud, intended).
+
+No defects. No VETO. M1 cold-PASS. → M2 (live server) may be claimed.
+
+### M2: PASS @2026-06-17T17:35Z (claim a9ff941 / deployed /etc/cc-ci @99d6bbc) — cold live-verified
+
+Verified live on `cc-ci` from a fresh ssh, against plan §3-M2 / §5. I gathered the raw facts FIRST
+(predicted the outcomes), then ran the real deployed resolver myself, and controlled the scratch file
+so I own the restore.
+
+**Deployment integrity:** deployed `/etc/cc-ci` HEAD = `99d6bbc` (on origin/main); `git diff cd19c1b
+99d6bbc -- runner/` is **EMPTY** — the deployed runner logic is byte-identical to the code I
+cold-PASSed at M1. Only docs + `scripts/show-upgrade-base.py` were added. The probe is faithful: it
+calls the real `run_recipe_ci.resolve_upgrade_base` with live registry / live tags / live head version
+(read the script — no mock).
+
+**Raw facts I confirmed independently before running the probe:**
+- `/etc/cc-ci/settings.toml` ABSENT (steady state → default false).
+- keycloak: NO `/var/lib/ci-warm/keycloak/canonical.json`; tags include `10.7.1+26.6.2` and head
+  `10.8.0+26.6.3` → newest tag < head = `10.7.1+26.6.2`.
+- gitea: canonical `3.5.3+1.24.2-rootless` (status idle); head `3.6.0+1.24.2-rootless`; newest tag <
+  head = `3.5.3`.
+
+**Live probe (I ran it myself, all from the real `/etc/cc-ci/settings.toml` DEFAULT_PATH, NOT env):**
+- CASE 1 (file absent → false):
+  - keycloak (no canonical) → `version 10.7.1+26.6.2`, reason `no-canonical fallback: newest release
+    tag older than head 10.8.0+26.6.3` — a real published predecessor, **NOT main-tip**. ✓ (a)
+  - gitea (canonical present) → `version 3.5.3+1.24.2-rootless`, reason `last-green (warm canonical,
+    status=idle)` — canonical USED, unchanged. ✓ (server default path byte-for-byte unchanged)
+- CASE 2 (scratch file → true):
+  - flag reads **True from /etc/cc-ci/settings.toml** → gitea's canonical 3.5.3 is BYPASSED: reason
+    flips to `no-canonical fallback: newest release tag older than head 3.6.0+1.24.2-rootless`
+    (resolves to release tag, not the canonical lookup). The reason change is the proof of bypass. ✓ (b)
+  - keycloak → unchanged (no canonical either way).
+- RESTORE (I removed the scratch file): gitea reason back to `last-green (warm canonical, status=idle)`,
+  flag `False`. Server left in steady state: `/etc/cc-ci/settings.toml` ABSENT, checkout clean @99d6bbc.
+
+**Harness file-pickup proven:** the live flag value flipped `False → True → False` purely from the
+presence/absence of the real host file `/etc/cc-ci/settings.toml` — the M2 "harness picks up the file"
+requirement, demonstrated on the actual deployed path (not `$CCCI_SETTINGS`).
+
+No defects. No VETO. **M2 cold live-PASS. Both M1 + M2 have fresh Adversary PASSes — Builder cleared
+to write `## DONE`.**

machine-docs/REVIEW-shot.md

@@ -0,0 +1,184 @@
+# REVIEW-shot.md — Adversary verdicts, phase `shot` (recipe screenshot audit & repair)
+
+Owner: Adversary loop. Append-only verdict log. Gates: M1 (audit+diagnosis), M2 (all working).
+SSOT: `/srv/cc-ci/cc-ci-plan/plan-phase-shot-screenshots.md`.
+
+No gate CLAIMED yet (phase just opened; Builder has not bootstrapped STATUS-shot.md). Doing
+independent cold ground-truth prep below so M1/M2 cold-verify is fast and un-anchored.
+
+---
+
+## Independent cold pre-audit (Adversary, @2026-06-11T01:20Z)
+
+Method: ssh cc-ci, scanned `/var/lib/cc-ci-runs/*/results.json` for recipe + `screenshot` field +
+on-disk `screenshot.png` size; scp'd suspect PNGs locally and **looked at them** (Read tool).
+This is MY ground truth, formed before any Builder claim — to compare against the Builder's matrix.
+
+PNG sizes from latest representative runs (m2r-* sweep + numbered drone runs):
+
+| recipe | PNG bytes | my visual read | class |
+|---|---|---|---|
+| immich | 4801 | pure blank white frame | **BLANK** |
+| n8n | 4801 | blank near-white frame | **BLANK** |
+| lasuite-meet | 4801 | (size-identical to immich/n8n 4801B — blank tell) | BLANK (to confirm visually) |
+| cryptpad | 4802 | blank light-grey frame | **BLANK** |
+| keycloak | 8764 | spinner + "Loading the Administration Console" — paint-race loading state, NOT a real login form | **BLANK/LOADING** (not the "genuine sparse login" §2 guessed) |
+| lasuite-docs | 6022 | bare spinner on white | **BLANK/LOADING** |
+| lasuite-drive | ~5.9K | (size sibling of lasuite-docs — likely same spinner) | BLANK (to confirm) |
+| plausible | null / NO PNG | every run null (122→357 incl. 357); run dir has no screenshot.png; capture stdout not in run dir (goes to Drone build log) — root cause still to trace | **NULL** |
+| ghost | 444183 | (reference healthy, §2) | OK (visual-confirm at M2) |
+| mattermost-lts | 242139 | reference healthy | OK |
+| hedgedoc | 131967 | reference healthy | OK |
+| discourse | 66-67K | reference healthy | OK |
+| custom-html | 35707 | reference healthy | OK |
+| mailu | 33800 | reference healthy | OK |
+| matrix-synapse | 33296 | reference healthy | OK |
+| uptime-kuma | 30858 | reference healthy | OK |
+| custom-html-tiny | 12950 | reference healthy | OK |
+| mumble | 7913 | voice server — web-UI N/A candidate (confirm) | N/A? |
+
+Confirmed defect classes match the orchestrator pre-audit (§2): SPA paint-race (domcontentloaded
+fires before JS paints) → immich/n8n/cryptpad fully blank, keycloak/lasuite-docs/-drive caught at
+loading spinner; plausible never captures (null on every run). **The 4801B byte-identical size is a
+reliable blank-frame fingerprint.**
+
+Open items I must still resolve when verifying:
+- plausible NULL root cause — need the Drone build log for a plausible run (capture stdout: "capture
+  failed" vs "produced no file" vs step never reached). Run dir alone doesn't have it.
+- lasuite-meet / lasuite-drive / mumble — visual confirm.
+- Authoritative enrolled-recipe set: every `tests/<recipe>/recipe_meta.py` minus fixtures
+  (`_generic`, `regression`, `concurrency`, `custom-html-bkp-bad`, `custom-html-rst-bad`).
+
+No verdict yet. Awaiting `claim(shot): M1`.
+
+---
+
+## M1: PASS @2026-06-11T01:38Z  (audit + diagnosis complete)
+
+Claim: `claim(shot): M1` commit e005897; matrix+diagnoses at 8978fa6. STATUS-shot.md "M1 claim".
+Verified COLD from my own clone + ssh cc-ci, **without reading JOURNAL-shot.md** (anti-anchoring).
+My independent pre-audit (commit 4f3a747, formed BEFORE reading the Builder's matrix) already
+agreed on every BLANK/LOADING/NULL read I had pre-formed — no anchoring.
+
+**Enrolled set — complete, no omissions.** `ls tests/*/recipe_meta.py` = 21. Minus the two harness
+canaries `custom-html-bkp-bad`, `custom-html-rst-bad` (plan §2 explicitly excludes both) = **19**.
+The 19 matrix rows are *exactly* that set (diffed by hand) and exactly the plan §2 expected set.
+`_generic`/`regression`/`concurrency`/`unit` have no recipe_meta.py → correctly absent. ✓
+
+**Every non-OK row has evidence-backed root cause (independently re-derived):**
+- plausible NULL — ran the Builder's drone-log command myself: build 357 step log shows
+  `capture failed … page.goto(https://plau-…/) never returned a status in (200,301,302,303,401,403)
+  after 15 attempts (45s); last status=500`. `/` 500s by design (DISABLE_AUTH) → default landing
+  capture can never succeed; needs a SCREENSHOT hook to a rendering path. Confirmed. ✓
+- bluesky-pds NULL — capture is `if deploy_ok:`-gated, OUTSIDE the deploy try/except
+  (runner/run_recipe_ci.py:1024, read it). install=fail level=0 → capture correctly skipped. Not a
+  screenshot defect; upstream image breakage already in DEFERRED.md (rcust). ✓
+- BLANK/LOADING — screenshot.py:84-93 navigates `wait_until="domcontentloaded"` then screenshots
+  immediately, no paint wait; accept_statuses excludes 500 (plausible mechanism). Read the code. ✓
+- mumble NOT N/A — tests/mumble/recipe_meta.py header: deploys `compose.mumbleweb.yml`, a mumble-web
+  HTTP client routed through Traefik, HEALTH_PATH "/". A real web surface IS served → correctly the
+  HARDER (non-N/A) call. ✓
+
+**Independent visual spot-checks (Read tool) — 11 artifacts, matrix matched reality on every one:**
+immich 4801B = pure white; n8n 4801B = blank; cryptpad 4802B = blank grey; lasuite-meet 4801B =
+pure white; keycloak 8764B = "Loading the Administration Console" spinner (NOT a real login — the
+§2 "might be a genuine login" guess was wrong, Builder classed it LOADING correctly); lasuite-docs
+6022B = bare spinner; mumble 7913B = spinner ring on grey; mattermost-lts 242139B = blue brand
+splash + logo, NO login form (correctly LOADING despite large size — size alone is NOT a sufficient
+signal, good catch); n8n run 197 30256B = real "Set up owner account" form, empty fields,
+credential-free (flaky-pass + secret-safe, confirmed); custom-html 35707B = genuine "Welcome to
+nginx!" (honest fresh-install view for a bare static host — OK); plausible = NULL via drone log.
+Includes plausible ✓ and multiple 4801B cases ✓ (M1 minimum was ≥5 incl. those — exceeded).
+
+**N/A arguments — agreed:**
+- bluesky-pds → justified N/A (deploy-gated: can't screenshot what can't deploy; upstream breakage
+  is pre-existing/DEFERRED, not a screenshot defect). Agreed, contingent on the upstream image still
+  being broken at M2 — if it becomes deployable, it re-enters as a real recipe.
+- mumble → NOT N/A. Agreed (real mumble-web surface, evidence above).
+
+No omissions, no fabricated visual reads, diagnoses are causal not symptomatic. **M1 PASS.**
+
+Watch-list for M2 (so the Builder has it early — NOT blocking M1):
+1. Harness default-wait fix must stay within NAV_DEADLINE_S=45 / step worst-case ≤~60s and must
+   NEVER affect a verdict on screenshot failure (R7) — I will test the failure path has teeth but
+   no verdict impact, and compare pre/post run durations.
+2. plausible SCREENSHOT hook must land on a credential-free *rendering* path (not /login showing a
+   generated secret; not a 500 page).
+3. mattermost-lts proof: a bigger PNG is NOT acceptance — I will visually confirm the real login,
+   not a brand splash.
+4. Secret-safety: every final PNG must show no generated credentials (install wizards, secrets
+   pages). n8n's "Set up owner account" with EMPTY fields is the safe shape; a pre-filled one is not.
+5. M2 requires ≥2 proof runs via the drone `!testme` path + me Reading *every* final PNG.
+
+Did not read JOURNAL-shot.md before this verdict. No finding filed (audit is accurate). No VETO.
+
+---
+
+## M2: PASS @2026-06-11T07:17:53Z — all screenshots working (cold-verified from scratch)
+
+Verified independently from a cold start (my own clone, my own scp/Read/re-runs; did NOT read
+JOURNAL before this verdict). Claim commit 196156e. Every M2 DoD item checked:
+
+**1. Every final PNG Read (18/18) — real, representative, credential-free.** Pulled each PNG by scp,
+Read it with the image tool, byte-size matched the claim on all 18:
+- Fixed-class (10): immich 234351B "Welcome to Immich" onboarding; plausible 64132B real
+  registration form (EMPTY fields); keycloak 215587B real "Sign in to your account" (EMPTY) — was
+  the 8764B "Loading Admin Console" spinner at M1, settle fix resolved it; cryptpad 57310B real
+  landing + doc-type picker; lasuite-meet 225686B real video-conf landing; lasuite-docs 284769B real
+  Docs landing; lasuite-drive 132037B real "Fichiers" landing; n8n 26433B "Set up owner account"
+  (ALL fields EMPTY — secret-safe, now deterministic); mattermost-lts 178367B **real "Log in to your
+  account" form (EMPTY) — NOT the byte-identical interstitial** (hook v2 click-through works — my
+  sharpest watch-item, resolved); mumble 7980B loader spinner (see §N/A).
+- Healthy-class (8): ghost 444183B blog landing; hedgedoc 131967B landing; discourse 66121B forum +
+  welcome topic; custom-html 35707B "Welcome to nginx!" (honest fresh-install); custom-html-tiny
+  12950B seeded content; mailu 33800B sign-in (EMPTY); matrix-synapse 33296B "It works!"; uptime-kuma
+  30858B "Create your admin account" (EMPTY).
+  Every login/setup form has EMPTY fields — NO generated credential is shown anywhere. Secret-safety
+  cardinal guardrail holds across all 18.
+
+**2. No verdict/level regression.** All 10 proof runs status=pass at their baseline level (immich
+/plausible/keycloak/cryptpad/lasuite-*/n8n/mumble=4, mattermost-lts=2). screenshot field populated
+on every one. no_secret_leak=true on every proof run I sampled (370/371/keycloak/n8n/mattermost
+/mumble).
+
+**3. ≥2 genuine drone `!testme` proofs — confirmed end-to-end, NOT manual.** ccci-bridge_app logs:
+`[poll] triggered build 370 for immich@107d7220 (PR #2, comment 14321) by autonomic-bot` and
+`...build 371 for plausible@13458fac (PR #3, comment 14322)...`, both `reflected outcome ...:
+success`. The bridge polled Gitea, found real !testme comments, triggered the builds, reflected
+verdicts back — the full comment→build path. Drone params {RECIPE,PR,REF,SRC}, event=custom,
+trigger/sender=autonomic-bot — matches the Phase-1c bridge-!testme fingerprint (REVIEW-1c:110).
+
+**4. Durations unaffected (no balloon).** Drone same-recipe pre/post: immich 199s→198s, plausible
+209s→166s (faster — capture no longer burns 45s failing on the 500). Screenshot step wait budget =
+60000ms exactly (unit test_wait_budget_within_step_cap + my own cold probe). ≤~60s holds.
+
+**5. R7 (cosmetics never block) — intact.** Call site run_recipe_ci.py ~1024-1037 is OUTSIDE the
+deploy try/except AND double-wrapped in its own try/except (`_scrub`-bed log) — and git log proves
+NO shot-phase commit touched run_recipe_ci.py (call site unchanged). capture() swallows everything →
+None → placeholder. I cold-probed the new helpers independently: _settle swallows all exceptions,
+_snap keeps the larger frame (A1 fix, 5/5), 60s budget — 9/9+5/5 pass. Screenshot unit suite 12/12
++ card suite 10/10 ran GREEN cold on the real harness (cc-ci-run) from my scp'd clone.
+
+**6. Dashboard/card/badge render — live 200.** GET dashboard / → 200; runs/370+371/screenshot.png →
+200 image/png; badge/immich.svg + badge/plausible.svg → 200 image/svg+xml.
+
+**7. N/A set (19/19 enrolled, no omissions) — AGREED.**
+- bluesky-pds → N/A, re-confirmed at M2 (ab-bluesky-pds-oldmain: install=fail, level=0,
+  screenshot=null → placeholder correct; upstream MODULE_NOT_FOUND still broken, DEFERRED).
+- mumble → N/A-variant, AGREED — **this reverses my M1 "NOT N/A" stance, on NEW evidence not
+  available at M1.** rankenstein/mumble-web:0.5 renders no usable UI for an anonymous browser:
+  connect-dialog DOM genuinely absent (probe4 console: `#connect-dialog_input_address ... did not
+  match any element`), perpetual loading-container spinner at 5/15/30/60/90s (probe2) — corroborated
+  by my own Read of the 7980B spinner PNG. The loader frame is the literal web-surface reality every
+  visitor gets; mumble's actual function (voice) is fully protocol-tested; fix needs a recipe/overlay
+  change (out of scope, guardrail prefers upstream). Documented in DEFERRED with an upstream
+  question. NOTE (not a defect, not a veto): the dashboard shows the honest loader frame rather than
+  the "no screenshot" placeholder — acceptable as a documented, agreed limitation, NOT a healthy-app
+  screenshot.
+
+Finding A1 (blank-retry regression) was filed, fixed (7ad7d1f), and CLOSED after my cold re-test.
+No open findings. No fabricated reads — every matrix/claim value matched what I independently
+observed. **M2 PASS. No VETO.** With M1 PASS (ae10b55) + M2 PASS both fresh and A1 closed, the DoD
+handshake (§6.1) is satisfied — the Builder may write `## DONE` to STATUS-shot.md.
+
+(Consulted no JOURNAL-shot.md before forming this verdict.)