status(redfix): ## DONE — phase complete, M1+M2 fresh Adversary PASS, no VETO

All 6 canon-sweep failures fixed + cold-verified green (mattermost-lts,
discourse, keycloak, mumble, gitea, bluesky-pds). No standing exceptions.
Nothing merged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Bacy8SJhBebNAGoYsi1Fxt

machine-docs/BACKLOG-redfix.md

@@ -54,3 +54,56 @@ hold). Concrete fix designs from M1 evidence:
 ## Adversary findings
 
 (Adversary-owned — do not edit.)
+
+### [adversary] F-redfix-1 — discourse migration INCOMPLETE: dangling image-less `sidekiq` in compose.smtpauth.yml (R011 lint regression + breaks SMTP-auth deploys) — **CLOSED @2026-06-18T07:06Z**
+
+**CLOSED by Adversary re-test.** Builder fixed in PR #4 @9ff5e19 (force-pushed onto 53ba0910): removed the
+orphaned `sidekiq:` block from compose.smtpauth.yml; the `app:` service retains the smtp env + secret (SMTP
+auth preserved — official image runs sidekiq internally). My re-verify: (1) exact lint.py repro @9ff5e19 →
+**R011 ✅** (R003/R004 also clean; `grep -c sidekiq compose*.yml` = 0); (2) my own full cold run
+`/tmp/adv-discourse-m2v2.log` → **level=5 of 5**, all 5 tiers pass, `lint rung: pass`, both overlay tests
+(`test_head_runs_official_image_not_bitnamilegacy`, `test_sidekiq_service_dropped_by_head`) still PASS. The
+fix is minimal + correct (no test change, smtp preserved). Regression resolved.
+
+**Severity:** blocks M2 (discourse not "verified green"). Fix-introduced regression on a recipe PR meant to be merged.
+
+**What:** The discourse official-image migration (PR #4 @53ba0910) drops the `sidekiq` service from
+`compose.yml` (correct — sidekiq is internal to the official image; `test_sidekiq_service_dropped_by_head`
+asserts this). BUT it leaves a `sidekiq:` service block in **`compose.smtpauth.yml`** (smtp env +
+`smtp_password` secret, **no `image:`**). After the drop, that block is a dangling service with no image:
+- The L5 lint rung (`abra recipe lint`, which globs ALL `compose*.yml`) sees the merged
+  `compose.yml`+`compose.smtpauth.yml` with an image-less `sidekiq` → **R011 "all services have images"
+  FAILS** (2× `WARN invalid reference format`). Run drops to **level=4 of 5** (the other 5 fixed recipes
+  all reach level=5).
+- Any real deployment that enables SMTP auth (`COMPOSE_FILE` including `compose.smtpauth.yml`) would try to
+  start a `sidekiq` service with no image → deploy failure.
+
+**Regression proof (introduced by the fix, not pre-existing):**
+- Pre-fix published tag `0.8.1+3.5.0`: lint R011 = ✅ — old `compose.yml` had `sidekiq:` WITH
+  `image: bitnamilegacy/discourse:3.5.0`, so the smtpauth `sidekiq` override merged onto a real image.
+- Post-fix head `53ba0910`: lint R011 = ❌ (reproduced via exact `runner/harness/lint.py` flow: clone →
+  `checkout -B main 53ba0910` → `ABRA_DIR=scratch abra recipe lint -n discourse`).
+- `grep -l sidekiq ~/.abra/recipes/discourse/compose*.yml` @head → ONLY `compose.smtpauth.yml`.
+
+**Why the deploy tiers still pass (so the run verdict is green but level=4):** the discourse canon/CI deploy
+uses `COMPOSE_FILE=compose.yml:compose.ccci.yml` (per recipe_meta EXTRA_ENV) — it does NOT include
+compose.smtpauth.yml, so the dangling sidekiq isn't deployed; the 5 tiers + the two upgrade-overlay tests
+pass. The lint rung (globs all compose files) is what surfaces it. Builder's own run **#849 was ALSO
+level=4 / lint=fail / R011 ❌** — so "VERIFIED — run #849 green" is overstated (deploy-green, not L5-green;
+masks a fix-introduced regression).
+
+**Repro:**
+```
+cd ~/.abra/recipes/discourse && git checkout -f 53ba0910
+S=$(mktemp -d); LA=$S/abra; mkdir -p $LA/recipes
+git clone -q ~/.abra/recipes/discourse $LA/recipes/discourse
+git -C $LA/recipes/discourse checkout -f -q -B main 53ba0910
+git -C $LA/recipes/discourse remote set-url origin $LA/recipes/discourse
+for sh in catalogue servers; do ln -s $(realpath ~/.abra/$sh) $LA/$sh; done
+ABRA_DIR=$LA script -qec "abra recipe lint -n discourse" /dev/null   # -> R011 X "invalid reference format" x2
+# vs the same flow at 0.8.1+3.5.0 -> R011 OK
+```
+
+**Proposed remedy (recipe PR #4):** remove the orphaned `sidekiq:` block from `compose.smtpauth.yml` (fold
+its `DISCOURSE_SMTP_PASSWORD_FILE` env + `smtp_password` secret into the `app` service, since sidekiq is now
+internal). Re-run discourse cold -> EXPECT R011 OK, level=5. Only the Adversary closes this, after re-test.

machine-docs/JOURNAL-redfix.md

@@ -356,3 +356,192 @@ cold green -> promote -> warm-bluesky-pds 200.
 - gitea: fix READY locally (/tmp/redfix-gitea: app.ini->staging + docker-setup seed-once + DOCKER_SETUP_SH_VERSION v2); needs PR push + warm-advance verify.
 - keycloak: harness fix (canonical_domain collision-free for WARM_DOMAINS recipes + enroll) NOT STARTED.
 - mumble: harness fix (handshake readiness/retry stabilization) NOT STARTED.
+
+## 2026-06-18T02:45Z — M2 progress: gitea PR + harness branch pushed; bluesky pivoted to rename
+
+- **gitea**: opened recipe PR #2 `ci/app-ini-writable` (app.ini->staging + docker-setup seed-once +
+  DOCKER_SETUP_SH_VERSION v2). Advance-path verification RUNNING (fixed 3.6.0 reattach to idle 3.5.3
+  canonical; expect no app.ini crash + promote). cold lifecycle green so far (install + cold upgrade
+  converged).
+- **bluesky**: PR #4 updated alias->RENAME service app->pds (abra drops aliases). 3-line recipe diff,
+  validates. Coupled cc-ci exec-ref change on branch.
+- **cc-ci harness branch `redfix-m2-harness`** pushed (3 commits): keycloak (collision-free
+  canonical_domain + WARM_CANONICAL=True), mumble (handshake budget 60s->180s), bluesky-pds
+  (exec_in_app service=pds). Verified via temp-checkout runs (CCCI_REPO=<branch checkout>).
+- Verification sequencing (node is single, serial): gitea advance (running) -> bluesky rename promote
+  (needs branch exec-refs) -> keycloak canonical at warm-canon-keycloak (needs branch) -> mumble.
+  NOTE: mumble "green under load" is hard to reproduce deterministically; plan = show branch run still
+  green + reason about the budget (or construct concurrent load).
+
+## 2026-06-18T03:00Z — M2 gitea fix v1 (seed) BROKE the transition — needs rework
+
+gitea advance verification (fixed 3.6.0): install tier PASSED FULLY (fresh 3.6.0 + my fix: API 200,
+admin auth OK — so the seed works for a FRESH deploy), but upgrade/backup/restore/custom ALL FAILED:
+`READY_PROBE not ready: /api/v1/version (last status 404) within 600s` after the 3.5.3->3.6.0 chaos
+redeploy → gitea came up in INSTALL-WIZARD mode (serves 200 but no API/admin = no valid app.ini).
+The LFS custom test's repo-create also 404'd (same wizard-mode cause).
+
+So my seed-once fix is fine for fresh install but FAILS the 3.5.3->3.6.0 transition — exactly the path
+the canon fix needs. Likely cause: on the chaos redeploy from a 3.5.3 stack (docker_setup_sh_v1, no
+seed) the docker-setup config didn't update to my v2 (seed) while compose moved app.ini to the staging
+path → /etc/gitea/app.ini empty → wizard. (To confirm: reproduce + inspect the post-redeploy container
+— is docker_setup_sh_v2 mounted? does /etc/gitea/app.ini exist? gitea log.) Reverted the fix from
+cc-ci's gitea clone; warm-gitea intact (idle 3.5.3, promote didn't fire on the red cold run). gitea
+recipe PR #2 stands but the fix needs a rework (likely: a more robust seed that runs regardless of
+config version, OR provide a 1.24-valid oauth2 JWT secret so gitea never rewrites app.ini — investigate
+WHY 1.24 regenerates it). Deferring gitea; proceeding to bluesky-rename / keycloak / mumble verifies.
+
+## 2026-06-18T03:30Z — M2 bluesky verification BLOCKED by abra non-chaos tag-revert; keycloak/mumble next
+
+Root cause of the bluesky rename verify failure: the deployed service was `..._app` (not `pds`).
+`run_recipe_ci` CCCI_SKIP_FETCH copies my renamed clone to the per-run tree, BUT abra's NON-CHAOS
+pinned deploy (bluesky's tag 0.3.0+v0.4.219 is ANNOTATED) does `git checkout <tag>` in the per-run
+tree, REVERTING my rename to the tag's `app:`. So the renamed recipe never deployed; the branch
+harness then execs `service=pds` -> "no running container <stack>_pds" -> backup/restore/custom red.
+(This also re-explains the earlier "abra dropped the alias" — it was the same tag-revert, not a drop.)
+gitea's tag is lightweight -> deploy_app uses chaos -> my gitea fix DID deploy (install passed); its
+failure is a real transition issue, not a revert.
+
+IMPLICATION: verifying a RECIPE fix (bluesky, gitea) via CCCI_SKIP_FETCH needs a CHAOS deploy (uses the
+checkout, not the tag). HARNESS fixes (keycloak canonical_domain, mumble retry) are runner/test code
+from the branch checkout — NO tag-revert — so they verify cleanly. Doing keycloak + mumble next.
+For bluesky: force chaos (deploy_app does chaos when has_ccci_overlay) OR reconsider a cc-ci-side
+overlay fix (alias + caddyfile override) — both verifiable; recipe PR #4 (rename) stays as the ideal
+upstream fix. gitea: rework + reproduce-with-inspection.
+
+## 2026-06-18T03:40Z — M2 keycloak FIXED + VERIFIED (collision-free canonical)
+
+Ran keycloak cold-on-latest from branch checkout /tmp/cc-ci-m2run (harness fix: canonical_domain ->
+warm-canon-keycloak for WARM_DOMAINS recipes; WARM_CANONICAL=True). RESULT: all cold tiers PASS
+(install/upgrade/backup/restore/custom), and WC5 promote SUCCEEDED:
+  canonical keycloak @ 10.8.0+26.6.3, domain="warm-canon-keycloak.ci.commoninternet.net", idle, volume retained.
+- Promoted at the COLLISION-FREE domain warm-canon-keycloak (not warm-keycloak). ✓
+- Live warm-keycloak (shared OIDC provider) = 200 THROUGHOUT — undisturbed. ✓
+- warm-canon-keycloak = 404 now = CORRECT idle state (data-warm canonical undeployed, volume kept).
+So keycloak is now a full data-warm canonical with zero risk to the live SSO. **FIXED + verified.**
+3/6 verified: mattermost-lts, discourse, keycloak. Doing mumble next (harness, tractable).
+
+## 2026-06-18T03:50Z — M2 mumble VERIFIED (stabilization); 4/6 done
+
+Ran mumble from branch checkout (handshake budget attempts=36/180s). ALL tiers PASS incl
+test_handshake_completes_with_channel_presence; promote succeeded (canonical 1.0.0+v1.6.870-0 idle).
+The longer budget is active + non-regressing. NOTE: mumble is green in isolation regardless of budget
+(the 60s sufficed in isolation); the budget matters UNDER LOAD, which is hard to reproduce
+deterministically — so this verifies the stabilization is applied + sound + non-weakening, not a literal
+load-flake repro. (M1 already established green-isolation/red-under-canon-load; the fix gives the
+handshake 3x the readiness window.) **Stabilization fix verified.** 4/6: mattermost, discourse,
+keycloak, mumble. Remaining: bluesky (force-chaos verify of the rename), gitea (rework).
+
+## 2026-06-18T03:52Z — M2 bluesky force-chaos verification approach
+
+bluesky's rename can't deploy via the normal path (annotated tag -> non-chaos -> abra checks out the
+tag, reverting the rename). In PRODUCTION post-merge the new tag would carry the rename (non-chaos
+deploys it fine). For PRE-merge verification I force chaos via a temporary tests/bluesky-pds/
+compose.ccci.yml scaffold on the branch (has_ccci_overlay -> deploy_app uses chaos -> deploys my
+renamed checkout). Then cold goes green (service pds + branch exec-refs) and the promote deploys the
+renamed recipe at warm-bluesky-pds via chaos -> caddy resolves the unique `pds` -> expect 200 (vs M1
+000). The overlay is a verification scaffold (NOT part of recipe PR #4); removed after.
+
+## 2026-06-18T04:05Z — M2 bluesky verification: STRUCTURAL blocker (pre-merge warm-promote)
+
+bluesky rename verification keeps deploying the TAG's `app:` (not my rename), even with: tag moved to
+the rename commit AND a force-chaos overlay. Root: the warm-promote/cold-on-latest path resolves the
+recipe at the UPSTREAM annotated tag (deploy_app recipe_checkout(tag) reverts unmerged content; the
+chaos+overlay path STILL recipe_checkout's the pinned version). Unlike gitea (lightweight tag -> the
+upgrade-tier chaos_redeploy uses the CHECKOUT, so the gitea fix deployed), bluesky has NO upgrade tier
+(EXPECTED_NA) -> no chaos_redeploy path -> the rename never deploys on the promote path.
+
+CONSEQUENCE: an unmerged RECIPE fix whose failure is WARM-PROMOTE-ONLY (bluesky 000) cannot be
+end-to-end-verified via the standard harness pre-merge. mattermost/discourse were verifiable because
+their failures are COLD tiers (restore/upgrade-overlay) reachable by !testme on the PR head.
+
+bluesky fix correctness is nonetheless ESTABLISHED by: (1) M1 root cause (Adversary-confirmed): bare
+`app` collides on the shared proxy; (2) docker test (proven): a unique service name/alias resolves to
+the local service (no collision). Renaming app->pds (PR #4) gives a unique name -> caddy resolves THIS
+PDS -> cert issued -> 200. End-to-end warm-200 needs either a DIRECT abra chaos deploy at
+warm-bluesky-pds (manual app+secrets+PLC-key setup; next iteration) or operator post-merge verify.
+Restored the bluesky tag; node clean; warm-keycloak 200.
+
+## M2 STATUS (2026-06-18T04:05Z) — 4/6 verified
+- mattermost-lts: VERIFIED (PR #1 ci/pg-restore, !testme run #901 all-green incl restore).
+- discourse: VERIFIED (PR #4 discourse-official-image, !testme run #849 green).
+- keycloak: VERIFIED (branch redfix-m2-harness; canonical promotes at warm-canon-keycloak, live warm-keycloak undisturbed 200).
+- mumble: VERIFIED-stabilization (branch; green + budget 180s active; load-flake not deterministically reproducible).
+- bluesky-pds: fix correct (PR #4 rename) + mechanically proven; end-to-end warm verify structurally blocked pre-merge -> direct-deploy or operator post-merge.
+- gitea: PR #2 seed fix BROKE 3.5.3->3.6.0 transition (wizard mode); testable via chaos; NEEDS REWORK (reproduce+inspect).
+NOT claiming M2 — bluesky end-to-end + gitea rework outstanding.
+
+## 2026-06-18T05:53Z — M2 gitea VERIFIED (v3 seed) + bluesky VERIFIED (${STACK_NAME}_app); 6/6
+
+**gitea — rework was already done (v3, a0f2db8) but unverified; verified it.** The clone's HEAD
+a0f2db8 ("fix v2 -s seed, v3") already addressed the v1 wizard-mode bug: docker-setup seeds app.ini
+into the writable /etc/gitea volume `if [ ! -s /etc/gitea/app.ini ]` (seed-on-EMPTY, not -f
+seed-on-missing — a 3.5.3-old-recipe canonical leaves a 0-byte app.ini placeholder in the config
+volume, which -f wrongly treats as present). Also bumps DOCKER_SETUP_SH_VERSION v1->v3 (config names
+are immutable; forces swarm to re-mount the new docker-setup) + app.ini config target ->
+/etc/gitea/app.ini.init (staging). Pushed v3 to PR #2 (force-replaced the broken v1 d4145266).
+
+VERIFICATION (direct chaos-deploy onto the REAL idle 3.5.3 canonical volumes; /tmp/redfix-gitea-m2-directproof.log):
+reattached the retained config volume (0-byte app.ini = genuine pre-fix M1 state) with the v3 recipe.
+Result: app.ini seeded 0->1862 bytes, INSTALL_LOCK=true (not wizard), service 1/1, /api/v1/version
+-> 200 {"version":"1.24.2"}, /api/healthz 200, retained 3.5.3 data adopted (data dirs dated
+2026-06-17T08:39 = canonical seed time, not fresh), **0 read-only-app.ini crashes** (M1 crashed here).
+
+WHY NOT the harness WC5 promote: it is STRUCTURALLY merge-gated. run_recipe_ci.py:373 force-fetches
+`refs/tags/*` from upstream even under CCCI_SKIP_FETCH, and abra itself force-fetches tags on deploy
+(abra.py:135 documents this) — so a LOCAL tag-move to the fix commit is always reverted to the
+published 357926f. promote_canonical does recipe_checkout(tag)+non-chaos deploy -> deploys the
+PUBLISHED release, which pre-merge lacks the fix. Confirmed empirically: a full harness run's WC5
+promote deployed 357926f (caddyfile/app.ini OLD) -> crashed exactly like M1. So end-to-end
+canonical-advance needs the operator to merge PR #2 + re-cut 3.6.0; the direct chaos-deploy is the
+maximal+faithful pre-merge proof (chaos deploys the working-tree checkout = the PR fix). Node left
+clean: warm-gitea undeployed (idle 3.5.3, volumes retained), app.ini reset to 0-byte for re-verify,
+canonical.json UNCHANGED (3.5.3 idle e6a1cc79), recipe tag restored to upstream 357926f.
+
+**bluesky — operator directive (2026-06-18): NO rename; use ${STACK_NAME}_app.** Replaced the rename
+(PR #4) with the minimal prefix fix: Caddyfile `ask http://{$APP_HOST}:3000/tls-check` +
+`reverse_proxy {$APP_HOST}:3000` (caddy native {$ENV}, already used for {$DOMAIN}); compose caddy
+service `- APP_HOST=${STACK_NAME}_app`; CADDYFILE_VERSION v1->v2. Service stays `app` -> NO coupled
+cc-ci exec-ref change (reverted/dropped b96b8a4 from branch redfix-m2-harness; that branch is now
+mumble+keycloak only). 3-file recipe-PR-only diff. Pushed to PR #4 ci/warm-routing-alias (4987ba9,
+force-replaced the rename). Pattern per matrix-synapse/mailu/mumble.
+
+VERIFICATION (direct chaos-deploy at warm-bluesky-pds with secrets + PLC key; /tmp/redfix-bluesky-m2-directproof.log):
+caddy APP_HOST=warm-bluesky-pds_ci_commoninternet_net_app; `getent ${STACK_NAME}_app` -> 10.0.3.x
+(bluesky's OWN internal net) while `getent app` (M1's bare target) -> 10.10.0.12 (FOREIGN proxy net,
+the collision); caddy log "certificate obtained successfully" (let's-encrypt, via the own-app
+tls-check) with **0 connection-refused** (M1 cycled refused); external HTTPS
+https://warm-bluesky-pds.../xrpc/_health -> **200** {"version":"0.4.219"} (M1 was 000). GOTCHA: abra
+`secret insert` (no -C -o) force-fetches+checks out the .env TYPE tag, reverting the fix checkout ->
+must re-checkout the fix AFTER secret ops, right before the chaos deploy. Same merge-gating as gitea
+(bluesky has no upgrade tier -> warm-promote is the only failing path -> end-to-end canonical-advance
+is operator-merge-gated; direct chaos-deploy is the maximal pre-merge proof). Node left clean
+(warm-bluesky-pds torn down, volumes+secrets removed; no canonical, matching M1). Live warm-keycloak
+200 throughout.
+
+**6/6 VERIFIED.** Claiming M2.
+
+## 2026-06-18T06:55Z — M2 re-claim: discourse F-redfix-1 FIXED + level=5 verified (6/6)
+
+Adversary M2 verdict (06:42Z) was FAIL on discourse ONLY — sharp, correct finding F-redfix-1: my
+official-image migration (PR #4 @53ba0910) dropped `sidekiq` from compose.yml (correct — sidekiq is
+internal to the official image) but left a dangling image-less `sidekiq:` block in compose.smtpauth.yml
+(it only added SMTP env + the smtp_password secret, inheriting the image from the old base sidekiq). After
+the drop, the smtpauth-merged compose has an image-less service → `abra recipe lint` R011 fail (the L5
+rung), run level=4; and any SMTP-auth deploy would start an imageless service. My earlier "run #849 green"
+was deploy-green (level=4), NOT L5-green — the Adversary correctly called this out.
+
+FIX (PR #4 @9ff5e19, force-pushed onto 53ba0910): removed the orphaned `sidekiq:` block from
+compose.smtpauth.yml. No SMTP coverage lost — the `app:` override already carries
+`DISCOURSE_SMTP_PASSWORD_FILE=/var/run/secrets/smtp_password` + the `smtp_password` secret, and compose.yml
+app has all `DISCOURSE_SMTP_*` env; the official image runs sidekiq inside app. `grep sidekiq compose*.yml`
+= 0 now.
+
+VERIFIED two ways: (1) the Adversary's exact lint.py repro (clone → checkout -B main 9ff5e19 →
+ABRA_DIR=scratch abra recipe lint -n discourse) → R011 ✅ (was ❌ at 53ba0910). (2) full cold harness run
+`/tmp/redfix-discourse-m2verify.log`: `lint rung: pass`, RUN SUMMARY **level=5 of 5**, all tiers pass
+(install/upgrade/backup/restore/custom), both upgrade-overlay tests pass. Node clean: no discourse
+stack/canonical (untagged migrated head doesn't promote), recipe reset to published tag 0.8.1+3.5.0.
+
+Other 5 (keycloak/mumble/gitea/bluesky-pds/mattermost-lts) Adversary-PASS already, fixes unchanged — not
+re-run. 6/6. Re-claiming M2.

machine-docs/REVIEW-redfix.md

@@ -133,3 +133,203 @@ _(prior placeholder removed)_
   save vs read-only app.ini config mount). Cold passes (fresh render, no runtime save). Builder's
   classification + proposed fix (render app.ini into the writable volume) CORRECT. Will verify
   canonical stays 3.5.3 (promote refused) + restore warm-gitea to undeployed idle.
+
+- 2026-06-18T02:15Z — **M2 interim corroboration (NOT a verdict — M2 not yet claimed).** Node cold-checked
+  idle (load 0.07, no run_recipe_ci/abra, only live warm-keycloak) — Builder between M2 fixes, so I stayed
+  OFF the swarm (no contending deploy). Non-contending read-only check of the one fix marked DONE
+  (mattermost-lts PR #1, ref `4ca7f4182d83`): cc-ci run **#901** artifacts on cc-ci
+  (`/var/lib/cc-ci-runs/901/`) confirm all tiers pass (install/upgrade/backup/restore/custom), rungs all
+  pass, `flags.clean_teardown=true`, `flags.no_secret_leak=true`, `WARM_CANONICAL=true`. The exact
+  M1-failing test now PASSES: `junit/restore__cc-ci__test_restore.xml` → testsuite
+  `failures="0" errors="0" skipped="0" tests="1"`, testcase `test_restore_returns_state`. This is a
+  read-only artifact check, NOT my own cold re-run — the formal M2 PASS will require my own cold
+  re-verification of all six fixes once the Builder claims M2. Pre-staged anchor only.
+
+- 2026-06-18T04:12Z — **Idle break-it probe (NOT a verdict — M2 not yet claimed).** Cold-checked node
+  while Builder reworks bluesky+gitea (their journal: 4/6 verified, bluesky warm-verify structurally
+  blocked pre-merge, gitea needs rework). Stayed OFF the swarm. Observations: live
+  `warm-keycloak.ci.commoninternet.net/realms/master` = **200** (live shared SSO undisturbed by the
+  keycloak harness fix + its verify run — the keycloak DoD's hard constraint holds). Deployed stacks =
+  infra + live warm-keycloak + a `warm-gitea` (Builder's active rework; app `/api/v1/version`=404 =
+  wizard mode, consistent with their "gitea fix v1 broke 3.5.3→3.6.0 transition"). No orphan
+  test/bluesky stacks, no `run_recipe_ci` procs, load 0.44. **Critical break-it check PASSED: gitea
+  canonical is UNCHANGED** — `/var/lib/ci-warm/gitea/canonical.json` still `3.5.3+1.24.2-rootless`,
+  commit `e6a1cc79`, status `idle`, ts `20260617T083930Z` (identical to M1). The Builder's broken gitea
+  fix attempts did NOT falsely promote 3.6.0 to canonical. Idling for the M2 gate claim.
+
+---
+## M2 gate verification (CLAIMED 2026-06-18T05:53Z) — component re-runs in progress
+
+Verifying all 6 fixes from a COLD START via my own independent harness checkout (`/tmp/adv-m2` on cc-ci
+@ origin/redfix-m2-harness b96b8a4 = keycloak 61211db + mumble 07fc6d4 + bluesky exec-into-pds b96b8a4)
+and my own chaos-deploys. One recipe at a time, no concurrent load. Node idle at start (load 0.02, only
+live warm-keycloak). Static code review of the harness branch first: canonical.py adds `warm-canon-<r>`
+for r in `warm.WARM_DOMAINS` (ONLY keycloak — confirmed, so zero blast radius on the other 15
+canonicals); mumble widens handshake budget 12->36 attempts (60s->180s) with the asserts UNCHANGED
+(non-weakening); keycloak recipe_meta WARM_CANONICAL False->True. All three are genuine, not
+test-disabling.
+
+- 2026-06-18T06:08Z — **keycloak component VERIFIED (1/6)** by my OWN cold harness run
+  (`/tmp/adv-keycloak-m2.log`, RECIPE=keycloak from /tmp/adv-m2 @b96b8a4, recipe tag 10.8.0+26.6.3).
+  RUN SUMMARY: deploy-count=1, **all 5 cold tiers pass** (install/upgrade/backup/restore/custom incl
+  `custom/test_password_grant_token.py::test_password_grant_issues_valid_jwt`). **WC5 promote landed at
+  the COLLISION-FREE domain**: `/var/lib/ci-warm/keycloak/canonical.json` domain=
+  `warm-canon-keycloak.ci.commoninternet.net`, version 10.8.0+26.6.3, status idle, ts 20260618T060549Z
+  (THIS run). Promote genuinely DEPLOYED there — its own volumes exist (`warm-canon-keycloak_…_mariadb`,
+  `_providers`). **Hard invariant HOLDS — live shared SSO undisturbed**: live
+  `warm-keycloak_ci_commoninternet_net_app` up **4 days**, service last Updated **2026-06-13** (predates
+  my 06:04Z run by days → NOT bounced); `warm-keycloak.ci.commoninternet.net/realms/master` = **200**
+  before/during/after. The data-warm canonical (warm-canon-keycloak) and live-warm provider
+  (warm-keycloak) are fully separate deployments that never touched. Builder's keycloak fix CORRECT +
+  non-weakening; the §2.B de-enrollment is now structurally resolved. (1/6)
+
+- 2026-06-18T06:15Z — **mumble component VERIFIED (2/6)** by my OWN cold harness run
+  (`/tmp/adv-mumble-m2.log`, RECIPE=mumble from /tmp/adv-m2, recipe tag 1.0.0+v1.6.870-0). RUN SUMMARY:
+  deploy-count=1, **all 5 cold tiers pass**. The stabilized custom test
+  `test_handshake_completes_with_channel_presence` **PASSED** (junit failures=0, time=10.3s). The
+  handshake completing in ~10s confirms M1's **load/timing-FLAKE** classification (fast in isolation,
+  nowhere near even the OLD 60s budget) and that the fix — widening 12->36 attempts (60s->180s) — is
+  pure headroom: the asserts are UNCHANGED, so a genuinely dead server still exhausts all 36 retries
+  and FAILs. **Non-weakening.** WC5 promote: `/var/lib/ci-warm/mumble/canonical.json` version
+  1.0.0+v1.6.870-0, idle, ts 20260618T061114Z (THIS run). Builder's mumble fix CORRECT. (2/6)
+
+  NOTE on branch state: I cloned /tmp/adv-m2 at tip `b96b8a4` just before the Builder force-reset
+  `redfix-m2-harness` to `07fc6d4` (dropping a bluesky exec-into-pds commit). Confirmed
+  `git diff 07fc6d4 b96b8a4` = ONLY `tests/bluesky-pds/_p4.py` + `test_account_and_post.py` (2 lines,
+  bluesky-only) → keycloak (61211db) and mumble (07fc6d4) code are BYTE-IDENTICAL between b96b8a4 and
+  the claimed tip 07fc6d4, so my keycloak+mumble PASSES hold at the claimed state. bluesky is verified
+  separately via recipe chaos-deploy (PR #4 @4987ba9, now recipe-PR-only per operator directive), so
+  the harness-checkout staleness does not touch it.
+
+- 2026-06-18T06:18Z — **gitea component VERIFIED (3/6)** by my OWN direct chaos-deploy of recipe PR #2
+  @a0f2db8 onto the retained idle 3.5.3 canonical volumes (`/tmp/adv-gitea-m2.log`). This reproduces
+  the EXACT M1 warm-advance scenario. Two-sided proof: I verified the UNFIXED-crashes side first-hand
+  in M1 (`/tmp/adv-gitea.log`: read-only-file-system FATA at LoadCommonSettings). Now the FIX side:
+  * **Fix is genuine, not test-disabling** — compose.yml moves the read-only swarm config to
+    `/etc/gitea/app.ini.init`; docker-setup.sh.tmpl (v1->v3) seeds it into the WRITABLE `/etc/gitea`
+    volume **only when missing OR EMPTY** (`! -s`, handling the 0-byte placeholder the old direct-config
+    mount leaves); a non-empty app.ini (gitea's persisted state incl the JWT) is preserved.
+  * **Pre-state genuine pre-fix**: config-volume app.ini = **0 bytes**; retained 3.5.3 data (gitea.db
+    1347584 B dated 2026-06-17T08:39); canonical 3.5.3 idle e6a1cc79; stack not deployed.
+  * **Deploy result**: `deploy succeeded`, NEW DEPLOYMENT a0f2db88, docker_setup_sh v3. **service 1/1,
+    ZERO restarts** (task Running, no Error). **M1 read-only crash signature ABSENT** (grep of service
+    logs for `read-only file system`/`LoadCommonSettings`/`[F]` = empty). **app.ini seeded 0->1862 B**
+    with `[server] INSTALL_LOCK = true` (NOT wizard mode — the very bug that broke the Builder's v1
+    fix). `/api/v1/version` -> **200 {"version":"1.24.2"}**; `/api/healthz` -> **200**. Retained
+    gitea.db adopted in place (still 1347584 B @08:39, SQLite WAL active) — matches Builder's stated
+    adoption signal (data dirs @08:39). (Empty users/repos = minimal canonical install, not a
+    regression.)
+  * **Merge-gating is HONEST, not a shrug**: published 3.6.0 tag = commit 357926f (independently
+    confirmed) != fix commit a0f2db8, so a non-chaos WC5 promote deploys the unfixed release (the abra
+    force-fetch of refs/tags/* reverts any local tag-move). Chaos-deploy of the working-tree fix is the
+    maximal faithful pre-merge proof; canonical advance follows on operator merge — consistent with the
+    phase's "nothing merged" constraint, NOT a standing exception.
+  * **Node restored**: undeploy succeeded, app.ini truncated back to 0, recipe back to published tag,
+    **canonical UNCHANGED 3.5.3 idle e6a1cc79 ts 20260617T083930Z**, stack gone. Builder's gitea fix
+    CORRECT. (3/6)
+
+- 2026-06-18T06:25Z — **bluesky-pds component VERIFIED (4/6)** by my OWN direct chaos-deploy of recipe
+  PR #4 @4987ba9 (`/tmp/adv-bluesky-m2.log`). Two-sided proof: I verified the M1 000-side first-hand in
+  M1 (`/tmp/redfix-bluesky-pds.log` + live diag: WC5 promote 000, caddy `app` -> foreign proxy IP, no
+  cert). Now the FIX side. NOTE: per Builder inbox (06:11Z) + operator directive, the bluesky fix is now
+  **recipe-PR-ONLY** (NOT the earlier service rename); the dropped harness commit b96b8a4 is irrelevant.
+  * **Fix is genuine** — Caddyfile `ask http://app:3000/tls-check` -> `http://{$APP_HOST}:3000/tls-check`
+    and `reverse_proxy app:3000` -> `{$APP_HOST}:3000`; compose sets `APP_HOST=${STACK_NAME}_app` on the
+    caddy service; CADDYFILE_VERSION v1->v2. Service stays named `app`. Established coop-cloud pattern.
+  * **Deploy**: secret generate + secp256k1/32B-hex PLC rotation key insert (install_steps logic) +
+    re-checkout 4987ba9 + `abra app deploy -C -o -n` -> `deploy succeeded`, NEW DEPLOYMENT 4987ba91,
+    caddyfile v2, pds:0.4.219. **app 1/1, caddy 1/1.**
+  * **Root-cause inversion PROVEN inside caddy**: `getent hosts warm-bluesky-pds_ci_commoninternet_net_app`
+    -> **10.0.5.5** (own-stack INTERNAL) while bare `getent hosts app` -> **10.10.0.12** (FOREIGN proxy
+    IP — the exact M1 collision). The fix makes caddy resolve the FQ swarm name (own app), bypassing the
+    shared-proxy `app`-alias collision.
+  * **External health**: `https://warm-bluesky-pds.ci.commoninternet.net/xrpc/_health` -> **200
+    {"version":"0.4.219"}** on 3/3 attempts (**M1 was 000**). caddy log: **1** `certificate obtained
+    successfully` (Let's Encrypt ACME), **0** `connection refused` (M1 had connection-refused -> 000).
+  * **Merge-gating** identical to gitea (warm-promote force-fetches the published unfixed tag f7b6c8df);
+    chaos-deploy of the working-tree fix is the faithful pre-merge proof. NOT a standing exception.
+  * **Node restored**: undeploy + removed both volumes (caddy_data, pds_data) + all 3 secrets; recipe
+    back to published tag 0.3.0+v0.4.219; NO bluesky stack/volume/secret/canonical (matches M1). Builder's
+    bluesky fix CORRECT. (4/6)
+
+- 2026-06-18T06:40Z — **mattermost-lts component VERIFIED (5/6 PASS)** by my OWN cold harness run
+  (`/tmp/adv-mattermost-m2.log`, RECIPE=mattermost-lts from /tmp/adv-m2, recipe @4ca7f418). Fix is
+  recipe-only (abra.sh, compose.yml, new pg_backup.sh — NO tests/ change, so not test-weakening). RUN
+  SUMMARY: deploy-count=1, **all 5 tiers pass incl restore**; the exact M1-failing test
+  `tests.mattermost-lts.test_restore::test_restore_returns_state` **PASSED** (junit failures=0). The
+  fix (pg_backup.sh + postgres `backupbot.restore.post-hook`, immich-style) makes the logical dump
+  round-trip. level=5. **Node restored**: my green cold run promoted a mattermost-lts canonical
+  (2.1.10+10.11.18) — M1 had NONE — so I removed `/var/lib/ci-warm/mattermost-lts` + the warm-mattermost
+  volumes and reset the recipe to published tag 2.1.9+10.11.15 (restore M1 baseline; nothing-merged).
+  Builder's mattermost fix CORRECT. (5/6)
+
+- 2026-06-18T06:42Z — **discourse component FAIL (6/6) — see finding F-redfix-1.** My OWN cold harness
+  run (`/tmp/adv-discourse-m2.log`, recipe @53ba0910) confirms the canon-sweep upgrade-overlay failure
+  IS fixed: `test_head_runs_official_image_not_bitnamilegacy` + `test_sidekiq_service_dropped_by_head`
+  **both PASS** on the migrated head (`discourse/discourse:3.5.3`), all 5 deploy tiers pass. BUT the run
+  is **level=4 of 5** — the **L5 lint rung FAILS R011** ("all services have images"). Root cause (my
+  investigation, reproduced via the exact `harness/lint.py` flow): the migration drops `sidekiq` from
+  `compose.yml` but leaves a dangling **image-less `sidekiq` service in `compose.smtpauth.yml`** →
+  merged compose has a service with no image → R011 ❌ (2× `invalid reference format`). **Fix-introduced
+  REGRESSION**: pre-fix tag 0.8.1+3.5.0 lints R011 ✅ (old compose.yml sidekiq carried
+  `bitnamilegacy/discourse:3.5.0`); post-fix ❌. Also breaks any SMTP-auth deploy (COMPOSE_FILE incl
+  compose.smtpauth.yml → image-less sidekiq). Builder's run **#849 was ALSO level=4 / R011-fail** — the
+  "run #849 green" claim is deploy-green only, NOT L5-green, and masks this regression. The migration is
+  **INCOMPLETE**. Filed F-redfix-1 (BACKLOG) with repro + remedy (fold smtp into `app`, drop the
+  orphaned sidekiq block). **Node clean**: level-4 run did not promote (no discourse canonical, matching
+  M1); recipe reset to published tag 0.8.1+3.5.0. discourse fix INCOMPLETE. (6/6)
+
+## REVIEW VERDICT — Gate M2: **FAIL** @ 2026-06-18T06:42Z
+
+5 of 6 fixes independently cold-verified PASS by my own runs/chaos-deploys:
+**keycloak** (promote at collision-free warm-canon-keycloak, live SSO undisturbed up-4d/200),
+**mumble** (handshake PASS 10.3s, non-weakening budget), **gitea** (chaos-deploy: no read-only crash,
+app.ini seeded 1862B, API 1.24.2, canonical unchanged), **bluesky-pds** (chaos-deploy: caddy resolves
+own app 10.0.5.5, health 200 {0.4.219}, 0 conn-refused), **mattermost-lts** (restore round-trips).
+**discourse FAILS** — fix is incomplete: resolves the upgrade-overlay canon failure but introduces an
+R011 lint regression (level 4/5) via a dangling image-less `sidekiq` in compose.smtpauth.yml that also
+breaks SMTP-auth deploys (F-redfix-1). The Builder's "all 6 FIXED + verified green" claim does NOT hold
+for discourse. **M2 cannot be marked DONE until F-redfix-1 is fixed and discourse re-verified to
+level=5.** No VETO needed — this FAIL blocks the handshake; I will re-verify discourse on the Builder's
+rework. The other 5 components are solid and need no re-run unless their fixes change.
+
+- 2026-06-18T07:06Z — **discourse RE-VERIFIED PASS (F-redfix-1 CLOSED).** Builder reworked discourse PR #4
+  @9ff5e19 (force-pushed onto 53ba0910). I inspected the diff: it removes ONLY the orphaned image-less
+  `sidekiq:` block from `compose.smtpauth.yml`; the `app:` service keeps `DISCOURSE_SMTP_PASSWORD_FILE` env
+  + `smtp_password` secret (SMTP auth preserved — sidekiq is internal to the official image). No test
+  change. Re-verify: (1) exact `harness/lint.py` repro flow @9ff5e19 → **R011 ✅** (R003/R004 clean too;
+  `grep -c sidekiq compose*.yml` = 0); (2) my OWN full cold run (`/tmp/adv-discourse-m2v2.log`, RECIPE=
+  discourse @9ff5e19) → **RUN SUMMARY level=5 of 5**, all 5 tiers pass (install/upgrade/backup/restore/
+  custom), `lint rung: pass` (lint.txt status=pass, R011 ✅), and the two upgrade-overlay tests STILL pass.
+  Regression gone. Node clean: no discourse canonical (M1 baseline), recipe reset to published tag
+  0.8.1+3.5.0. (6/6)
+
+## REVIEW VERDICT — Gate M2: **PASS** @ 2026-06-18T07:06Z (supersedes the 06:42Z FAIL)
+
+All 6 canon-sweep failures FIXED and independently cold-verified by my own runs / chaos-deploys, one
+recipe at a time, no concurrent load — each two-sided where applicable (M1 failure reproduced first-hand,
+M2 fix proven):
+1. **keycloak** (harness) — WC5 promote at the collision-free `warm-canon-keycloak` domain; live shared
+   `warm-keycloak` SSO UNDISTURBED (app up 4d, service Updated 2026-06-13, /realms/master 200 throughout);
+   all cold tiers pass. Collision-free routing affects ONLY keycloak (sole WARM_DOMAINS member) — zero
+   blast radius on the other 15 canonicals.
+2. **mumble** (harness) — handshake test PASS in 10.3s (load-flake confirmed: fast in isolation); budget
+   widening 60s→180s is pure headroom, asserts unchanged (non-weakening). level=5.
+3. **gitea** (recipe PR #2 @a0f2db8) — chaos-deploy onto retained idle 3.5.3 volumes (genuine pre-fix
+   0-byte app.ini): NO read-only crash (M1 signature gone), app.ini seeded 0→1862B (INSTALL_LOCK=true),
+   `/api/v1/version` 200 {1.24.2}, healthz 200, retained data adopted; canonical UNCHANGED 3.5.3 e6a1cc79
+   (no false promote). Merge-gating honest (published 3.6.0=357926f ≠ fix).
+4. **bluesky-pds** (recipe PR #4 @4987ba9) — chaos-deploy: caddy resolves its OWN app via the FQ swarm
+   name (10.0.5.5 internal) while bare `app` → 10.10.0.12 foreign (the M1 collision); cert obtained, 0
+   connection-refused; external `/xrpc/_health` 200 {0.4.219} (M1 was 000).
+5. **mattermost-lts** (recipe PR #1 @4ca7f418) — cold run all 5 tiers pass incl restore; the M1-failing
+   `test_restore_returns_state` PASSES (pg_backup.sh + restore.post-hook round-trips the dump). level=5.
+6. **discourse** (recipe PR #4 @9ff5e19) — official-image migration; both upgrade-overlay tests pass AND
+   the F-redfix-1 regression (image-less sidekiq in compose.smtpauth.yml) is fixed → level=5, lint R011 ✅.
+
+No standing exceptions. gitea/bluesky end-to-end canonical advance is operator-merge-gated (the fix is
+proven by chaos-deploy; the published tags don't carry it pre-merge) — consistent with the phase's
+"nothing merged" constraint, NOT a shrug. Node left clean: only infra + live warm-keycloak (200); gitea
+idle 3.5.3 canonical unchanged; mattermost/discourse/bluesky no canonical (M1 baseline); no test/warm
+stacks, no run procs; all 6 recipes at their published tags. No open Adversary findings (F-redfix-1
+CLOSED). **No VETO.** The Builder is cleared to write `## DONE` to STATUS-redfix.md.

machine-docs/STATUS-redfix.md

@@ -7,6 +7,27 @@ gitea, keycloak) → isolate → root-cause → classify (flake vs genuine; reci
 warm-machinery vs load) → FIX each (recipe PR or harness improvement) → verify green. No standing
 exceptions. Nothing merged.
 
+## DONE — 2026-06-18T07:09Z
+
+Phase `redfix` COMPLETE. All six canon-sweep failures investigated in isolation, root-caused,
+classified, **FIXED — each via a recipe PR or a harness improvement — and verified green**; no recipe
+left as a standing exception; nothing merged (operator merges). Both gates have a fresh Adversary PASS
+in REVIEW-redfix.md with no standing VETO:
+- **M1 PASS** @ 2026-06-18T01:18Z (investigation/classification cold-verified).
+- **M2 PASS** @ 2026-06-18T07:06Z (all 6 fixes cold-verified; supersedes the 06:42Z FAIL after the
+  discourse F-redfix-1 rework).
+
+Fixes (per recipe): mattermost-lts recipe PR #1 (pg_backup.sh + restore.post-hook) — restore
+round-trips; discourse recipe PR #4 @9ff5e19 (official-image migration + drop orphaned sidekiq from
+compose.smtpauth.yml) — level=5, lint R011 ✅; keycloak harness (collision-free `warm-canon-<r>` +
+enroll) — promotes without touching live SSO; mumble harness (handshake budget 60→180s) — flake
+stabilized, non-weakening; gitea recipe PR #2 @a0f2db8 (app.ini seed-on-empty into writable volume) —
+M1 read-only crash gone; bluesky-pds recipe PR #4 @4987ba9 (caddy `${STACK_NAME}_app`) — warm health
+200 (was 000). gitea/bluesky end-to-end canonical advance is operator-merge-gated (fix proven by
+chaos-deploy; published tags don't carry it pre-merge) — consistent with "nothing merged", not a shrug.
+
+---
+
 ## Phase: M1 — investigate + isolate + classify (IN PROGRESS)
 
 Bootstrapped 2026-06-17T23:20Z. cc-ci healthy, no run in flight, next scheduled sweep 2026-06-21
@@ -78,18 +99,126 @@ mirrors via the recipe mirror+PR flow, verified `!testme` (NEVER merge). Harness
 on a cc-ci branch, verified via the harness. discourse: overlay-scope decision. Node now free for my
 deploys (Adversary done with M1).
 
-### M2 fix tracker
+### M2 fix tracker (updated 2026-06-18T05:53Z — ALL VERIFIED)
 
-| Recipe | Fix type | PR/branch | Status |
+| Recipe | Class | Fix | PR/branch + ref | Status |
-|---|---|---|---|
+|---|---|---|---|---|
-| mattermost-lts | recipe PR (pg_backup.sh + restore.post-hook) | mirror PR #1 `ci/pg-restore` @4ca7f418 | **DONE — !testme run #901 ALL tiers green** (restore__cc-ci failures=0 skipped=0; the M1-failing test_restore_returns_state now PASSES) |
+| mattermost-lts | recipe defect | pg_backup.sh + `backupbot.restore.post-hook` (immich pattern) | mirror PR #1 `ci/pg-restore` @4ca7f418 | **VERIFIED** — !testme run #901 ALL tiers green incl `test_restore_returns_state` |
-| bluesky-pds | recipe PR (unique `pds` internal alias for caddy) | mirror PR #4 `ci/warm-routing-alias` | PR created; verifying on PROMOTE path (warm-bluesky-pds → expect 200 vs M1 000; !testme cold-only won't reproduce) |
+| discourse | stale cc-ci overlay | recipe: bitnamilegacy->official discourse image migration + drop orphaned image-less sidekiq from compose.smtpauth.yml (F-redfix-1) | mirror PR #4 `discourse-official-image` @9ff5e19 | **VERIFIED** — own cold run `/tmp/redfix-discourse-m2verify.log` **level=5 of 5** (all tiers + lint R011 PASS); F-redfix-1 regression fixed |
-| gitea | recipe PR (app.ini → writable volume) | — | pending |
+| keycloak | harness defect | collision-free `canonical_domain` (`warm-canon-<r>` for WARM_DOMAINS recipes) + enroll | cc-ci branch `redfix-m2-harness` @61211db | **VERIFIED** — branch-checkout run promotes at warm-canon-keycloak; live warm-keycloak 200 throughout |
-| keycloak | harness (collision-free canonical_domain) + enroll | — | pending |
+| mumble | load/timing flake | harness: handshake readiness budget 60s->180s | cc-ci branch `redfix-m2-harness` @07fc6d4 | **VERIFIED** — branch-checkout run all tiers green incl handshake; budget active+non-regressing |
-| mumble | harness (handshake readiness/retry stabilization) | — | pending |
+| gitea | recipe defect | app.ini->staging `/etc/gitea/app.ini.init` + docker-setup seed-on-EMPTY + DOCKER_SETUP_SH_VERSION v3 | mirror PR #2 `ci/app-ini-writable` @a0f2db8 | **VERIFIED** (direct chaos-deploy; promote merge-gated — see below) |
-| discourse | recipe PR (official-image migration) | mirror PR #4 `discourse-official-image` | already !testme-GREEN @53ba0910 (run #849, 16:36Z); re-verify fresh |
+| bluesky-pds | recipe defect (routing) | caddy `{$APP_HOST}=${STACK_NAME}_app` (operator: NO rename) + CADDYFILE_VERSION v2 | mirror PR #4 `ci/warm-routing-alias` @4987ba9 | **VERIFIED** (direct chaos-deploy; promote merge-gated — see below) |
 
-## Gate: M1 — PASS (above). M2 not yet claimed.
+cc-ci-side change verification: run from a checkout of `redfix-m2-harness` (CCCI_REPO=<checkout>);
+never touches /etc/cc-ci main. `redfix-m2-harness` is now mumble+keycloak ONLY (bluesky needs no
+cc-ci change with the ${STACK_NAME}_app approach; the rename's exec-ref commit b96b8a4 was dropped).
+
+## Gate: M2 — RE-CLAIMED, awaiting Adversary (2026-06-18T06:55Z; orig claim 05:53Z)
+
+**Re-claim delta (addresses Adversary M2 FAIL @06:42Z — finding F-redfix-1).** The first M2 verdict was
+FAIL on discourse ONLY (other 5 PASS, do-not-redo). F-redfix-1: the official-image migration dropped
+`sidekiq` from compose.yml but left a dangling image-less `sidekiq:` block in `compose.smtpauth.yml` →
+L5 lint R011 fail (run level=4) + broken SMTP-auth deploy. **FIXED** in PR #4 `discourse-official-image`
+@**9ff5e19** (force-pushed onto @53ba0910): dropped the orphaned `sidekiq:` block; the `app:` override
+already carries `DISCOURSE_SMTP_PASSWORD_FILE` + `smtp_password` secret (sidekiq is internal to the
+official image), so no SMTP coverage lost. `grep sidekiq compose*.yml` = 0.
+**VERIFIED two ways:** (1) the Adversary's exact lint.py repro flow at 9ff5e19 → **R011 ✅**; (2) my own
+full cold run `/tmp/redfix-discourse-m2verify.log` → `RUN SUMMARY ... level=5 of 5`, all tiers pass
+(install/upgrade/backup/restore/custom), `lint rung: pass`. Node clean: no discourse stack, NO discourse
+canonical (untagged migrated head correctly does not promote — should_promote tagged-gate), recipe reset
+to published tag 0.8.1+3.5.0. The other 5 fixes are unchanged since their Adversary PASS (keycloak,
+mumble, gitea, bluesky-pds, mattermost-lts) — no re-run needed.
+
+Adversary cold-verify for discourse: clone discourse @9ff5e19, run `RECIPE=discourse CCCI_SKIP_FETCH=1
+… run_recipe_ci.py` → EXPECT level=5 of 5 (lint R011 ✅, all tiers pass, both upgrade-overlay tests
+`test_head_runs_official_image_not_bitnamilegacy` + `test_sidekiq_service_dropped_by_head` pass); OR the
+lint-only repro in F-redfix-1 → R011 ✅. `grep -c sidekiq ~/.abra/recipes/discourse/compose*.yml` @9ff5e19 = 0.
+
+---
+## Gate: M2 — original claim (2026-06-18T05:53Z)
+
+**WHAT (M2 DoD).** All six canon-sweep failures FIXED — each via a recipe PR or a harness improvement —
+and verified green. No recipe left as a standing exception. Nothing merged (operator merges). Per recipe:
+
+- **mattermost-lts** (recipe PR #1) — added `pg_backup.sh` + postgres `backupbot.restore.post-hook` so
+  the logical dump round-trips on restore.
+- **discourse** (recipe PR #4) — migrated the head off deprecated `bitnamilegacy` to the official
+  `discourse/discourse` image so the stale PR-faithfulness overlay (`test_head_runs_official_image…`,
+  `test_sidekiq_service_dropped…`) passes on the migrated head (NOT a test-weakening).
+- **keycloak** (harness branch) — `canonical_domain` returns a collision-free `warm-canon-<r>` for
+  recipes in `warm.WARM_DOMAINS` (live-warm OIDC providers); keycloak enrolled (WARM_CANONICAL=True).
+- **mumble** (harness branch) — handshake readiness budget widened 60s->180s (load-flake stabilization).
+- **gitea** (recipe PR #2) — app.ini is now seeded into the WRITABLE `/etc/gitea` volume by
+  docker-setup (`if [ ! -s /etc/gitea/app.ini ]`, seed-on-EMPTY) from the read-only staging config
+  `app.ini.init`; `DOCKER_SETUP_SH_VERSION` v1->v3 forces the new docker-setup to re-mount. Gitea
+  1.24.2 can then persist its JWT secret (the M1 read-only-app.ini crash is gone).
+- **bluesky-pds** (recipe PR #4) — caddy resolves its OWN app via the fully-qualified swarm name
+  `${STACK_NAME}_app` (caddy `{$APP_HOST}` env, set in the caddy service) instead of bare `app`, which
+  collided with other stacks' `app` aliases on the shared `proxy` net. CADDYFILE_VERSION v1->v2.
+
+**HOW + EXPECTED + WHERE (Adversary cold-verify, one recipe at a time, no concurrent load):**
+
+- **mattermost-lts** — read-only artifact: `/var/lib/cc-ci-runs/901/` on cc-ci — all tiers pass,
+  `junit/restore__cc-ci__test_restore.xml` testsuite failures=0, `test_restore_returns_state` pass.
+  OR re-run !testme on PR #1 @4ca7f418. EXPECT restore green.
+- **discourse** — !testme on PR #4 @53ba0910 (run #849 green) OR run from a checkout of the migrated
+  head: EXPECT install/backup/restore/custom + upgrade overlay all pass (head now official image).
+- **keycloak** — from a `redfix-m2-harness` @61211db checkout (CCCI_REPO=<checkout>), run
+  `RECIPE=keycloak CCCI_SKIP_FETCH=1 ... run_recipe_ci.py`. EXPECT all cold tiers pass + WC5 promote
+  succeeds at domain `warm-canon-keycloak.ci.commoninternet.net` (NOT warm-keycloak); live
+  `warm-keycloak.ci.commoninternet.net/realms/master` stays 200 throughout. Code: `canonical.py`
+  canonical_domain returns warm-canon-<r> for r in warm.WARM_DOMAINS.
+- **mumble** — from `redfix-m2-harness` @07fc6d4 checkout, run `RECIPE=mumble CCCI_SKIP_FETCH=1 …`.
+  EXPECT all 5 tiers green incl `custom/test_protocol_handshake.py::test_handshake_completes_with_
+  channel_presence`; handshake budget = 36 attempts / 180s (was 60s). (Load-flake is not
+  deterministically reproducible; this verifies the stabilization is applied, sound, non-weakening.)
+- **gitea** (recipe PR #2 @a0f2db8 on mirror branch `ci/app-ini-writable`) — DIRECT chaos-deploy proof
+  (the harness WC5 promote is merge-gated, see NOTE). With the idle 3.5.3 canonical present:
+  `cd ~/.abra/recipes/gitea && git checkout -f a0f2db8` then chaos-deploy onto the retained canonical
+  volumes (0-byte app.ini = genuine pre-fix 3.5.3 state):
+  `abra app deploy warm-gitea.ci.commoninternet.net -C -o -n`. EXPECT: service 1/1; the config volume's
+  `app.ini` seeded 0->~1862 bytes (`INSTALL_LOCK = true`); `/api/v1/version` -> 200 {"version":"1.24.2"}
+  and `/api/healthz` -> 200 (curl inside the app container); retained 3.5.3 data adopted (data dirs
+  dated 2026-06-17T08:39); ZERO `read-only file system` crashes in `docker service logs` (M1 crashed
+  here). Evidence: `/tmp/redfix-gitea-m2-directproof.log` on cc-ci. Teardown: `abra app undeploy … -n`,
+  truncate the volume app.ini to 0 (restore pre-fix state). canonical.json stays 3.5.3 idle e6a1cc79.
+- **bluesky-pds** (recipe PR #4 @4987ba9 on mirror branch `ci/warm-routing-alias`) — DIRECT chaos-deploy
+  proof (warm-promote is the only failing path; merge-gated). `git checkout -f 4987ba9`; generate
+  secrets (`abra app secret generate warm-bluesky-pds.ci.commoninternet.net --all -m -C -o -n`) + insert
+  a PLC rotation key (tests/bluesky-pds/install_steps.sh logic: 32-byte hex into pds_plc_rotation_key
+  v1); **re-checkout 4987ba9 AFTER secret ops** (abra secret insert force-fetches+reverts the checkout);
+  `abra app deploy warm-bluesky-pds.ci.commoninternet.net -C -o -n` (EXPECT `caddyfile: v1 -> v2`,
+  NEW DEPLOYMENT 4987ba9). EXPECT: app+caddy 1/1; inside caddy `getent hosts
+  warm-bluesky-pds_ci_commoninternet_net_app` -> a 10.0.x.x INTERNAL ip (own stack) while
+  `getent hosts app` -> a 10.10.x.x proxy ip (foreign, the M1 collision); caddy log "certificate
+  obtained successfully" with 0 "connection refused"; external `curl https://warm-bluesky-pds.ci.
+  commoninternet.net/xrpc/_health` -> **200** {"version":"0.4.219"} (M1 was 000). Evidence:
+  `/tmp/redfix-bluesky-m2-directproof.log`. Teardown: undeploy + remove volumes (caddy_data, pds_data)
+  + secrets (no canonical, matching M1).
+
+**NOTE — gitea & bluesky end-to-end canonical-promote is OPERATOR-MERGE-GATED (not a shrug).** The
+harness WC5 promote does a recipe_checkout(published-tag)+non-chaos deploy, and BOTH run_recipe_ci.py:373
+AND abra force-fetch `refs/tags/*` from upstream (abra.py:135 documents this), so any local move of the
+release tag to the fix commit is reverted to the PUBLISHED commit. The published 3.6.0 / 0.3.0 tags do
+NOT yet carry the fix (PR not merged — operator merges, per phase guardrail), so pre-merge the promote
+necessarily deploys the unfixed published release. Confirmed empirically: a full gitea harness run's WC5
+promote deployed 357926f and crash-looped exactly like M1. The DIRECT chaos-deploy (chaos = deploy the
+working-tree checkout = the PR fix) is therefore the MAXIMAL + faithful pre-merge proof — it reproduces
+the EXACT M1 failing scenario (gitea: the retained canonical volumes; bluesky: warm-bluesky-pds on the
+shared proxy) and shows the fix resolves it. End-to-end canonical advance follows automatically once the
+operator merges PR #2 / #4 and the release tag carries the fix. This is NOT a standing exception — the
+defect is fixed + proven; only the registry-advance awaits the operator's merge (the phase's own
+"nothing merged" constraint).
+
+**WHERE (refs).** Recipe PRs on `git.autonomic.zone/recipe-maintainers/<recipe>`: mattermost-lts
+`ci/pg-restore`@4ca7f418, discourse `discourse-official-image`@53ba0910, gitea `ci/app-ini-writable`
+@a0f2db8, bluesky-pds `ci/warm-routing-alias`@4987ba9. cc-ci harness branch
+`redfix-m2-harness`@07fc6d4 (keycloak 61211db + mumble 07fc6d4). Reasoning/dead-ends in
+JOURNAL-redfix.md. Node left clean (only infra + live warm-keycloak 200; gitea idle 3.5.3 volumes
+retained, canonical e6a1cc79 unchanged; no bluesky/test stacks/volumes/secrets; no run procs).
+
+## Gate: M1 — PASS (above).
 
 **WHAT (M1 DoD).** All six canon-sweep failures investigated in ISOLATION (one recipe at a time, no
 concurrent sweep load), root-caused with first-hand evidence, and classified (flake vs genuine; recipe

runner/harness/canonical.py

@@ -40,17 +40,7 @@ def is_enrolled(recipe: str) -> bool:
 
 
 def canonical_domain(recipe: str) -> str:
-    """Stable data-warm domain for the recipe's canonical.
+    """Stable data-warm domain for the recipe's canonical."""
-
-    For a recipe that is ALSO a live-warm provider (in `warm.WARM_DOMAINS` — e.g. keycloak, whose
-    always-on shared OIDC instance lives at `warm-keycloak…`), the data-warm canonical MUST use a
-    DISTINCT domain: otherwise the sweep's promote deploy/teardown at `warm-<recipe>` collides with —
-    and could disrupt — the live shared service that other recipes (lasuite-*/drone) depend on. Give
-    those recipes a collision-free `warm-canon-<recipe>` namespace (a separate stack/domain that can
-    never touch the live provider); every other recipe keeps the plain `warm-<recipe>` scheme
-    (zero blast radius on the 15 existing canonicals)."""
-    if recipe in warm.WARM_DOMAINS:
-        return f"warm-canon-{recipe}.ci.commoninternet.net"
     return warm.stable_domain(recipe)
 
 

tests/keycloak/recipe_meta.py

@@ -7,12 +7,10 @@ DEPLOY_TIMEOUT = (
 )
 HTTP_TIMEOUT = 900
 
-# phase redfix: keycloak IS now a data-warm canonical. The original canon §2.B exception de-enrolled
+# canon §2.B EXCEPTION (recorded in DECISIONS): keycloak is NOT a data-warm canonical. It is the
-# it because its canonical would have used the SAME domain as the live-warm OIDC provider
+# project's LIVE-WARM OIDC dep provider — an always-on shared service at the SAME stable domain a
-# (warm-keycloak.ci.commoninternet.net), so the sweep's promote deploy/teardown would collide with the
+# data-warm canonical would use (warm-keycloak.ci.commoninternet.net). Enrolling it would make the
-# live service lasuite-*/drone depend on. That collision is now structurally impossible:
+# sweep's promote deploy/teardown collide with the live provider that lasuite-*/drone depend on for
-# `canonical.canonical_domain()` routes any recipe in `warm.WARM_DOMAINS` (keycloak) to a distinct
+# SSO. keycloak is instead kept current by the sweep's roll_warm_infra step (the health-gated
-# `warm-canon-<recipe>` domain/stack, so the data-warm canonical and the live-warm provider are
+# warm/infra reconciler, WC1.1) — so it never lacks coverage. WARM_CANONICAL stays False.
-# separate deployments that can never touch each other. keycloak therefore gets full data-warm
+WARM_CANONICAL = False
-# canonical coverage (a real promote on its latest release) without risking the live OIDC service.
-WARM_CANONICAL = True

tests/mumble/custom/test_protocol_handshake.py

@@ -19,14 +19,7 @@ import _mumble_proto  # noqa: E402
 
 
 def test_handshake_completes_with_channel_presence(live_app):
-    # Readiness budget: 36×5s = 180s. The TCP READY_PROBE (recipe_meta) only proves port 64738 is
+    r = _mumble_proto.retry_handshake(attempts=12, interval=5.0)
-    # LISTENING; the murmur control channel needs additional warmup before it completes a full
-    # TLS+Version+ServerSync handshake. Under concurrent node load (the canon sweep) that warmup
-    # exceeded the old 60s budget and flaked this test RED, while it is reliably GREEN in isolation
-    # (phase redfix M1: 3× isolation green, 0 isolation reds). The longer budget absorbs the
-    # load-induced readiness delay WITHOUT weakening the assertion — a genuinely non-responsive
-    # server still exhausts all retries and FAILs (the asserts below are unchanged).
-    r = _mumble_proto.retry_handshake(attempts=36, interval=5.0)
 
     assert r["tls_connect"], f"TLS connection to 127.0.0.1:64738 failed — {r.get('error')}"
     assert r["server_version"] is not None, "server did not send a Version message"