# BACKLOG — Phase 2w (warm canonical + `--quick`)

Single-writer rule (plan §6.1): Builder edits `## Build backlog` only; Adversary edits
`## Adversary findings` only.

## Build backlog

### W0 — Live-warm keycloak (WC1)
- [ ] W0.1 — sso.py: realm lifecycle primitives (`delete_keycloak_realm`, `list_realms`,
      `reap_stale_realms`) + unit tests.
- [ ] W0.2 — Orchestrator/deps: live-warm keycloak dep mode — stable warm domain + per-run
      namespaced realm; delete realm on teardown (don't undeploy); cold-codeploy fallback if no warm
      keycloak. Per-run realm name unique per (parent, pr, ref) for concurrency isolation.
- [ ] W0.3 — Declarative Nix reconciler `nix/modules/warm-keycloak.nix` (systemd oneshot converges
      warm keycloak deployed+healthy at stable domain); wired into the host config.
- [ ] W0.4 — e2e proof: a dependent recipe (lasuite-docs) SSO custom test passes against warm
      keycloak; concurrent dependents use distinct realms (no collision); leftover realms reaped.
      → claim WC1 gate.

### W1 — Canonical registry + snapshot/restore (WC2, WC3)
- [ ] W1.1 — Canonical registry/reconciler (declarative; tracks recipe→known-good commit; stable
      domain `warm-<recipe>`).
- [ ] W1.2 — Snapshot/restore: raw volume copy while undeployed under `/var/lib/ci-warm/<recipe>/`;
      one last-known-good, atomic replace; prove restore round-trips data.

### W2 — `--quick` mode (WC4, WC7)
- [ ] W2.1 — `run_recipe_ci.py --quick` path (reattach → upgrade-to-PR-head → assert → PASS undeploy /
      FAIL restore+undeploy; never promote).
- [ ] W2.2 — Trigger surface + labeling + no-canonical fallback (WC7).

### W3 — Cold-advances-canonical + nightly sweep (WC5, WC6)
- [ ] W3.1 — Promote-on-green-cold (snapshot+tag canonical at teardown on green cold; seed on first green).
- [ ] W3.2 — Nightly full-cold sweep (declarative scheduler, MAX_TESTS-bounded).

### W4 — Hardening + docs + cold verify (WC8, WC9)
- [ ] W4.1 — Resource/isolation hardening: disk monitor+prune, per-app serialize, warm excluded from D8.
- [ ] W4.2 — Docs (warm/quick) + the WC9 rollback proof.

## Adversary findings
(none yet)
</content>