update

docs/phase1-2-findings.md

@@ -284,14 +284,23 @@ $ psql SELECT * FROM restore_check -> 42 | phase2-sentinel
 
 ---
 
-## 5. Teardown (executed — see §6 for what was left)
+## 5. Teardown (executed)
 Restore targets destroyed; Phase 1 objects and spike artifacts removed; `9000`/`9001`
-left **stopped-but-present**.
+left **stopped-but-present**. Verified clean: `felhom-ctl@pve` deleted, no spike ACLs,
+empty `dump/`, `spk1` removed.
+
+> **Correction:** `pveum acl delete` **requires `--roles`** (a bare `-user`/`-token`
+> path errors `400 roles: property is missing`). In practice the explicit ACL deletes
+> are unnecessary — deleting the token/user/role **auto-invalidates** the referencing
+> ACLs (PVE logs `ignore invalid acl token …` and drops them).
 
 ```bash
-pct destroy 9002 --purge ; pct destroy 9003 --purge
+pct stop 9002 ; pct stop 9003 ; pct destroy 9002 --purge ; pct destroy 9003 --purge
-pveum acl delete /vms/9001      -user 'felhom-ctl@pve' ; pveum acl delete /vms/9001      -token 'felhom-ctl@pve!ctl'
+# correct ACL-delete syntax (needs --roles), or just let user/role deletion clean them:
-pveum acl delete /storage/local -user 'felhom-ctl@pve' ; pveum acl delete /storage/local -token 'felhom-ctl@pve!ctl'
+pveum acl delete /vms/9001      --roles FelhomSelfBackup --users  'felhom-ctl@pve'
+pveum acl delete /vms/9001      --roles FelhomSelfBackup --tokens 'felhom-ctl@pve!ctl'
+pveum acl delete /storage/local --roles FelhomSelfBackup --users  'felhom-ctl@pve'
+pveum acl delete /storage/local --roles FelhomSelfBackup --tokens 'felhom-ctl@pve!ctl'
 pveum user token remove felhom-ctl@pve ctl ; pveum user delete felhom-ctl@pve ; pveum role delete FelhomSelfBackup
 pct delsnapshot 9001 spk1
 rm -f /var/lib/vz/dump/vzdump-lxc-9001-*.tar.zst /var/lib/vz/dump/vzdump-lxc-9001-*.log