docs: Phase 2b — REPORT/CONTEXT for restore-from-unit + fail-closed gate

REPORT updated (v0.54.0 restore side, honest validation status: gate+orchestration
unit-tested, capture live-validated, readable-data e2e pending auth-gated dashboard).
CONTEXT dated entry.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-13 11:18:28 +02:00
parent e02292aa1a
commit 1ed20c7069
2 changed files with 42 additions and 13 deletions
+9 -1
@@ -28,7 +28,15 @@ Last updated: 2026-06-12 (storage UX polish)
> `felhom-controller-bootstrap.service` docker-runs the tag from `/etc/felhom-controller-image`
> (gitea anon-pull). Deploy = build+push → anon-pull → update tag file → restart the service.
> - **Live-validated (9201):** RomM unit captured (images=3, secrets=3, data_keys=0), secret-leak grep
> = NO_LEAK. Next: Phase 2b restore-from-unit recreate + fail-closed gate + AdventureLog readable-data.
> = NO_LEAK.
> - **v0.54.0 Phase 2b (restore-from-unit + fail-closed gate):** `RestoreFromRecoveryUnit` recreates an
> app from its unit + secrets recovered from the GUEST's live app.yaml (`RecoverStackSecrets`,
> `stacks.RedeployFromEnv`), regenerating nothing. `reconcileRestoreSecrets` (pure, unit-tested) is the
> fail-closed gate: missing/empty data-key → REFUSE (needs PBS whole-guest restore); missing resettable
> secret → warn+proceed. Wired into `/backup/restore`. Gate + orchestration + data_key parsing
> unit/integration-tested; deployed v0.54.0 healthy. **PENDING:** live readable-data e2e vs AdventureLog
> needs the auth-gated dashboard restore (no web cred in bootstrap.json) — operator-run.
> - Next: Phase 3 (Tier 2 auto off-drive, rootfs-headroom guard), Phase 4 (FileBrowser + UI).
>
> **2026-06-13 — v0.52.0 Phase 1 GATE: deploy-side double-nest fix (catalog) + path-agreement test:**
> - The `felhom-data` double-nest lived in the **app-catalog compose templates**
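Review bot: The added v0.54.0 bullet records the live readable-data e2e as **PENDING** and "operator-run" while the same bullet says the restore path is wired into `/backup/restore` and deployed, and it gives no exit criterion or owner for closing that gap. Suggest stating what result closes it (for example, that the restored AdventureLog data is readable using the secrets recovered from the guest's app.yaml) and who runs it. The gate description would also benefit from saying where the data-key versus resettable-secret classification is defined, since the REFUSE versus warn+proceed decision in `reconcileRestoreSecrets` depends entirely on it, and where the warning for a missing resettable secret is surfaced to the operator. Minor: the removed line's "Next: Phase 2b ..." is replaced by a "Next: Phase 3 ..." bullet, but the new bullet carries a version and no date, unlike the dated entry that follows it; adding the date would match the commit message's "CONTEXT dated entry".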