docs: Phase 2b fail-closed gate LIVE-validated on AdventureLog

Demo has no dashboard password (API open: auth+CSRF both skip in that mode), driven
via the public URL. AdventureLog's unit manifest carries data_key_env_vars=[SECRET_KEY]
(catalog->manifest live); with SECRET_KEY unrecoverable, POST /backup/restore REFUSED
with the exact fail-closed message before any compose-up. Full deploy-with-data e2e
blocked by the 8G guest rootfs (AdventureLog images too big — the Phase 3 concern, live).
CHANGELOG/REPORT/CONTEXT updated; demo left clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-13 12:35:08 +02:00
parent 1ed20c7069
commit d8fe8f5ead
3 changed files with 29 additions and 14 deletions
+7 -2
@@ -34,8 +34,13 @@ Last updated: 2026-06-12 (storage UX polish)
> `stacks.RedeployFromEnv`), regenerating nothing. `reconcileRestoreSecrets` (pure, unit-tested) is the
> fail-closed gate: missing/empty data-key → REFUSE (needs PBS whole-guest restore); missing resettable
> secret → warn+proceed. Wired into `/backup/restore`. Gate + orchestration + data_key parsing
> unit/integration-tested; deployed v0.54.0 healthy. **PENDING:** live readable-data e2e vs AdventureLog
> needs the auth-gated dashboard restore (no web cred in bootstrap.json) — operator-run.
> unit/integration-tested; deployed v0.54.0 healthy.
> - **LIVE-validated (9201, AdventureLog):** unit manifest `data_key_env_vars:[SECRET_KEY]`
> (catalog→manifest live); with SECRET_KEY made unrecoverable, `POST /backup/restore` REFUSED with the
> exact fail-closed message BEFORE any compose-up. Demo has NO dashboard password → API open (auth+CSRF
> skipped), driven via public URL. NOTE: full deploy-with-data→restore e2e blocked because AdventureLog
> images don't fit the 8G guest rootfs ("no space left") — that's the Phase 3 rootfs-headroom concern
> seen live. Demo left clean (AdventureLog reverted to not-deployed).
> - Next: Phase 3 (Tier 2 auto off-drive, rootfs-headroom guard), Phase 4 (FileBrowser + UI).
>
> **2026-06-13 — v0.52.0 Phase 1 GATE: deploy-side double-nest fix (catalog) + path-agreement test:**
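Review bot: the removed **PENDING:** line tracked the live readable-data e2e against AdventureLog, and the NOTE in the new LIVE-validated bullet says that same deploy-with-data→restore run is still blocked by the 8G guest rootfs, so the entry now reads as validated while the readable-data path has not run live. Keep an explicit PENDING marker on that NOTE, and state that only the REFUSE branch (missing/empty data-key) was exercised live; the warn+proceed branch for a missing resettable secret is not mentioned in the live result. Quoting the refusal text verbatim instead of "the exact fail-closed message" would let a reader check it against the code. The bullet also records that the demo API is open via the public URL with auth and CSRF skipped; say whether that is the intended state for the demo or something to close once a dashboard password is set.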