Three coordinated fixes from the upgrade-flow redesign plan
(/home/bunker-admin/.claude/plans/okay-so-we-can-enumerated-hejlsberg.md):
1. scripts/lib/mkdocs-snapshot.sh (NEW): pre-upgrade tarball snapshot of
the entire mkdocs/ directory into the install root as
mkdocs-backup-<timestamp>.tar.gz. Discoverable via `ls`, retained last 5.
No-regrets fallback if anything in the upgrade goes sideways. Sourced
by upgrade.sh (and later by image-upgrade.sh under Approach B).
2. scripts/upgrade.sh Phase 6 self-destruct fix: previously, the broad
`docker compose up -d` recreated the ccp-agent container that was
running the script, sending SIGKILL to the bash process before
write_result could land result.json. Marcelle's test upgrade hit this
tonight. Fix: temporarily remove `ccp-agent` from COMPOSE_PROFILES
during Phase 6's broad up -d, then schedule a detached `nohup ... &
disown` restart at the very end of the script (after write_result and
archive_success_to_history). The deferred subshell sleeps 3s, then
recreates ccp-agent under its profile, picking up the new image.
3. scripts/upgrade-stash-cleanup.sh (NEW): one-shot utility to list and
drop accumulated `upgrade-*` git stashes left over by older upgrade.sh
runs whose pop failed silently (Pride Corner has three from 2026-03-09
alone). Warns loudly if any stash holds tenant mkdocs.yml content so
operators verify recovery before dropping.
The .gitignore now excludes /mkdocs-backup-*.tar.gz so the rescue
archives don't leak into commits.
This is Phase 1 of three: Approach B (image-only upgrade mode) and
Approach C (CCP template re-render) follow in subsequent commits.
Bunker Admin
