docs(#20): hook exec cgroup gap FIXED + verified on .228 (scoped exec)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

docs/PRODUCTION-MASTER-PLAN.md

@@ -170,14 +170,14 @@ phases 2–6 (`dual-ecash-design.md`).
   cached at startup) — a disk manifest edit alone won't take. RESULT: frontend
   fresh-creates via install_fresh, caps applied, post_install hook FIRES
   (copy_from_host nostr-provider.js ✅), UI 200 (/, /nostr-provider.js, /api/).
-  **KNOWN GAP (general hook capability, NOT blocking indeedhub):** the post_install
-  `exec` steps fail via `podman exec` from the archipelago.service systemd cgroup
-  (`crun: write cgroup.procs: Permission denied / OCI permission denied`). Harmless
-  here (image bakes the nginx config so the exec steps are no-ops; copy_from_host is
-  the one that matters and works). FIX = wrap the hook executor's `podman exec` in a
-  transient user scope (`systemd-run --user --scope`, like `podman_user_scope`) in
-  core/archipelago/src/container/hooks.rs::run_podman. Do before relying on exec hooks
-  for an app whose image does NOT pre-bake its mutations.
+  **HOOK EXEC GAP = FIXED + VERIFIED (`ff78b312`).** The post_install `exec` steps
+  used to fail via `podman exec` from the archipelago.service systemd cgroup
+  (`crun: write cgroup.procs: Permission denied`). Fixed by wrapping the hook
+  executor's `exec` in `systemd-run --user --scope --quiet --collect podman exec …`
+  (its own delegated cgroup; copy_from_host stays a direct `cp`). Verified on .228:
+  all 4 post_install steps now log `ok` (sed X-Frame, copy nostr-provider.js, inject
+  script, nginx reload), frontend serves, UI 200. The #20 hook capability is now fully
+  functional (exec + copy_from_host) on orchestrator-created containers.
 
   PRIOR (now resolved) — was: **FRESH-CREATE PATH = BLOCKED (found live 2026-06-21).** Removed the stateless
   frontend + reinstalled to exercise install_fresh → it FAILED: