diff --git a/.github/instructions/regalamiunsorriso-83-149-164-4.instructions.md b/.github/instructions/regalamiunsorriso-83-149-164-4.instructions.md index 73899d1f..1259fa34 100644 --- a/.github/instructions/regalamiunsorriso-83-149-164-4.instructions.md +++ b/.github/instructions/regalamiunsorriso-83-149-164-4.instructions.md 
@@ -57,22 +57,26 @@ ssh -tt -i C:\Users\Maddo\.ssh\id_rsa -p 410 marco@83.149.164.4 "sudo tcsh -c 'c - Older duplicate trees: `/home/sites/regalamiunsorriso/wwwLang/mailMessage` and `/home/sites/regalamiunsorriso/wwwOld/www/mailMessage` - During the 2026-04-16 reconnaissance, representative checksums differed between `www/mailMessage` and `wwwLang/mailMessage`, so they are not interchangeable copies. - The Java application configuration lives under `/home/sites/regalamiunsorriso/rus/WEB-INF`. -- `web.xml` defines the main application DB connection as `dbDriver=3`, `database=//localhost/pg`, `user=root`, `password=root`. +- `rus/WEB-INF/web.xml` defines an older or alternate application DB connection as `dbDriver=3`, `database=//localhost/pg`, `user=root`, `password=root`. +- `www/WEB-INF/web.xml` contains the stronger live SQL lead: `dbDriver=17`, `database=//192.168.10.250/pg`, `catalog=pg`, `user=root`, `password=root`, with a description hint `250658#` that corresponds to the server password and an alternate endpoint hint `//localhost:3308/pg`. - `truckservice.properties` defines a second DB connection as `dbDriver=3`, `dbName=//localhost/truckservice`, `user=root`, `password=root`. - In this codebase, `dbDriver=3` maps to MySQL Connector/J, not to a legacy non-MySQL driver. - `dbcomuni.properties`, `rus.properties`, and `truckservice.properties` all set `USE_PARM_HT=true`, which means runtime values are expected to come from the application `Parm` store. - In code, `DBAdapter.getDocBase()` resolves to `getParm("DOCBASE").getTesto()`, and mail-template lookups use `Parm` values such as `MAIL_REG`, `MAIL_NO_MORE`, `MAIL_NO_MORE_SCAD`, and `MAIL_MSG_PATH_MAILER`. - In code, `Parm.findByCodice()` reads from `PARM` with `select A.* from PARM AS A where A.codice='...'`, so the live `PARM` table is the authoritative lookup point for these values. 
- `pg_src/com/ablia/pg/Users.java` seeds defaults for `MAIL_MSG_RINNOVO` as `mailMessage/rinnovoMsg.html` and `MAIL_MSG_COUPON_OMAGGIO` as `mailMessage/couponOmaggioMsg.html` when the parameters are missing. +- Read-only validation plus later DBeaver confirmation established that the reachable live SQL path is `192.168.10.250:3306`, database `pg`, user `root`, password `root`. +- The `250658#` value should be treated as the server password hint noted in `www/WEB-INF/web.xml`, not as the database password. +- The validated live `PARM` rows included: + - `DOCBASE=/home/www/regalamiunsorriso/do` + - `MAIL_MSG_PATH_MAILER=phpmailer/regala_un_sorriso/` + - `MAIL_NO_MORE=mail_no_more.html` + - `MAIL_NO_MORE_SCAD=mail_no_more_scad.html` + - `MAIL_REG=mail_reg.html` - Because of that indirection, changing files under a `mailMessage` directory is not sufficient proof that outbound mail content will change. The effective `DOCBASE` and mail-template parameter values must also be checked in the live `Parm` data. - For mail-template reconnaissance, avoid recursing into `/mnt/da1/foto` via the `RUS` symlink unless the task explicitly concerns photo storage. It adds permission noise and did not help identify the email-template source. -- Read-only DB access notes from 2026-04-16: - - The host has PHP CLI at `/usr/local/bin/php` with both `mysqli` and `pdo_mysql` enabled. - - A piped PHP script over SSH is a reliable way to run read-only DB probes without creating files on the server. - - `mysqli('localhost', ...)` fails with `No such file or directory`, which indicates PHP tries a Unix socket path that is not present or not configured. - - `mysqli('127.0.0.1', ...)` fails with `Connection refused`, and `sockstat` showed no listener on port `3306` and no visible MySQL Unix socket under `/var/run`, `/tmp`, or `/usr/local/var`. - - No `mysql` or `mariadb` client binary was found in the shell path. 
- - Result: the app configuration clearly points at MySQL, but direct DB access from the current shell remains unresolved and must be revalidated before relying on live SQL queries. +- `127.0.0.1:3308` refused connections from the shell during the same investigation, so the localhost hint in `www/WEB-INF/web.xml` should not be treated as the current working shell path without revalidation. +- Do not upload, stage, or leave ad hoc PHP or SQL helper scripts on the server during reconnaissance. Any future live DB query method must be explicitly approved first. ## MCP Limitation diff --git a/sync/runtime-reconnaissance.md b/sync/runtime-reconnaissance.md new file mode 100644 index 00000000..c09925ee --- /dev/null +++ b/sync/runtime-reconnaissance.md 
@@ -0,0 +1,89 @@ +# Runtime Reconnaissance + +This document records read-only reconnaissance findings for the `regalamiunsorriso` runtime environment. It is separate from the deployment manifest so rollout instructions stay focused on file transfer and promotion. + +## Shell Behavior On 83.149.164.4 + +- The remote login shell behaves as `tcsh`. +- POSIX shell constructs like `for ...; do ...; done` fail unless you explicitly run them through `sh -c`. +- The server `sh` does not support `-l`, so use `sh -c`, not `sh -lc`. +- `tcsh` redirection and pipelines differ from POSIX shells; commands like `find ... 2>/dev/null | head` can fail with `Ambiguous output redirect` unless the whole payload runs under `sh -c`. +- Prefer one remote command per SSH invocation for reconnaissance. Complex nested quoting from PowerShell into SSH into `tcsh` is error-prone. +- If PowerShell shows the continuation prompt `? >`, the command was malformed locally before SSH executed it. +- Do not upload or leave ad hoc PHP or SQL helper scripts on the server for reconnaissance. Any future live DB query method must be explicitly approved first. + +## Mail Template Directories Found On Server + +- Live rollout target: `/home/sites/regalamiunsorriso/www/mailMessage` +- Staging copy: `/home/marco/regalamiunsorriso/incoming/www/mailMessage` +- Older duplicate tree: `/home/sites/regalamiunsorriso/wwwLang/mailMessage` +- Archived duplicate tree: `/home/sites/regalamiunsorriso/wwwOld/www/mailMessage` + +Representative checksum comparisons showed that `www/mailMessage` and `wwwLang/mailMessage` are not interchangeable copies: + +- `noMorePic.html`: live `2188047161 3645`, `wwwLang` `2803737061 3775` +- `userMsg_itCC.html`: live `324589227 5628`, `wwwLang` `429470199 4921` + +## Runtime Resolution Path + +- The Java application lives under `/home/sites/regalamiunsorriso/rus/WEB-INF`. +- `DBAdapter.getDocBase()` resolves to `getParm("DOCBASE").getTesto()`. 
+- `Parm.findByCodice()` reads `PARM` rows with `select A.* from PARM AS A where A.codice='...'`. +- Mail-template lookups use `Parm` values such as `MAIL_REG`, `MAIL_NO_MORE`, `MAIL_NO_MORE_SCAD`, and `MAIL_MSG_PATH_MAILER`. +- `rus/WEB-INF/lib/pg_src/com/ablia/pg/Users.java` seeds defaults for `MAIL_MSG_RINNOVO` as `mailMessage/rinnovoMsg.html` and `MAIL_MSG_COUPON_OMAGGIO` as `mailMessage/couponOmaggioMsg.html` when parameters are missing. +- `dbcomuni.properties`, `rus.properties`, and `truckservice.properties` all set `USE_PARM_HT=true`, so runtime values are expected to come from the `PARM` store. + +Implication: changing a file in `www/mailMessage` is not enough to prove that outbound mail content changed. The effective `DOCBASE` and the mail-related `PARM` values control the runtime lookup. + +## Live Configuration Evidence + +### `www` Webapp + +Local and live `www/WEB-INF/web.xml` contain the strongest SQL host evidence: + +- `dbDriver=17` +- `database=//192.168.10.250/pg` +- `catalog=pg` +- `user=root` +- `password=root` +- description hint for server password: `250658#` +- description hint for alternate endpoint: `//localhost:3308/pg` + +### `rus` Webapp + +`rus/WEB-INF/web.xml` appears to reflect an older or alternate local configuration: + +- `dbDriver=3` +- `database=//localhost/pg` +- `user=root` +- `password=root` + +Local source in `DriversJdbc.java` maps `dbDriver=3` to MySQL Connector/J. 
+ +## Confirmed Read-Only SQL Findings + +Read-only validation performed during this reconnaissance confirmed that the live application data is reachable on the network SQL host: + +- host: `192.168.10.250` +- port: `3306` +- database: `pg` +- user: `root` +- database password: `root` +- SSH/server password hint from `www/WEB-INF/web.xml` description: `250658#` +- `127.0.0.1:3308` refused connections from the shell during the same investigation + +The following live `PARM` values were recovered: + +- `DOCBASE=/home/www/regalamiunsorriso/do` +- `MAIL_MSG_PATH_MAILER=phpmailer/regala_un_sorriso/` +- `MAIL_NO_MORE=mail_no_more.html` +- `MAIL_NO_MORE_SCAD=mail_no_more_scad.html` +- `MAIL_REG=mail_reg.html` + +Implication: the current outbound mail path is not driven directly by the deployed `www/mailMessage/noMorePic*.html` files. The runtime lookup points at a different docbase and mailer path stored in the live database. + +## Recon Scope Note + +- The `RUS` entry under `/home/sites/regalamiunsorriso` is a symlink to `/mnt/da1/foto`. +- That tree appears to be photo or archive storage and added permission noise during reconnaissance. +- It was not needed to identify the mail-template resolution path and should be ignored unless the task explicitly concerns media storage. \ No newline at end of file diff --git a/sync/www-deploy-manifest.md b/sync/www-deploy-manifest.md index 0e19933b..29c85d02 100644 --- a/sync/www-deploy-manifest.md +++ b/sync/www-deploy-manifest.md 
@@ -40,81 +40,4 @@ All files in this rollout are deployed from the current working tree. - Verify staged files with `ls -l` and `cksum`. - Verify live files with `ls -l`, `stat -f`, and `cksum`. -- Existing destination files should retain their original metadata after promotion. - -## Known Shell Quirks - -- The remote login shell behaves as `tcsh`, so POSIX shell loops fail unless run through `sh -c`. -- The server `sh` does not support `-l`, so use `sh -c`, not `sh -lc`. -- Direct SSH plus tar works reliably on this host; MCP SSH was previously unreliable and is avoided. -- PowerShell quoting can break remote helper commands for paths with spaces; using `ssh ... --%` passes verification commands through cleanly. -- Direct remote use of `2>/dev/null`, pipelines, and escaped parentheses can still fail under `tcsh` with `Ambiguous output redirect`; for read-only investigation, prefer small single-purpose SSH commands or wrap the full payload in remote `sh -c`. -- If PowerShell shows the continuation prompt `? >`, the quoting failed locally before the command reached the server. Cancel it and rerun a simpler command. - -## Mail Template Reconnaissance - -Read-only investigation on `83.149.164.4` on 2026-04-16 found that mail content is not determined only by the files in `www/mailMessage`. 
- -### Mail Template Directories Found On Server - -- Live rollout target: `/home/sites/regalamiunsorriso/www/mailMessage` -- Staging copy: `/home/marco/regalamiunsorriso/incoming/www/mailMessage` -- Older duplicate tree: `/home/sites/regalamiunsorriso/wwwLang/mailMessage` -- Archived duplicate tree: `/home/sites/regalamiunsorriso/wwwOld/www/mailMessage` - -Representative checksum comparisons confirmed that `www/mailMessage` and `wwwLang/mailMessage` currently differ: - -- `noMorePic.html`: live `2188047161 3645`, `wwwLang` `2803737061 3775` -- `userMsg_itCC.html`: live `324589227 5628`, `wwwLang` `429470199 4921` - -### Runtime Resolution Path - -- The Java application lives under `/home/sites/regalamiunsorriso/rus/WEB-INF`. -- Local source code shows `DBAdapter.getDocBase()` returns `getParm("DOCBASE").getTesto()`. -- Local source code shows `Parm.findByCodice()` executes `select A.* from PARM AS A where A.codice='...'`. -- Local source code also shows the mail templates are located through `Parm` values such as `MAIL_REG`, `MAIL_NO_MORE`, `MAIL_NO_MORE_SCAD`, and `MAIL_MSG_PATH_MAILER`. -- Local `pg_src/com/ablia/pg/Users.java` seeds default values for `MAIL_MSG_RINNOVO` as `mailMessage/rinnovoMsg.html` and `MAIL_MSG_COUPON_OMAGGIO` as `mailMessage/couponOmaggioMsg.html`. -- On the live server, `/home/sites/regalamiunsorriso/rus/WEB-INF/classes/dbcomuni.properties`, `rus.properties`, and `truckservice.properties` all contain `USE_PARM_HT=true`, which indicates the application expects runtime values from the `Parm` store. - -Implication: -Changing a file in `www/mailMessage` is not enough to guarantee a changed outbound message. 
The live `Parm` data determines at least: - -- the effective `DOCBASE` -- which mail template filename is used for each message type -- the generic mailer template root via `MAIL_MSG_PATH_MAILER` - -If reports say old messages are still being sent, the next thing to verify is the live `Parm` row values for `DOCBASE`, `MAIL_REG`, `MAIL_NO_MORE`, `MAIL_NO_MORE_SCAD`, `MAIL_MSG_PATH_MAILER`, and any related per-feature mail parameters. - -### Useful Live App Configuration - -- Main webapp DB connection from `rus/WEB-INF/web.xml`: - - `dbDriver=3` - - `database=//localhost/pg` - - `user=root` - - `password=root` -- Secondary app properties from `rus/WEB-INF/classes/truckservice.properties`: - - `dbDriver=3` - - `dbName=//localhost/truckservice` - - `user=root` - - `password=root` -- Local source code in `DriversJdbc.java` maps `dbDriver=3` to MySQL Connector/J (`jdbc:mysql`). -- Tomcat is running under `jsvc` and is listening on `*:8080` with AJP on `127.0.0.1:8009`. - -### Read-Only DB Access Attempts - -- The host has PHP CLI at `/usr/local/bin/php` with `mysqli`, `mysqlnd`, `PDO`, and `pdo_mysql` enabled. -- No `mysql` or `mariadb` client binary was found in the shell path. -- A read-only PHP probe over SSH is viable by piping a local script into remote PHP: - - This worked for plain PHP execution and is the safest known way to attempt SQL reads without creating files on the server. -- Live connection attempts behaved as follows: - - `mysqli('localhost', 'root', 'root', 'pg')` failed with `No such file or directory`. - - `mysqli('127.0.0.1', 'root', 'root', 'pg')` failed with `Connection refused`. -- `sockstat -4 -l` showed no listener on MySQL port `3306`. -- `sockstat -u -l` and targeted socket checks did not reveal a visible MySQL Unix socket under `/var/run`, `/tmp`, `/usr/local/var`, or `/var/db/mysql`. -- Current conclusion: the application configuration indicates MySQL, but direct SQL access from the current shell is not yet available. 
The webapp may rely on a non-obvious socket path, a jailed/internal service path, or a runtime environment not exposed to the `marco` shell. - -### Recon Scope Notes - -- The `RUS` entry under `/home/sites/regalamiunsorriso` is a symlink to `/mnt/da1/foto`. -- That tree appears to be photo/archive storage and produced permission noise during reconnaissance. -- It was not needed to identify the email-template resolution path and should be ignored for future mail-template investigations unless the task explicitly involves media storage. \ No newline at end of file +- Existing destination files should retain their original metadata after promotion. \ No newline at end of file
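Review bot: In `.github/instructions/regalamiunsorriso-83-149-164-4.instructions.md`, the added `www/WEB-INF/web.xml` bullet and the "Read-only validation plus later DBeaver confirmation" bullet commit a working database login (`user=root`, `password=root` on `192.168.10.250:3306`) and the `250658#` value, which the text itself ties to the server password, into version control. Keep the host, port and database name, replace the literal secrets with a pointer to where they are held (for example "credentials: see `www/WEB-INF/web.xml` on the host"), and treat the values already written here as exposed and due for rotation. The same bullets show the application connecting as `root` with a password equal to the user name; record that as a finding in its own right, with a least-privilege application account as the fix, rather than only as connection detail.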
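Review bot: In the new `sync/runtime-reconnaissance.md`, the "Confirmed Read-Only SQL Findings" section carries no date and no record of where the validation was run from or with which client, while the manifest text deleted in this same patch dated its findings 2026-04-16 and listed each probe with its error. Add the date, the vantage point and the method so the claim that `192.168.10.250:3306` is reachable can be rechecked later. The recovered `DOCBASE=/home/www/regalamiunsorriso/do` is also not under any of the four `/home/sites/regalamiunsorriso/...` directories listed under "Mail Template Directories Found On Server"; state whether that path was inspected on the host, since the closing implication rests on it. The credential values repeated under "Live Configuration Evidence" and "Confirmed Read-Only SQL Findings" should be redacted in this file too.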
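Review bot: In `sync/www-deploy-manifest.md`, the removed "Known Shell Quirks" section held two rollout-relevant notes that the new "Shell Behavior On 83.149.164.4" section does not carry over: "Direct SSH plus tar works reliably on this host; MCP SSH was previously unreliable and is avoided" and the `ssh ... --%` tip for passing verification commands through PowerShell. The removed "Useful Live App Configuration" line about Tomcat running under `jsvc` on `*:8080` with AJP on `127.0.0.1:8009` is likewise absent from `sync/runtime-reconnaissance.md`. Either keep the two deployment notes in the manifest or move all three items into the new file, and add a one-line pointer from the manifest to `sync/runtime-reconnaissance.md` so readers of the rollout steps can still find the shell caveats.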