enterprise-backup sync.sh drift detector auto-discovers /opt/<new-dir>/ not in KNOWN_OPT_DIRS whitelist into discovered/<dirname>/. When that new dir is a cold-archive snapshot (e.g., /opt/retired/<eradication-date>/ with multi-hundred-MB Docker volume tarballs), GitHub push fails atomically with pre-receive hook declined — File exceeds 100.00 MB limit. Local backup commits accumulate without ever propagating to GitHub.
Diagnosis
sync.sh’s drift detector exists to catch unexpected NEW active services that should be backed up — not cold archives. KNOWN_OPT_DIRS whitelist gates the discovered/ auto-capture. Snapshot/archive dirs created without simultaneously updating the whitelist trigger silent backup-push failures. GitHub’s 100MB per-file limit is an absolute pre-receive hook — no LFS configured, no path-specific exclusion, single oversized file rejects entire push.
Fix
Hard rule: when creating any new top-level /opt/<dir>/ with snapshot/archive semantics OR content >50MB, IMMEDIATELY add the dir name to KNOWN_OPT_DIRS exclusion in /opt/enterprise-backup/sync.sh in the SAME operation. Treat new-dir + snapshot-content as a tuple. Recovery if push already failed: rm -rf /opt/enterprise-backup/discovered/<dirname> + add to KNOWN_OPT_DIRS + amend last commit + retry push. Cold-archive convention: /opt/retired/<date>/ (excluded), separate restore-drill cron, NOT daily sync.