guardrail: abra convergence by default; custom READY_PROBE only when necessary + a real strict test (operator 2026-05-29, re F2-12)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

cc-ci-plan/plan.md

@@ -794,5 +794,15 @@ Each default stands until the Adversary or reality forces a change; record the c
   persists for the run, and destroys at teardown — a missing app secret is never a blocker, it is
   something the harness
   creates. See §4.4.
+- **Real abra deploys; abra convergence by default; custom readiness only if it's a real test.**
+  Deploys/upgrades use the **real abra commands** (`abra app deploy`/`upgrade`) — never bypass abra
+  with `docker service update`/`scale`. **Prefer abra's own convergence checks.** Only skip abra's
+  post-deploy convergence monitor (`-c`/`--no-converge-checks`) and substitute a **harness READY_PROBE**
+  when abra's monitor genuinely doesn't fit (e.g. its window is too short for a heavy app and it FATAs
+  on a deploy that *does* converge). When you do: the deploy is still real abra (only abra's *waiting*
+  is replaced), and the probe MUST be a **genuinely strict** readiness test — all services N/N **plus**
+  a real app-level check — that **RAISES on actual non-readiness**, never a no-op that masks a failed
+  deploy. **Prove it has teeth** (a negative test that fails on stuck convergence, e.g. F2-12's
+  P7-negative). The Adversary treats a custom probe as a potential test-weakening until cold-verified.
 - **Honest reporting.** If a stage is skipped or a check failed, say so in `STATUS.md`/`JOURNAL.md`
   with the output. The loop's value depends entirely on the ledgers being true.