M4: harness + green install stage (custom-html + Playwright); guaranteed teardown; M4 CLAIMED

run_recipe_ci.py + conftest + abra/lifecycle wrappers + Nix python/playwright env.
deploy_app forces LETS_ENCRYPT_ENV='' (addresses A1). Short per-run domain scheme
for the 64-char swarm name limit. 2 passed; teardown leaves zero orphans.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

STATUS.md

@@ -1,8 +1,9 @@
 # STATUS — cc-ci Builder
 
-**Phase:** M2 complete & CLAIMED → starting M3 (comment bridge). M0+M1 PASS (Adversary). M2 awaiting verdict.
-**In-flight:** M3 — comment-bridge service (!testme webhook → Drone build trigger).
-**Last updated:** 2026-05-26 (M2 claimed, green build #1)
+**Phase:** M4 complete & CLAIMED. M0/M1/M2 PASS. M3 gate BLOCKED (Gitea webhook delivery; operator).
+M4 awaiting verdict. Next: M5 (upgrade + backup/restore for custom-html).
+**In-flight:** M5 — add upgrade + backup/restore stages for recipe #1.
+**Last updated:** 2026-05-27 (M4 claimed; install stage green)
 
 ## Gates
 - **Gate: M0 — CLAIMED, awaiting Adversary** (2026-05-26). Evidence: flake rebuilds cc-ci from repo
@@ -45,7 +46,9 @@
   the M1 manual custom-html deploy; `scripts/deploy-drone.sh` will too). Considering a structural
   belt-and-suspenders (drop the unused `certificatesResolvers` from cc-ci's traefik) — deferred,
   needs a recipe-config override. Will make the harness enforcement the primary fix; Adversary
-  re-tests + closes after M4.
+  re-tests + closes after M4. → **Now enforced**: `harness.lifecycle.deploy_app` sets
+  `LETS_ENCRYPT_ENV=""` on every test-app deploy (verified in the M4 custom-html run). Adversary can
+  re-test + close A1.
 
 ## Notes
 - **Disk RESOLVED:** operator grew the VM 8.9→**28 GiB** (22 GiB free) on 2026-05-26. Inodes