status(1e): E2/HC1 CLAIMED — chaos-version==head_ref proven on hedgedoc

upgrade→PR-head: head_ref=09bf4d54 chaos-version=09bf4d54 version=3.0.9+1.10.7→3.0.10+1.10.8
  deploy-count = 1; install/upgrade=pass; clean teardown.

E1/HC3 + E0/HC2 both Adversary PASS. Awaiting Adversary cold-verify HC1 + HC4 for ## DONE.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

machine-docs/BACKLOG-1e.md

@@ -10,7 +10,7 @@ Phase-namespaced backlog. Builder edits `## Build backlog`; Adversary edits `##
       mutating op once; runs generic test_<op>.py (unless opt-out) + overlay test_<op>.py. Opt-out:
       `CCCI_SKIP_GENERIC` / `CCCI_SKIP_GENERIC_<OP>` / `recipe_meta.SKIP_GENERIC`. Pre-op seed via
       optional `tests/<recipe>/ops.py`. Migrate generic + overlays to assertion-only. Keep count==1.
-- [ ] **E2 / HC1** — upgrade to PR head via `abra app deploy --chaos`: deploy prev, re-checkout PR
+- [x] **E2 / HC1** — upgrade to PR head via `abra app deploy --chaos`: deploy prev, re-checkout PR
       head, chaos redeploy in place; adapt moved-assertion (chaos label proof); reconcile deploy-count.
 - [ ] **E3 / HC4** — docs (docs/testing.md, enroll-recipe.md) + DECISIONS; claim gates; await Adversary
       cold-verify of HC1–HC4; flip STATUS-1e → ## DONE on full PASS.

machine-docs/JOURNAL-1e.md

@@ -115,3 +115,29 @@ Next: confirm opt-out result, claim E1/HC3 gate, then E2 (HC1 chaos-to-PR-head).
   grep confirms all 4 tier calls pass head_ref. compile OK.
 - Net effect now: head_ref reaches perform_upgrade → recipe_checkout_ref(head_ref) restores PR-head
   before chaos deploy → after.chaos == head_ref → assert_upgraded match succeeds non-vacuously.
+
+## 2026-05-28 — E2/HC1 CLAIMED (chaos-version==head_ref proven on hedgedoc)
+- Verified hedgedoc HC1 e2e (commit 7472561, log /root/ccci-1e-hc1-hed4.log):
+  ```
+  == cc-ci run: recipe=hedgedoc ref=None pr=0 stages=['install', 'upgrade']
+  ===== TIER: upgrade (generic=run, overlay=none) =====
+    upgrade→PR-head: head_ref=09bf4d54 chaos-version=09bf4d54 version=3.0.9+1.10.7→3.0.10+1.10.8
+  PASSED tests/_generic/test_upgrade.py::test_upgrade_reconverges
+  ===== RUN SUMMARY =====
+  deploy-count = 1 (expect 1)
+    install : pass
+    upgrade : pass
+  ```
+  head_ref (09bf4d54) == chaos-version (09bf4d54) — direct, deterministic, non-vacuous proof the
+  chaos deploy deployed the PR-head code under test. Plus a real version bump 3.0.9→3.0.10.
+  deploy-count=1; clean teardown.
+- E3/HC4 docs work shipped in 7472561 (docs/testing.md + docs/enroll-recipe.md fully rewritten for
+  HC1/HC2/HC3: additive generic + opt-out + ops.py + chaos PR-head + repo-local allowlist).
+- All three HC items implemented + Builder-verified. Awaiting Adversary cold-verify of HC1 and HC4.
+
+## Background-task pgrep self-match note (lesson learned)
+- My `until ! pgrep -f run_recipe_ci.py` polls **matched their own bash command line** (which
+  contains the literal string "run_recipe_ci.py" in the grep patterns), so they never exited and
+  piled up (saw 14 stuck loops). pkill'd them and switched to log-grep polling
+  (`for i; do grep -q "RUN SUMMARY" log && break; sleep 5; done`) which is self-match-free. Won't
+  repeat the pgrep -f anti-pattern.

machine-docs/STATUS-1e.md

@@ -18,6 +18,8 @@ Three corrections, each Adversary cold-verified, no test weakened:
 
 ## Definition of Done (Phase 1e) — HC1–HC4, each Adversary cold-verified in REVIEW-1e
 - [ ] **HC1** — PR-head upgrade proven to deploy PR-head; deploy-count guard reconciled (==1).
+      Builder CLAIM @2026-05-28 (commit 7472561): hedgedoc `head_ref=09bf4d54 == chaos-version=09bf4d54`,
+      version 3.0.9→3.0.10, deploy-count=1, clean. Awaiting Adversary cold-verify.
 - [x] **HC2** — repo-local ignored for a non-approved recipe, run for an approved one.
       Adversary PASS @2026-05-28 (hostile-code probe, no finding; commit c7ae296).
 - [x] **HC3** — generic runs alongside an overlay by default; skipped only with the opt-out set.
@@ -32,12 +34,42 @@ Three corrections, each Adversary cold-verified, no test weakened:
 - **E3** — HC4 cold re-verification + docs → DONE.
 
 ## In flight
-E2 (HC1) — upgrade tier upgrades to the PR-head code under test via `abra app deploy --chaos`
+E3 (HC4) — docs (DONE: docs/testing.md + docs/enroll-recipe.md updated for HC1/HC2/HC3 +
-(re-checkout PR head after the prev-tag base deploy; chaos label proves PR-head deployed); reconcile
+ops.py/allowlist/opt-out/chaos-PR-head); DECISIONS settled at phase start; awaiting Adversary
-the DG4.1 deploy-count guard with the in-place chaos redeploy.
+cold-verify of HC1–HC4 to flip STATUS-1e → ## DONE.
 
 ## Gate
-**Gate: E1/HC3 — RE-CLAIMED, awaiting Adversary @2026-05-28 (F1e-1 fixed, commit 6eabfdc).**
+**Gate: E2/HC1 — CLAIMED, awaiting Adversary @2026-05-28 (commit 7472561).** The upgrade tier now
+upgrades to the PR-HEAD code under test via `abra app deploy --chaos`, not a published tag. After
+`fetch_recipe` the orchestrator captures `head_ref` (preferring `$REF` — the PR head sha; falls back
+to the recipe checkout HEAD for non-PR `!testme`). On the upgrade tier: re-checkout the recipe to
+`head_ref`, capture pre-upgrade identity, then `abra.deploy(chaos=True)` redeploys in place. The op
+calls abra.deploy directly (NOT deploy_app), so `_record_deploy()` does not fire — **deploy-count
+stays 1** (HC1/DG4.1 reconciled). `generic.assert_upgraded`, when head_ref is known, REQUIRES the
+deployed `coop-cloud.<stack>.chaos-version` commit to MATCH head_ref — direct, non-vacuous proof the
+code under test was deployed (a stale prev-checkout chaos redeploy would stamp prev's commit ≠
+head_ref → FAIL). Fallback to version/image/chaos move check when head_ref is unknown.
+
+**Cold-verifiable evidence on cc-ci** (hedgedoc, log `/root/ccci-1e-hc1-hed4.log`):
+```
+== cc-ci run: recipe=hedgedoc ref=None pr=0 stages=['install', 'upgrade']
+===== TIER: upgrade (generic=run, overlay=none) =====
+  upgrade→PR-head: head_ref=09bf4d54 chaos-version=09bf4d54 version=3.0.9+1.10.7→3.0.10+1.10.8
+PASSED tests/_generic/test_upgrade.py::test_upgrade_reconverges
+===== RUN SUMMARY =====
+deploy-count = 1 (expect 1)
+  install : pass
+  upgrade : pass
+```
+`head_ref == chaos-version` (09bf4d54) — deterministic proof of PR-head deploy. Plus a real version
+move (3.0.9→3.0.10). deploy-count=1; clean teardown. The HC1 path also covers F1e-1's exec hardening
+(used by the data-continuity overlays' exec_in_app reads).
+
+**Gate: E1/HC3 — Adversary PASS @2026-05-28** (REVIEW-1e final; F1e-1 fix commit 6eabfdc verified
+cold under opt-out; deploy-count=1; no assertion weakened; no concurrency confound).
+
+**Gate: E0/HC2 — Adversary PASS @2026-05-28** (REVIEW-1e; hostile-code probe, no finding).
+Prior CLAIM detail:
 Adversary FAILed the prior claim (REVIEW-1e) with F1e-1: under `CCCI_SKIP_GENERIC=1` the backup
 overlay flaked (`'' == 'original'`) because `lifecycle.exec_in_app` silently returned the empty stdout
 of a failed `docker exec` (post-backup container cycle, no readiness buffer; the generic pytest spawn