fix(1d): G1 backup/restore + F1d-1 cert-check reframe

- backup artifact: read snapshot_id from 'abra app backup create' output (snapshots needs a TTY);
  generic.parse_snapshot_id + do_backup assert it
- restore serving race: lifecycle.http_fetch (one request -> status+body, never raises) +
  assert_serving is now a bounded poll (settles a post-op reconverge, no bare sleep); drop wait_serving
- F1d-1 (Adversary, low): reframe served_cert/assert_serving honestly as an INFRA TLS sanity check
  (catches a lapsed/mis-rotated wildcard cert), NOT app-vs-fallback (Traefik serves the wildcard
  zone-wide); the genuine serving proof is services_converged + non-404 status. Awaiting re-test.

DG1 Adversary PASS @ef44d46. G1 full-lifecycle re-verification in flight.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

machine-docs/JOURNAL-1d.md

@@ -66,3 +66,36 @@ tests/_generic/test_install.py::test_serving PASSED
 $ docker stack ls | grep hedg   -> (none — clean teardown)
 ```
 Lint+format clean (`ruff check`/`ruff format --check` via `nix develop .#lint`). Claiming the G0 gate.
+
+## 2026-05-27 — G0/DG1 PASS; F1d-1 fixed; G1 backup+restore fixes
+
+**Adversary verdict: DG1 PASS @2026-05-27** (cold, own clone @ef44d46). G0 cleared.
+
+**Correcting an overstatement (Adversary finding F1d-1, valid):** my earlier G0 wording claimed the
+CA-verified cert check distinguishes "the app vs a Traefik default-cert fallback." It does NOT —
+Traefik's file provider serves the pre-issued **wildcard** for the WHOLE `*.ci.commoninternet.net`
+zone, so ANY in-zone subdomain (even a non-deployed one) verifies; the self-signed default cert is
+never served in-zone. The genuine app-vs-fallback proof is `services_converged` (the app's OWN
+service replicas N/N) + a non-404 status in HEALTH_OK (Traefik's unmatched-router fallback = 404).
+Fix applied (no code behavior change to the load-bearing checks; honesty/scope only):
+- `generic.served_cert` + `assert_serving` docstrings/comments reframed: the cert check is an INFRA
+  TLS sanity check (catches a lapsed/mis-rotated wildcard cert — plan §4.0 renewal), explicitly NOT
+  an app-vs-fallback check. Kept because it CAN fail (cert expiry/untrust), unlike the old
+  openssl-missing no-op it replaced.
+- Assertion message reworded ("served wildcard cert is not trusted/valid", not "...not the default").
+Noted for the Adversary to re-test + close F1d-1 (theirs to tick).
+
+**G1 — DG2 (upgrade) + DG3 (backup/restore) on hedgedoc (backup-capable, ≥2 tags 3.0.9→3.0.10):**
+Two real bugs found+fixed via live runs:
+1. *backup artifact check.* `abra app backup snapshots` needs a TTY (`FATA the input device is not a
+   TTY`), but `abra app backup create` already emits the restic JSON summary with the produced
+   `"snapshot_id"` (rc 0, "backup finished"). Verified raw on a live custom-html:
+   `snapshot_id": "d85bf492…"`. Fix: `backup_create` returns its output; `generic.parse_snapshot_id`
+   regex-extracts the id; `do_backup` asserts it. (Dropped the TTY-bound `snapshots` listing.)
+2. *restore serving race.* `assert_serving` made TWO requests (http_get then http_body); post-restore
+   the app flapped between them → `http_body` raised an unhandled `HTTPError 404`. Fix: new
+   `lifecycle.http_fetch` returns (status, body) in ONE request, never raising; `assert_serving` now
+   BOUNDED-POLLS converged + serving (status+body from one request) so a post-op reconverge settles
+   while a persistent failure still fails within HTTP_TIMEOUT (no bare sleep). `do_upgrade`/`do_restore`
+   call it (dropped the redundant `wait_serving`).
+Re-running full hedgedoc install→upgrade→backup→restore to confirm all-green before claiming G1.