harness: backup/restore pass -C -o; catalogue fetch re-clones clean

Two fixes surfaced by the first real recipe-ci run through Drone:
- abra app backup/restore now pass -C -o (current checkout, no remote fetch) like
  every other recipe-touching call — without -o they fetch recipe tags from the
  (private) remote and fail 'authentication required: Unauthorized'.
- fetch_recipe's catalogue path rm's the recipe dir first so a leftover private-mirror
  remote from a prior SRC+REF run can't poison version resolution / backup.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

runner/run_recipe_ci.py

@@ -57,6 +57,11 @@ def fetch_recipe(recipe: str, ref: str | None, src: str | None) -> None:
         subprocess.run([*git, "clone", "--quiet", url, dest], check=True)
         subprocess.run([*git, "-C", dest, "checkout", "--quiet", ref], check=True)
     else:
+        # Clean re-fetch from the catalogue. rm first so a leftover dir from a prior SRC+REF run
+        # (which points origin at the private mirror and may lack version tags) can't poison the
+        # catalogue fetch — that contamination makes `recipe versions`/backup hit the private remote
+        # and fail "authentication required".
+        subprocess.run(["rm", "-rf", dest], check=False)
         subprocess.run(["abra", "recipe", "fetch", recipe, "-n"], check=True)